diff --git a/.buildkite/scripts/steps/openapi_bundling/final_merge.sh b/.buildkite/scripts/steps/openapi_bundling/final_merge.sh index 41ca47aef24ee..bd9de3c966d8d 100755 --- a/.buildkite/scripts/steps/openapi_bundling/final_merge.sh +++ b/.buildkite/scripts/steps/openapi_bundling/final_merge.sh @@ -7,3 +7,6 @@ source .buildkite/scripts/common/util.sh echo --- Merge Kibana OpenAPI specs (cd oas_docs && make api-docs && make api-docs-lint) +(cd oas_docs && make api-docs-staging && make api-docs-lint) + +check_for_changed_files "make api-docs && make api-docs-staging" true diff --git a/oas_docs/output/kibana.serverless.staging.yaml b/oas_docs/output/kibana.serverless.staging.yaml new file mode 100644 index 0000000000000..b7ba3491c241c --- /dev/null +++ b/oas_docs/output/kibana.serverless.staging.yaml @@ -0,0 +1,34160 @@ +openapi: 3.0.3 +info: + contact: + name: Kibana Team + description: > + **Technical preview** + + This functionality is in technical preview and may be changed or removed in + a future release. + + Elastic will work to fix any issues, but features in technical preview are + not subject to the support SLA of official GA features. + + + The Kibana REST APIs for Elastic serverless enable you to manage resources + + such as connectors, data views, and saved objects. The API calls are + + stateless. Each request that you make happens in isolation from other calls + + and must include all of the necessary information for Kibana to fulfill the + + request. API requests return JSON output, which is a format that is + + machine-readable and works well for automation. + + + To interact with Kibana APIs, use the following operations: + + + - GET: Fetches the information. + + - POST: Adds new information. + + - PUT: Updates the existing information. + + - DELETE: Removes the information. + + + You can prepend any Kibana API endpoint with `kbn:` and run the request in + + **Dev Tools → Console**. For example: + + + ``` + + GET kbn:/api/data_views + + ``` + + + ## Documentation source and versions + + + This documentation is derived from the `main` branch of the + [kibana](https://github.com/elastic/kibana) repository. + + It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 + International](https://creativecommons.org/licenses/by-nc-nd/4.0/). + title: Kibana Serverless APIs + version: 1.0.2 + x-doc-license: + name: Attribution-NonCommercial-NoDerivatives 4.0 International + url: https://creativecommons.org/licenses/by-nc-nd/4.0/ + x-feedbackLink: + label: Feedback + url: >- + https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ +servers: + - url: http://{kibana_host}:{port} + variables: + kibana_host: + default: localhost + port: + default: '5601' + - url: http://localhost:5622 + - url: https://{kibana_url} + variables: + kibana_url: + default: localhost:5601 + - url: / + - url: http://KIBANA_HOST:5601 + - description: local + url: http://localhost:5601 +paths: + /api/actions: + get: + deprecated: true + operationId: '%2Fapi%2Factions#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + responses: {} + summary: Get all connectors + tags: + - connectors + /api/actions/action: + post: + deprecated: true + operationId: '%2Fapi%2Factions%2Faction#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actionTypeId: + description: The connector type identifier. + type: string + config: + additionalProperties: {} + default: {} + type: object + name: + description: The display name for the connector. + type: string + secrets: + additionalProperties: {} + default: {} + type: object + required: + - name + - actionTypeId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Create a connector + tags: + - connectors + /api/actions/action/{id}: + delete: + deprecated: true + description: 'WARNING: When you delete a connector, it cannot be recovered.' + operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + summary: Delete a connector + tags: + - connectors + get: + deprecated: true + operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Get connector information + tags: + - connectors + put: + deprecated: true + operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D#2' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + default: {} + type: object + name: + type: string + secrets: + additionalProperties: {} + default: {} + type: object + required: + - name + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Update a connector + tags: + - connectors + /api/actions/action/{id}/_execute: + post: + deprecated: true + operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D%2F_execute#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + params: + additionalProperties: {} + type: object + required: + - params + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Run a connector + tags: + - connectors + /api/actions/connector_types: + get: + description: You do not need any Kibana feature privileges to run this API. + operationId: '%2Fapi%2Factions%2Fconnector_types#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: >- + A filter to limit the retrieved connector types to those that + support a specific feature (such as alerting or cases). + in: query + name: feature_id + required: false + schema: + type: string + responses: {} + summary: Get connector types + tags: + - connectors + /api/actions/connector/{id}: + delete: + description: 'WARNING: When you delete a connector, it cannot be recovered.' + operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + summary: Delete a connector + tags: + - connectors + get: + operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Get connector information + tags: + - connectors + post: + operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%3F%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: false + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + default: {} + type: object + connector_type_id: + description: The type of connector. + type: string + name: + description: The display name for the connector. + type: string + secrets: + additionalProperties: {} + default: {} + type: object + required: + - name + - connector_type_id + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Create a connector + tags: + - connectors + put: + operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#2' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + default: {} + type: object + name: + description: The display name for the connector. + type: string + secrets: + additionalProperties: {} + default: {} + type: object + required: + - name + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Update a connector + tags: + - connectors + /api/actions/connector/{id}/_execute: + post: + description: >- + You can use this API to test an action that involves interaction with + Kibana services or integrations with third-party systems. + operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D%2F_execute#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + params: + additionalProperties: {} + type: object + required: + - params + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Run a connector + tags: + - connectors + /api/actions/connectors: + get: + operationId: '%2Fapi%2Factions%2Fconnectors#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + responses: {} + summary: Get all connectors + tags: + - connectors + /api/actions/list_action_types: + get: + deprecated: true + operationId: '%2Fapi%2Factions%2Flist_action_types#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + responses: {} + summary: Get connector types + tags: + - connectors + /api/alerting/rule/{id}: + delete: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#2' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Delete a rule + tags: + - alerting + get: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL) as defined in + the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the + days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work + but lack built-in daylight savings time + support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: >- + The type of connector. This property appears in + responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. + Valid values include: `onActionGroupChange`: + Actions run when the alert status changes; + `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while + the rule conditions are met; + `onThrottleInterval`: Actions run when the alert + becomes active and at the interval specified in + the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The + recommended method is to set it for each action. + If you set it at the rule level then update the + rule in Kibana, it is automatically changed to + use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often + an alert generates repeated actions. It is + specified in seconds, minutes, hours, or days + and is applicable only if 'notify_when' is set + to 'onThrottleInterval'. NOTE: You cannot + specify the throttle interval at both the rule + and action level. The recommended method is to + set it for each action. If you set it at the + rule level then update the rule in Kibana, it is + automatically changed to use action-specific + values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: >- + A universally unique identifier (UUID) for the + action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + api_key_created_by_user: + description: >- + Indicates whether the API key that is associated with the + rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: >- + The owner of the API key that is associated with the rule + and used to run background tasks. + nullable: true + type: string + consumer: + description: >- + The name of the application or feature that owns the rule. + For example: `alerts`, `apm`, `discover`, + `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, + `securitySolution`, `siem`, `stackAlerts`, or `uptime`. + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: >- + Indicates whether you want to run the rule on an interval + basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value could be + succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: {} + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: >- + Calculation of different percentiles and success + ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + additionalProperties: false + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: >- + Number of ignored alerts during last + run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: >- + Number of recovered alerts during last + run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value + could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: >- + Outcome message generated during last + rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + success: + description: >- + Indicates whether the rule run was + successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + total_alerts_created: + description: >- + Total number of alerts created during last + rule run. + nullable: true + type: number + total_alerts_detected: + description: >- + Total number of alerts detected during + last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during + last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: >- + Total time spent performing Elasticsearch + searches as measured by Kibana; includes + network latency and time spent serializing + or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the + alert becomes active and at each check interval while the + rule conditions are met; `onThrottleInterval`: Actions run + when the alert becomes active and at the interval + specified in the throttle property while the rule + conditions are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The recommended method + is to set it for each action. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, + or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + type: array + bymonth: + items: + description: >- + Indicates months of the year that this rule + should recur. + type: number + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + type: array + bysetpos: + items: + description: >- + A positive or negative integer affecting the + nth day of the month. For example, -2 combined + with `byweekday` of FR is 2nd to last Friday + of the month. It is recommended to not set + this manually and just use `byweekday`. + type: number + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: >- + Indicates the days of the week to recur or + else nth-day-of-month strings. For example, + "+2TU" second Tuesday of month, "-1FR" last + Friday of the month, which are internally + converted to a `byweekday/bysetpos` + combination. + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + type: array + byyearday: + items: + description: >- + Indicates the days of the year that this rule + should recur. + type: number + type: array + count: + description: >- + Number of times the rule should recur until it + stops. + type: number + dtstart: + description: >- + Rule start date in Coordinated Universal Time + (UTC). + type: string + freq: + description: >- + Indicates frequency of the rule. Options are + YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: >- + Indicates the interval of frequency. For + example, 1 and YEARLY is every 1 year, 2 and + WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: >- + Deprecated in 8.13.0. Use the `throttle` property in the + action `frequency` object instead. The throttle interval, + which defines how often an alert generates repeated + actions. NOTE: You cannot specify the throttle interval at + both the rule and action level. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: >- + The identifier for the user that updated this rule most + recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Get rule details + tags: + - alerting + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%3F%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: >- + The identifier for the rule. If it is omitted, an ID is randomly + generated. + in: path + name: id + required: false + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: >- + Conditions that affect whether the action runs. If you + specify multiple conditions, all conditions must be + met for the action to run. For example, if an alert + occurs within the specified time frame and matches the + query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query Domain + Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query Domain + Specific Language (DSL) as defined in the + `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the days + of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: >- + Defines the range of time in a day that the + action can run. If the `start` value is + `00:00` and the `end` value is `24:00`, + actions be generated all day. + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work but + lack built-in daylight savings time support + and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. Valid + values include: `onActionGroupChange`: Actions run + when the alert status changes; `onActiveAlert`: + Actions run when the alert becomes active and at + each check interval while the rule conditions are + met; `onThrottleInterval`: Actions run when the + alert becomes active and at the interval specified + in the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` at + both the rule and action level. The recommended + method is to set it for each action. If you set it + at the rule level then update the rule in Kibana, + it is automatically changed to use action-specific + values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often an + alert generates repeated actions. It is specified + in seconds, minutes, hours, or days and is + applicable only if `notify_when` is set to + `onThrottleInterval`. NOTE: You cannot specify the + throttle interval at both the rule and action + level. The recommended method is to set it for + each action. If you set it at the rule level then + update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + default: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + consumer: + description: >- + The name of the application or feature that owns the rule. + For example: `alerts`, `apm`, `discover`, `infrastructure`, + `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, + `siem`, `stackAlerts`, or `uptime`. + type: string + enabled: + default: true + description: >- + Indicates whether you want to run the rule on an interval + basis after it is created. + type: boolean + name: + description: >- + The name of the rule. While this name does not have to be + unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while the rule + conditions are met; `onThrottleInterval`: Actions run when + the alert becomes active and at the interval specified in + the throttle property while the rule conditions are met. + NOTE: You cannot specify `notify_when` at both the rule and + action level. The recommended method is to set it for each + action. If you set it at the rule level then update the rule + in Kibana, it is automatically changed to use + action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + default: {} + description: The parameters for the rule. + type: object + rule_type_id: + description: The rule type identifier. + type: string + schedule: + additionalProperties: false + description: >- + The check interval, which specifies how frequently the rule + conditions are checked. + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, or + days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: >- + Use the `throttle` property in the action `frequency` object + instead. The throttle interval, which defines how often an + alert generates repeated actions. NOTE: You cannot specify + the throttle interval at both the rule and action level. If + you set it at the rule level then update the rule in Kibana, + it is automatically changed to use action-specific values. + nullable: true + type: string + required: + - name + - rule_type_id + - consumer + - schedule + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL) as defined in + the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the + days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work + but lack built-in daylight savings time + support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: >- + The type of connector. This property appears in + responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. + Valid values include: `onActionGroupChange`: + Actions run when the alert status changes; + `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while + the rule conditions are met; + `onThrottleInterval`: Actions run when the alert + becomes active and at the interval specified in + the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The + recommended method is to set it for each action. + If you set it at the rule level then update the + rule in Kibana, it is automatically changed to + use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often + an alert generates repeated actions. It is + specified in seconds, minutes, hours, or days + and is applicable only if 'notify_when' is set + to 'onThrottleInterval'. NOTE: You cannot + specify the throttle interval at both the rule + and action level. The recommended method is to + set it for each action. If you set it at the + rule level then update the rule in Kibana, it is + automatically changed to use action-specific + values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: >- + A universally unique identifier (UUID) for the + action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + api_key_created_by_user: + description: >- + Indicates whether the API key that is associated with the + rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: >- + The owner of the API key that is associated with the rule + and used to run background tasks. + nullable: true + type: string + consumer: + description: >- + The name of the application or feature that owns the rule. + For example: `alerts`, `apm`, `discover`, + `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, + `securitySolution`, `siem`, `stackAlerts`, or `uptime`. + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: >- + Indicates whether you want to run the rule on an interval + basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value could be + succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: {} + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: >- + Calculation of different percentiles and success + ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + additionalProperties: false + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: >- + Number of ignored alerts during last + run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: >- + Number of recovered alerts during last + run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value + could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: >- + Outcome message generated during last + rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + success: + description: >- + Indicates whether the rule run was + successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + total_alerts_created: + description: >- + Total number of alerts created during last + rule run. + nullable: true + type: number + total_alerts_detected: + description: >- + Total number of alerts detected during + last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during + last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: >- + Total time spent performing Elasticsearch + searches as measured by Kibana; includes + network latency and time spent serializing + or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the + alert becomes active and at each check interval while the + rule conditions are met; `onThrottleInterval`: Actions run + when the alert becomes active and at the interval + specified in the throttle property while the rule + conditions are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The recommended method + is to set it for each action. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, + or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + type: array + bymonth: + items: + description: >- + Indicates months of the year that this rule + should recur. + type: number + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + type: array + bysetpos: + items: + description: >- + A positive or negative integer affecting the + nth day of the month. For example, -2 combined + with `byweekday` of FR is 2nd to last Friday + of the month. It is recommended to not set + this manually and just use `byweekday`. + type: number + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: >- + Indicates the days of the week to recur or + else nth-day-of-month strings. For example, + "+2TU" second Tuesday of month, "-1FR" last + Friday of the month, which are internally + converted to a `byweekday/bysetpos` + combination. + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + type: array + byyearday: + items: + description: >- + Indicates the days of the year that this rule + should recur. + type: number + type: array + count: + description: >- + Number of times the rule should recur until it + stops. + type: number + dtstart: + description: >- + Rule start date in Coordinated Universal Time + (UTC). + type: string + freq: + description: >- + Indicates frequency of the rule. Options are + YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: >- + Indicates the interval of frequency. For + example, 1 and YEARLY is every 1 year, 2 and + WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: >- + Deprecated in 8.13.0. Use the `throttle` property in the + action `frequency` object instead. The throttle interval, + which defines how often an alert generates repeated + actions. NOTE: You cannot specify the throttle interval at + both the rule and action level. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: >- + The identifier for the user that updated this rule most + recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '409': + description: Indicates that the rule id is already in use. + summary: Create a rule + tags: + - alerting + put: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query Domain + Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query Domain + Specific Language (DSL) as defined in the + `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the days + of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: >- + Defines the range of time in a day that the + action can run. If the `start` value is + `00:00` and the `end` value is `24:00`, + actions be generated all day. + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work but + lack built-in daylight savings time support + and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. Valid + values include: `onActionGroupChange`: Actions run + when the alert status changes; `onActiveAlert`: + Actions run when the alert becomes active and at + each check interval while the rule conditions are + met; `onThrottleInterval`: Actions run when the + alert becomes active and at the interval specified + in the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` at + both the rule and action level. The recommended + method is to set it for each action. If you set it + at the rule level then update the rule in Kibana, + it is automatically changed to use action-specific + values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often an + alert generates repeated actions. It is specified + in seconds, minutes, hours, or days and is + applicable only if `notify_when` is set to + `onThrottleInterval`. NOTE: You cannot specify the + throttle interval at both the rule and action + level. The recommended method is to set it for + each action. If you set it at the rule level then + update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + default: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + name: + description: >- + The name of the rule. While this name does not have to be + unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while the rule + conditions are met; `onThrottleInterval`: Actions run when + the alert becomes active and at the interval specified in + the throttle property while the rule conditions are met. + NOTE: You cannot specify `notify_when` at both the rule and + action level. The recommended method is to set it for each + action. If you set it at the rule level then update the rule + in Kibana, it is automatically changed to use + action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + default: {} + description: The parameters for the rule. + type: object + schedule: + additionalProperties: false + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, or + days. + type: string + required: + - interval + tags: + default: [] + items: + description: The tags for the rule. + type: string + type: array + throttle: + description: >- + Use the `throttle` property in the action `frequency` object + instead. The throttle interval, which defines how often an + alert generates repeated actions. NOTE: You cannot specify + the throttle interval at both the rule and action level. If + you set it at the rule level then update the rule in Kibana, + it is automatically changed to use action-specific values. + nullable: true + type: string + required: + - name + - schedule + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL) as defined in + the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the + days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work + but lack built-in daylight savings time + support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: >- + The type of connector. This property appears in + responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. + Valid values include: `onActionGroupChange`: + Actions run when the alert status changes; + `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while + the rule conditions are met; + `onThrottleInterval`: Actions run when the alert + becomes active and at the interval specified in + the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The + recommended method is to set it for each action. + If you set it at the rule level then update the + rule in Kibana, it is automatically changed to + use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often + an alert generates repeated actions. It is + specified in seconds, minutes, hours, or days + and is applicable only if 'notify_when' is set + to 'onThrottleInterval'. NOTE: You cannot + specify the throttle interval at both the rule + and action level. The recommended method is to + set it for each action. If you set it at the + rule level then update the rule in Kibana, it is + automatically changed to use action-specific + values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: >- + A universally unique identifier (UUID) for the + action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + api_key_created_by_user: + description: >- + Indicates whether the API key that is associated with the + rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: >- + The owner of the API key that is associated with the rule + and used to run background tasks. + nullable: true + type: string + consumer: + description: >- + The name of the application or feature that owns the rule. + For example: `alerts`, `apm`, `discover`, + `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, + `securitySolution`, `siem`, `stackAlerts`, or `uptime`. + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: >- + Indicates whether you want to run the rule on an interval + basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value could be + succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: {} + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: >- + Calculation of different percentiles and success + ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + additionalProperties: false + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: >- + Number of ignored alerts during last + run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: >- + Number of recovered alerts during last + run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value + could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: >- + Outcome message generated during last + rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + success: + description: >- + Indicates whether the rule run was + successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + total_alerts_created: + description: >- + Total number of alerts created during last + rule run. + nullable: true + type: number + total_alerts_detected: + description: >- + Total number of alerts detected during + last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during + last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: >- + Total time spent performing Elasticsearch + searches as measured by Kibana; includes + network latency and time spent serializing + or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the + alert becomes active and at each check interval while the + rule conditions are met; `onThrottleInterval`: Actions run + when the alert becomes active and at the interval + specified in the throttle property while the rule + conditions are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The recommended method + is to set it for each action. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, + or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + type: array + bymonth: + items: + description: >- + Indicates months of the year that this rule + should recur. + type: number + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + type: array + bysetpos: + items: + description: >- + A positive or negative integer affecting the + nth day of the month. For example, -2 combined + with `byweekday` of FR is 2nd to last Friday + of the month. It is recommended to not set + this manually and just use `byweekday`. + type: number + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: >- + Indicates the days of the week to recur or + else nth-day-of-month strings. For example, + "+2TU" second Tuesday of month, "-1FR" last + Friday of the month, which are internally + converted to a `byweekday/bysetpos` + combination. + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + type: array + byyearday: + items: + description: >- + Indicates the days of the year that this rule + should recur. + type: number + type: array + count: + description: >- + Number of times the rule should recur until it + stops. + type: number + dtstart: + description: >- + Rule start date in Coordinated Universal Time + (UTC). + type: string + freq: + description: >- + Indicates frequency of the rule. Options are + YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: >- + Indicates the interval of frequency. For + example, 1 and YEARLY is every 1 year, 2 and + WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: >- + Deprecated in 8.13.0. Use the `throttle` property in the + action `frequency` object instead. The throttle interval, + which defines how often an alert generates repeated + actions. NOTE: You cannot specify the throttle interval at + both the rule and action level. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: >- + The identifier for the user that updated this rule most + recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update a rule + tags: + - alerting + /api/alerting/rule/{id}/_disable: + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_disable#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + nullable: true + type: object + properties: + untrack: + description: Defines whether this rule's alerts should be untracked. + type: boolean + x-oas-optional: true + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Disable a rule + tags: + - alerting + /api/alerting/rule/{id}/_enable: + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_enable#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Enable a rule + tags: + - alerting + /api/alerting/rule/{id}/_mute_all: + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_mute_all#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + summary: Mute all alerts + tags: + - alerting + /api/alerting/rule/{id}/_unmute_all: + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_unmute_all#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + summary: Unmute all alerts + tags: + - alerting + /api/alerting/rule/{id}/_update_api_key: + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_update_api_key#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update the API key for a rule + tags: + - alerting + /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: + post: + operationId: >- + %2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_mute#0 + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Mute an alert + tags: + - alerting + /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: + post: + operationId: >- + %2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_unmute#0 + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Unmute an alert + tags: + - alerting + /api/alerting/rules/_find: + get: + operationId: '%2Fapi%2Falerting%2Frules%2F_find#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: The number of rules to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: >- + An Elasticsearch simple_query_string query that filters the objects + in the response. + in: query + name: search + required: false + schema: + type: string + - description: The default operator to use for the simple_query_string. + in: query + name: default_search_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: The fields to perform the simple_query_string parsed query against. + in: query + name: search_fields + required: false + schema: + anyOf: + - items: + type: string + type: array + - type: string + - description: >- + Determines which field is used to sort the results. The field must + exist in the `attributes` key of the response. + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: >- + Filters the rules that have a relation with the reference objects + with a specific type and identifier. + in: query + name: has_reference + required: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - in: query + name: fields + required: false + schema: + items: + description: The fields to return in the `attributes` key of the response. + type: string + type: array + - description: >- + A KQL string that you filter with an attribute from your saved + object. It should look like `savedObjectType.attributes.title: + "myTitle"`. However, if you used a direct attribute of a saved + object, such as `updatedAt`, you must define your filter, for + example, `savedObjectType.updatedAt > 2018-12-22`. + in: query + name: filter + required: false + schema: + type: string + - in: query + name: filter_consumers + required: false + schema: + items: + description: List of consumers to filter. + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL) as defined in + the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the + days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work + but lack built-in daylight savings time + support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: >- + The type of connector. This property appears in + responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. + Valid values include: `onActionGroupChange`: + Actions run when the alert status changes; + `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while + the rule conditions are met; + `onThrottleInterval`: Actions run when the alert + becomes active and at the interval specified in + the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The + recommended method is to set it for each action. + If you set it at the rule level then update the + rule in Kibana, it is automatically changed to + use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often + an alert generates repeated actions. It is + specified in seconds, minutes, hours, or days + and is applicable only if 'notify_when' is set + to 'onThrottleInterval'. NOTE: You cannot + specify the throttle interval at both the rule + and action level. The recommended method is to + set it for each action. If you set it at the + rule level then update the rule in Kibana, it is + automatically changed to use action-specific + values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: >- + A universally unique identifier (UUID) for the + action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + api_key_created_by_user: + description: >- + Indicates whether the API key that is associated with the + rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: >- + The owner of the API key that is associated with the rule + and used to run background tasks. + nullable: true + type: string + consumer: + description: >- + The name of the application or feature that owns the rule. + For example: `alerts`, `apm`, `discover`, + `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, + `securitySolution`, `siem`, `stackAlerts`, or `uptime`. + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: >- + Indicates whether you want to run the rule on an interval + basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value could be + succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: {} + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: >- + Calculation of different percentiles and success + ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + additionalProperties: false + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: >- + Number of ignored alerts during last + run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: >- + Number of recovered alerts during last + run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value + could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: >- + Outcome message generated during last + rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + success: + description: >- + Indicates whether the rule run was + successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + total_alerts_created: + description: >- + Total number of alerts created during last + rule run. + nullable: true + type: number + total_alerts_detected: + description: >- + Total number of alerts detected during + last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during + last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: >- + Total time spent performing Elasticsearch + searches as measured by Kibana; includes + network latency and time spent serializing + or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the + alert becomes active and at each check interval while the + rule conditions are met; `onThrottleInterval`: Actions run + when the alert becomes active and at the interval + specified in the throttle property while the rule + conditions are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The recommended method + is to set it for each action. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, + or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + type: array + bymonth: + items: + description: >- + Indicates months of the year that this rule + should recur. + type: number + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + type: array + bysetpos: + items: + description: >- + A positive or negative integer affecting the + nth day of the month. For example, -2 combined + with `byweekday` of FR is 2nd to last Friday + of the month. It is recommended to not set + this manually and just use `byweekday`. + type: number + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: >- + Indicates the days of the week to recur or + else nth-day-of-month strings. For example, + "+2TU" second Tuesday of month, "-1FR" last + Friday of the month, which are internally + converted to a `byweekday/bysetpos` + combination. + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + type: array + byyearday: + items: + description: >- + Indicates the days of the year that this rule + should recur. + type: number + type: array + count: + description: >- + Number of times the rule should recur until it + stops. + type: number + dtstart: + description: >- + Rule start date in Coordinated Universal Time + (UTC). + type: string + freq: + description: >- + Indicates frequency of the rule. Options are + YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: >- + Indicates the interval of frequency. For + example, 1 and YEARLY is every 1 year, 2 and + WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: >- + Deprecated in 8.13.0. Use the `throttle` property in the + action `frequency` object instead. The throttle interval, + which defines how often an alert generates repeated + actions. NOTE: You cannot specify the throttle interval at + both the rule and action level. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: >- + The identifier for the user that updated this rule most + recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Get information about rules + tags: + - alerting + /api/apm/agent_keys: + post: + description: Create a new agent key for APM. + operationId: createAgentKey + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + type: string + privileges: + items: + enum: + - event:write + - config_agent:read + type: string + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + description: Agent key created successfully + summary: Create an APM agent key + tags: + - APM agent keys + /api/apm/services/{serviceName}/annotation: + post: + description: Create a new annotation for a specific service. + operationId: createAnnotation + parameters: + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + '@timestamp': + type: string + message: + type: string + service: + type: object + properties: + environment: + type: string + version: + type: string + tags: + items: + type: string + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _id: + type: string + _index: + type: string + _source: + type: object + properties: + '@timestamp': + type: string + annotation: + type: string + event: + type: object + properties: + created: + type: string + message: + type: string + service: + type: object + properties: + environment: + type: string + name: + type: string + version: + type: string + tags: + items: + type: string + type: array + description: Annotation created successfully + summary: Create a service annotation + tags: + - APM annotations + /api/apm/services/{serviceName}/annotation/search: + get: + description: Search for annotations related to a specific service. + operationId: getAnnotation + parameters: + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + - description: The environment to filter annotations by + in: query + name: environment + required: false + schema: + type: string + - description: The start date for the search + in: query + name: start + required: false + schema: + type: string + - description: The end date for the search + in: query + name: end + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + annotations: + items: + type: object + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + description: Successful response + summary: Search for annotations + tags: + - APM annotations + /api/asset_criticality: + delete: + description: Delete the asset criticality record for a specific asset if it exists. + operationId: DeleteAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IdField + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + deleted: + description: >- + True if the record was deleted or false if the record did + not exist. + type: boolean + record: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete Criticality Record + tags: + - Security Solution Entity Analytics API + get: + description: Get the criticality record for a specific asset. + operationId: GetAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IdField + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get Criticality Record + tags: + - Security Solution Entity Analytics API + post: + description: Create or update a criticality record for a specific asset. + operationId: CreateAssetCriticalityRecord + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + refresh: + description: >- + If 'wait_for' the request will wait for the index + refresh. + enum: + - wait_for + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + summary: Upsert Criticality Record + tags: + - Security Solution Entity Analytics API + /api/asset_criticality/bulk: + post: + description: >- + Bulk upsert up to 1000 asset criticality records, creating or updating + them as needed. + operationId: BulkUpsertAssetCriticalityRecords + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 + type: object + properties: + records: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + maxItems: 1000 + minItems: 1 + type: array + required: + - records + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem + type: array + stats: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadStats + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk Upsert Asset Criticality Records + tags: + - Security Solution Entity Analytics API + /api/asset_criticality/list: + get: + description: List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords + parameters: + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - \@timestamp + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Bulk upload successful + summary: List Asset Criticality Records + tags: + - Security Solution Entity Analytics API + /api/data_views: + get: + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views + tags: + - data views + /api/data_views/data_view: + post: + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view + tags: + - data views + /api/data_views/data_view/{viewId}: + delete: + description: | + WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '204': + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a data view + tags: + - data views + get: + operationId: getDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a data view + tags: + - data views + post: + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + /api/data_views/data_view/{viewId}/fields: + post: + description: > + Update fields presentation metadata such as count, customLabel, + customDescription, and format. + operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' + schema: + type: object + properties: + fields: + description: The field object. + type: object + required: + - fields + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update data view fields metadata + tags: + - data views + /api/data_views/data_view/{viewId}/runtime_field: + post: + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + summary: Create a runtime field + tags: + - data views + put: + operationId: createUpdateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. + in: path + name: viewId + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + delete: + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a runtime field from a data view + tags: + - data views + get: + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a runtime field + tags: + - data views + post: + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + /api/data_views/default: + get: + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getDefaultDataViewResponse: + $ref: >- + #/components/examples/Data_views_get_default_data_view_response + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view + tags: + - data views + post: + operationId: setDefaultDatailViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: > + The data view identifier. NOTE: The API does not validate + whether it is a valid identifier. Use `null` to unset the + default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + /api/data_views/swap_references: + post: + description: > + Changes saved object references from one data view identifier to + another. WARNING: Misuse can break large numbers of saved objects! + Practicing with a backup is recommended. + operationId: swapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + deleteStatus: + type: object + properties: + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Swap saved object references + tags: + - data views + /api/data_views/swap_references/_preview: + post: + description: > + Preview the impact of swapping saved object references from one data + view identifier to another. + operationId: previewSwapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + previewSwapDataViewRequest: + $ref: >- + #/components/examples/Data_views_preview_swap_data_view_request + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Preview a saved object reference swap + tags: + - data views + /api/detection_engine/privileges: + get: + description: > + Retrieves whether or not the user is authenticated, and the user's + Kibana + + space and index privileges, which determine if the user can create an + + index for the Elastic Security alerts generated by + + detection engine rules. + operationId: ReadPrivileges + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Returns user privileges for the Kibana space + tags: + - Security Solution Detections API + - Privileges API + /api/detection_engine/rules: + delete: + description: Delete a detection rule using the `rule_id` or `id` field. + operationId: DeleteRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Delete a detection rule + tags: + - Security Solution Detections API + - Rules API + get: + description: Retrieve a detection rule using the `rule_id` or `id` field. + operationId: ReadRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Retrieve a detection rule + tags: + - Security Solution Detections API + - Rules API + patch: + description: >- + Update specific fields of an existing detection rule using the `rule_id` + or `id` field. + operationId: PatchRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePatchProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Patch a detection rule + tags: + - Security Solution Detections API + - Rules API + post: + description: Create a new detection rule. + operationId: CreateRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleCreateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Solution Detections API + - Rules API + put: + description: > + Update a detection rule using the `rule_id` or `id` field. The original + rule is replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. + operationId: UpdateRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleUpdateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Update a detection rule + tags: + - Security Solution Detections API + - Rules API + /api/detection_engine/rules/_bulk_action: + post: + description: >- + Apply a bulk action, such as bulk edit, duplicate, or delete, to + multiple detection rules. The bulk action is applied to all rules that + match the query or to the rules listed by their IDs. + operationId: PerformRulesBulkAction + parameters: + - description: Enables dry run mode for the request call. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDeleteRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDisableRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEnableRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkExportRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDuplicateRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkManualRuleRun + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditRules + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditActionResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkExportActionResponse + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Solution Detections API + - Bulk API + /api/detection_engine/rules/_export: + post: + description: > + Export detection rules to an `.ndjson` file. The following configuration + items are also included in the `.ndjson` file: + + - Actions + + - Exception lists + + > info + + > You cannot export prebuilt rules. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: File name for saving the exported rules. + in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + nullable: true + type: object + properties: + objects: + description: >- + Array of `rule_id` fields. Exports all rules when + unspecified. + items: + type: object + properties: + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: An `.ndjson` file containing the returned rules. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules + tags: + - Security Solution Detections API + - Import/Export API + /api/detection_engine/rules/_find: + get: + description: >- + Retrieve a paginated list of detection rules. By default, the first page + is returned, with 20 results per page. + operationId: FindRules + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_FindRulesSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + summary: List all detection rules + tags: + - Security Solution Detections API + - Rules API + /api/detection_engine/rules/_import: + post: + description: > + Import detection rules from an `.ndjson` file, including actions and + exception lists. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - A link to the `.ndjson` file containing the rules. + operationId: ImportRules + parameters: + - description: >- + Determines whether existing rules with the same `rule_id` are + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing exception lists with the same `list_id` + are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing actions with the same + `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_WarningSchema + type: array + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + exceptions_errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules + tags: + - Security Solution Detections API + - Import/Export API + /api/detection_engine/rules/{id}/exceptions: + post: + description: Create exception items that apply to a single detection rule. + operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_RuleId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemProps + type: array + required: + - items + description: Rule exception list items + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Create rule exception list items + tags: + - Security Solution Exceptions API + /api/detection_engine/rules/preview: + post: + operationId: RulePreview + parameters: + - description: >- + Enables logging and returning in response ES queries, performed + during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + discriminator: + propertyName: type + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewLogs + type: array + previewId: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + required: + - logs + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Preview rule alerts generated on specified time range + tags: + - Security Solution Detections API + - Rule preview API + /api/detection_engine/signals/assignees: + post: + description: | + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + assignees: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertAssignees + description: Details about the assignees to assign and unassign. + ids: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertIds + description: List of alerts ids to assign and unassign passed assignees. + required: + - assignees + - ids + required: true + responses: + '200': + description: Indicates a successful call. + '400': + description: Invalid request. + summary: Assign and unassign users from detection alerts + tags: + - Security Solution Detections API + /api/detection_engine/signals/search: + post: + description: Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + description: Elasticsearch query and aggregation request + type: object + properties: + _source: + oneOf: + - type: boolean + - type: string + - items: + type: string + type: array + aggs: + additionalProperties: true + type: object + fields: + items: + type: string + type: array + query: + additionalProperties: true + type: object + runtime_mappings: + additionalProperties: true + type: object + size: + minimum: 0 + type: integer + sort: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSort + track_total_hits: + type: boolean + description: Search and/or aggregation query + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Solution Detections API + - Alerts API + /api/detection_engine/signals/status: + post: + description: Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertsStatusByIds + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertsStatusByQuery + description: >- + An object containing desired status and explicit alert ids or a query + to select alerts + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Set a detection alert status + tags: + - Security Solution Detections API + - Alerts API + /api/detection_engine/signals/tags: + post: + description: | + And tags to detection alerts, and remove them from alerts. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertIds + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertTags + required: + - ids + - tags + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Solution Detections API + - Alerts API + /api/detection_engine/tags: + get: + description: List all unique tags from all detection rules. + operationId: ReadTags + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + description: Indicates a successful call + summary: List all detection rule tags + tags: + - Security Solution Detections API + - Tags API + /api/endpoint_list: + post: + description: >- + Create an endpoint exception list, which groups endpoint exception list + items. If an endpoint exception list already exists, an empty response + is returned. + operationId: CreateEndpointList + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an endpoint exception list + tags: + - Security Solution Endpoint Exceptions API + /api/endpoint_list/items: + delete: + description: >- + Delete an endpoint exception list item using the `id` or `item_id` + field. + operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Delete an endpoint exception list item + tags: + - Security Solution Endpoint Exceptions API + get: + description: >- + Get the details of an endpoint exception list item using the `id` or + `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get an endpoint exception list item + tags: + - Security Solution Endpoint Exceptions API + post: + description: >- + Create an endpoint exception list item, and associate it with the + endpoint exception list. + operationId: CreateEndpointListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item already exists + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an endpoint exception list item + tags: + - Security Solution Endpoint Exceptions API + put: + description: >- + Update an endpoint exception list item using the `id` or `item_id` + field. + operationId: UpdateEndpointListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Update an endpoint exception list item + tags: + - Security Solution Endpoint Exceptions API + /api/endpoint_list/items/_find: + get: + description: Get a list of all endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_FindEndpointListItemsFilter + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get endpoint exception list items + tags: + - Security Solution Endpoint Exceptions API + /api/endpoint/action: + get: + description: Get a list of all response actions. + operationId: EndpointGetActionsList + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetEndpointActionListRouteQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get response actions + tags: + - Security Solution Endpoint Management API + /api/endpoint/action_log/{agent_id}: + get: + deprecated: true + description: Get an action request log for the specified agent ID. + operationId: EndpointGetActionLog + parameters: + - in: path + name: agent_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionLogRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get an action request log + tags: + - Security Solution Endpoint Management API + /api/endpoint/action_status: + get: + description: Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + agent_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionStatusSuccessResponse + description: OK + summary: Get response actions status + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/{action_id}: + get: + description: Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - in: path + name: action_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get action details + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}: + get: + description: Get information for the specified file using the file ID. + operationId: EndpointFileInfo + parameters: + - in: path + name: action_id + required: true + schema: + type: string + - in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get file information + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: Download a file from an endpoint. + operationId: EndpointFileDownload + parameters: + - in: path + name: action_id + required: true + schema: + type: string + - in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Download a file + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/execute: + post: + description: Run a shell command on an endpoint. + operationId: EndpointExecuteAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ExecuteRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Run a command + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/get_file: + post: + description: Get a file from an endpoint. + operationId: EndpointGetFileAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetFileRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get a file + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/isolate: + post: + description: >- + Isolate an endpoint from the network. The endpoint remains isolated + until it's released. + operationId: EndpointIsolateAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_IsolateRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Isolate an endpoint + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/kill_process: + post: + description: Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_KillProcessRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Terminate a process + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/running_procs: + post: + description: Get a list of all processes running on an endpoint. + operationId: EndpointGetProcessesAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetProcessesRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get running processes + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/scan: + post: + description: Scan a specific file or directory on an endpoint for malware. + operationId: EndpointScanAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ScanRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Scan a file or directory + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/state: + get: + description: >- + Get a response actions state, which reports whether encryption is + enabled. + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionStateSuccessResponse + description: OK + summary: Get actions state + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/suspend_process: + post: + description: Suspend a running process on an endpoint. + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuspendProcessRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Suspend a process + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/unisolate: + post: + description: Release an isolated endpoint, allowing it to rejoin a network. + operationId: EndpointUnisolateAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UnisolateRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Release an isolated endpoint + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/upload: + post: + description: Upload a file to an endpoint. + operationId: EndpointUploadAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UploadRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Upload a file + tags: + - Security Solution Endpoint Management API + /api/endpoint/metadata: + get: + operationId: GetEndpointMetadataList + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ListRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get a metadata list + tags: + - Security Solution Endpoint Management API + /api/endpoint/metadata/{id}: + get: + operationId: GetEndpointMetadata + parameters: + - in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get metadata + tags: + - Security Solution Endpoint Management API + /api/endpoint/metadata/transforms: + get: + operationId: GetEndpointMetadataTransform + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get metadata transforms + tags: + - Security Solution Endpoint Management API + /api/endpoint/policy_response: + get: + operationId: GetPolicyResponse + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + agentId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get a policy response + tags: + - Security Solution Endpoint Management API + /api/endpoint/policy/summaries: + get: + deprecated: true + operationId: GetAgentPolicySummary + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + package_name: + type: string + policy_id: + nullable: true + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get an agent policy summary + tags: + - Security Solution Endpoint Management API + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + operationId: GetProtectionUpdatesNote + parameters: + - in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: OK + summary: Get a protection updates note + tags: + - Security Solution Endpoint Management API + post: + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + note: + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: OK + summary: Create or update a protection updates note + tags: + - Security Solution Endpoint Management API + /api/endpoint/suggestions/{suggestion_type}: + post: + operationId: GetEndpointSuggestions + parameters: + - in: path + name: suggestion_type + required: true + schema: + enum: + - eventFilters + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + field: + type: string + fieldMeta: {} + filters: {} + query: + type: string + required: + - parameters + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get suggestions + tags: + - Security Solution Endpoint Management API + /api/entity_store/engines: + get: + operationId: ListEntityStoreEngines + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + count: + type: integer + engines: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EngineDescriptor + type: array + description: Successful response + summary: List the Entity Store engines + tags: + - Security Solution Entity Analytics API + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityStore + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + - description: Control flag to also delete the entity data. + in: query + name: data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + deleted: + type: boolean + description: Successful response + summary: Delete the Entity Store engine + tags: + - Security Solution Entity Analytics API + get: + operationId: GetEntityStoreEngine + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EngineDescriptor + description: Successful response + summary: Get the Entity Store engine + tags: + - Security Solution Entity Analytics API + /api/entity_store/engines/{entityType}/init: + post: + operationId: InitEntityStore + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + filter: + type: string + indexPattern: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IndexPattern + description: Schema for the engine initialization + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EngineDescriptor + description: Successful response + summary: Initialize the Entity Store + tags: + - Security Solution Entity Analytics API + /api/entity_store/engines/{entityType}/start: + post: + operationId: StartEntityStore + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + started: + type: boolean + description: Successful response + summary: Start the Entity Store engine + tags: + - Security Solution Entity Analytics API + /api/entity_store/engines/{entityType}/stats: + post: + operationId: GetEntityStoreStats + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + indexPattern: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IndexPattern + indices: + items: + type: object + type: array + status: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EngineStatus + transforms: + items: + type: object + type: array + type: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + description: Successful response + summary: Get the Entity Store engine stats + tags: + - Security Solution Entity Analytics API + /api/entity_store/engines/{entityType}/stop: + post: + operationId: StopEntityStore + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + stopped: + type: boolean + description: Successful response + summary: Stop the Entity Store engine + tags: + - Security Solution Entity Analytics API + /api/entity_store/entities/list: + get: + description: List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - in: query + name: sort_field + required: false + schema: + type: string + - in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. + in: query + name: filterQuery + required: false + schema: + type: string + - in: query + name: entities_types + required: true + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + inspect: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_InspectQuery + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_Entity + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities + tags: + - Security Solution Entity Analytics API + /api/exception_lists: + delete: + description: Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Delete an exception list + tags: + - Security Solution Exceptions API + get: + description: Get the details of an exception list using the `id` or `list_id` field. + operationId: ReadExceptionList + parameters: + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Get exception list details + tags: + - Security Solution Exceptions API + post: + description: > + An exception list groups exception items and can be associated with + detection rules. You can assign detection rules with multiple exception + lists. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + default: 1 + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Create an exception list + tags: + - Security Solution Exceptions API + put: + description: Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Update an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_duplicate: + post: + description: Duplicate an existing exception list. + operationId: DuplicateExceptionList + parameters: + - description: Exception list's human identifier + in: query + name: list_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list to duplicate not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Duplicate an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_export: + post: + description: Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList + parameters: + - description: Exception list's identifier + in: query + name: id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Exception list's human identifier + in: query + name: list_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: >- + A `.ndjson` file containing specified exception list and its + items + format: binary + type: string + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Export an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_find: + get: + description: Get a list of all exception lists. + operationId: FindExceptionLists + parameters: + - description: > + Filters the returned results according to the value of the specified + field. + + + Uses the `so type.field name:field` value syntax, where `so type` + can be: + + + - `exception-list`: Specify a space-aware exception list. + + - `exception-list-agnostic`: Specify an exception list that is + shared across spaces. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_FindExceptionListsFilter + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + minimum: 1 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Get exception lists + tags: + - Security Solution Exceptions API + /api/exception_lists/_import: + post: + description: Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList + parameters: + - description: > + Determines whether existing exception lists with the same `list_id` + are overwritten. + + If any exception items have the same `item_id`, those are also + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: > + Determines whether the list being imported will have a new `list_id` + generated. + + Additional `item_id`'s are generated for each exception item. Both + the exception + + list and its items are overwritten. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + errors: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListsImportBulkErrorArray + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean + required: + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Import an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/items: + delete: + description: Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Delete an exception list item + tags: + - Security Solution Exceptions API + get: + description: >- + Get the details of an exception list item using the `id` or `item_id` + field. + operationId: ReadExceptionListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Get an exception list item + tags: + - Security Solution Exceptions API + post: + description: > + Create an exception item and associate it with the specified exception + list. + + > info + + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - list_id + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Create an exception list item + tags: + - Security Solution Exceptions API + put: + description: Update an exception list item using the `id` or `item_id` field. + operationId: UpdateExceptionListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_UpdateExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Update an exception list item + tags: + - Security Solution Exceptions API + /api/exception_lists/items/_find: + get: + description: Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + type: array + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query + name: filter + required: false + schema: + default: [] + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_FindExceptionListItemsFilter + type: array + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + type: array + - in: query + name: search + required: false + schema: + type: string + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_NonEmptyString + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Get exception list items + tags: + - Security Solution Exceptions API + /api/exception_lists/summary: + get: + description: Get a summary of the specified exception list. + operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Exception list's human readable identifier + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Get an exception list summary + tags: + - Security Solution Exceptions API + /api/exceptions/shared: + post: + description: > + An exception list groups exception items and can be associated with + detection rules. A shared exception list can apply to multiple detection + rules. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + required: + - name + - description + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Create a shared exception list + tags: + - Security Solution Exceptions API + /api/fleet/agent_download_sources: + get: + operationId: get-download-sources + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_download_sources' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent binary download sources + tags: + - Elastic Agent binary download sources + post: + operationId: post-download-sources + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + type: string + id: + type: string + is_default: + type: boolean + name: + type: string + required: + - name + - host + - is_default + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_download_sources' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent binary download source + tags: + - Elastic Agent binary download sources + /api/fleet/agent_download_sources/{sourceId}: + delete: + operationId: delete-download-source + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent binary download source by ID + tags: + - Elastic Agent binary download sources + get: + operationId: get-one-download-source + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_download_sources' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent binary download source by ID + tags: + - Elastic Agent binary download sources + parameters: + - in: path + name: sourceId + required: true + schema: + type: string + put: + operationId: update-download-source + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + type: string + is_default: + type: boolean + name: + type: string + required: + - name + - is_default + - host + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_download_sources' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update agent binary download source by ID + tags: + - Elastic Agent binary download sources + /api/fleet/agent_policies: + get: + description: '' + operationId: agent-policy-list + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_format' + - description: >- + When set to true, retrieve the related package policies for each + agent policy. + in: query + name: full + schema: + type: boolean + - description: >- + When set to true, do not count how many agents are in the agent + policy, this can improve performance if you are searching over a + large number of agent policies. The "agents" property will always be + 0 if set to true. + in: query + name: noAgentCount + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_agent_policy' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent policies + tags: + - Elastic Agent policies + post: + operationId: create-agent-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_policy_create_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent policy + tags: + - Elastic Agent policies + /api/fleet/agent_policies/_bulk_get: + post: + operationId: bulk-get-agent-policies + parameters: + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + full: + description: get full policies with package policies populated + type: boolean + ids: + description: list of agent policy ids + items: + type: string + type: array + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_agent_policy' + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get agent policies + tags: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}: + get: + description: Get one agent policy + operationId: agent-policy-info + parameters: [] + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent policy by ID + tags: + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - $ref: '#/components/parameters/Fleet_format' + put: + operationId: update-agent-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_policy_update_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update agent policy by ID + tags: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}/copy: + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - $ref: '#/components/parameters/Fleet_format' + post: + operationId: agent-policy-copy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + type: string + name: + type: string + required: + - name + description: '' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Copy agent policy by ID + tags: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + operationId: agent-policy-download + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Download agent policy by ID + tags: + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: download + required: false + schema: + type: string + - in: query + name: standalone + required: false + schema: + type: string + - in: query + name: kubernetes + required: false + schema: + type: string + /api/fleet/agent_policies/{agentPolicyId}/full: + get: + operationId: agent-policy-full + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + oneOf: + - type: string + - $ref: '#/components/schemas/Fleet_agent_policy_full' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get full agent policy by ID + tags: + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: download + required: false + schema: + type: string + - in: query + name: standalone + required: false + schema: + type: string + - in: query + name: kubernetes + required: false + schema: + type: string + /api/fleet/agent_policies/delete: + parameters: [] + post: + operationId: delete-agent-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + agentPolicyId: + type: string + force: + description: >- + bypass validation checks that can prevent agent policy + deletion + type: boolean + required: + - agentPolicyId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + success: + type: boolean + required: + - id + - success + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent policy by ID + tags: + - Elastic Agent policies + /api/fleet/agent_status: + get: + operationId: get-agent-status + parameters: + - in: query + name: policyId + required: false + schema: + type: string + - deprecated: true + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + active: + type: integer + all: + type: integer + error: + type: integer + events: + type: integer + inactive: + type: integer + offline: + type: integer + online: + type: integer + other: + type: integer + total: + deprecated: true + type: integer + unenrolled: + type: integer + updating: + type: integer + required: + - active + - all + - error + - events + - inactive + - offline + - online + - other + - total + - updating + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent status summary + tags: + - Elastic Agent status + /api/fleet/agent_status/data: + get: + operationId: get-agent-data + parameters: + - in: query + name: agentsIds + required: true + schema: + items: + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + additionalProperties: + type: object + properties: + data: + type: boolean + type: object + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get incoming agent data + tags: + - Elastic Agent status + /api/fleet/agent-status: + get: + deprecated: true + operationId: get-agent-status-deprecated + parameters: + - in: query + name: policyId + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: integer + events: + type: integer + inactive: + type: integer + offline: + type: integer + online: + type: integer + other: + type: integer + total: + type: integer + updating: + type: integer + required: + - error + - events + - inactive + - offline + - online + - other + - total + - updating + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent status summary + tags: + - Elastic Agent status + /api/fleet/agents: + get: + operationId: get-agents + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_show_inactive' + - $ref: '#/components/parameters/Fleet_show_upgradeable' + - $ref: '#/components/parameters/Fleet_sort_field' + - $ref: '#/components/parameters/Fleet_sort_order' + - $ref: '#/components/parameters/Fleet_with_metrics' + - in: query + name: getStatusSummary + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_agents_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agents + tags: + - Elastic Agents + post: + operationId: get-agents-by-actions + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionIds: + items: + type: string + type: array + required: + - policy_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_get_by_actions' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agents by action ids + tags: + - Elastic Agents + /api/fleet/agents/{agentId}: + delete: + operationId: delete-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent by ID + tags: + - Elastic Agents + get: + operationId: get-agent + parameters: + - $ref: '#/components/parameters/Fleet_with_metrics' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent by ID + tags: + - Elastic Agents + parameters: + - in: path + name: agentId + required: true + schema: + type: string + put: + operationId: update-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + tags: + items: + type: string + type: array + user_provided_metadata: + type: object + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update agent by ID + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/actions: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: new-agent-action + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + $ref: '#/components/schemas/Fleet_agent_action' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + items: + type: number + type: array + headers: + type: string + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent action + tags: + - Elastic Agent actions + /api/fleet/agents/{agentId}/reassign: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: reassign-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + policy_id: + type: string + required: + - policy_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Reassign agent + tags: + - Elastic Agents + put: + deprecated: true + operationId: reassign-agent-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + policy_id: + type: string + required: + - policy_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Reassign agent + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/request_diagnostics: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: request-diagnostics-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + additional_metrics: + items: + oneOf: + - enum: + - CPU + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Request agent diagnostics + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/unenroll: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: unenroll-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + revoke: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: OK + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + enum: + - 400 + type: number + description: BAD REQUEST + summary: Unenroll agent + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/upgrade: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: upgrade-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_upgrade_agent' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_upgrade_agent' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Upgrade agent + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/uploads: + get: + operationId: list-agent-uploads + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + properties: + item: + items: + $ref: '#/components/schemas/Fleet_agent_diagnostics' + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent uploads + tags: + - Elastic Agents + parameters: + - in: path + name: agentId + required: true + schema: + type: string + /api/fleet/agents/action_status: + get: + operationId: agents-action-status + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - in: query + name: errorSize + schema: + default: 5 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + actionId: + type: string + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + latestErrors: + description: >- + latest errors that happened when the agents executed + the action + items: + type: object + properties: + agentId: + type: string + error: + type: string + timestamp: + type: string + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: string + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - POLICY_REASSIGN + - UPGRADE + - UNENROLL + - FORCE_UNENROLL + - UPDATE_TAGS + - CANCEL + - REQUEST_DIAGNOSTICS + - SETTINGS + - POLICY_CHANGE + - INPUT_ACTION + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - complete + - nbAgentsActioned + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - status + - creationTime + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent action status + tags: + - Elastic Agent actions + /api/fleet/agents/actions/{actionId}/cancel: + parameters: + - in: path + name: actionId + required: true + schema: + type: string + post: + operationId: agent-action-cancel + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_action' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Cancel agent action + tags: + - Elastic Agent actions + /api/fleet/agents/bulk_reassign: + post: + operationId: bulk-reassign-agents + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' + policy_id: policy_id + schema: + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + policy_id: + description: new agent policy id + type: string + required: + - policy_id + - agents + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk reassign agents + tags: + - Elastic Agents + /api/fleet/agents/bulk_request_diagnostics: + post: + operationId: bulk-request-diagnostics + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' + schema: + type: object + properties: + additional_metrics: + items: + oneOf: + - enum: + - CPU + type: string + type: array + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + batchSize: + type: number + required: + - agents + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk request diagnostics from agents + tags: + - Elastic Agents + /api/fleet/agents/bulk_unenroll: + post: + operationId: bulk-unenroll-agents + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + force: false + revoke: true + schema: + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: >- + When passing agents by KQL query, unenrolls inactive agents + too + type: boolean + revoke: + description: Revokes API keys of agents + type: boolean + required: + - agents + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk unenroll agents + tags: + - Elastic Agents + /api/fleet/agents/bulk_update_agent_tags: + post: + operationId: bulk-update-agent-tags + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + tagsToAdd: + - newTag + tagsToRemove: + - existingTag + schema: + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + batchSize: + type: number + tagsToAdd: + items: + type: string + type: array + tagsToRemove: + items: + type: string + type: array + required: + - agents + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk update agent tags + tags: + - Elastic Agents + /api/fleet/agents/bulk_upgrade: + post: + operationId: bulk-upgrade-agents + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + rollout_duration_seconds: 3600 + source_uri: https://artifacts.elastic.co/downloads/beats/elastic-agent + start_time: '2022-08-03T14:00:00.000Z' + version: 8.4.0 + schema: + $ref: '#/components/schemas/Fleet_bulk_upgrade_agents' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk upgrade agents + tags: + - Elastic Agents + /api/fleet/agents/files/{fileId}: + delete: + operationId: delete-agent-upload-file + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + properties: + deleted: + type: boolean + id: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete file uploaded by agent + tags: + - Elastic Agents + parameters: + - in: path + name: fileId + required: true + schema: + type: string + /api/fleet/agents/files/{fileId}/{fileName}: + get: + operationId: get-agent-upload-file + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + properties: + items: + type: object + properties: + body: {} + headers: {} + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get file uploaded by agent + tags: + - Elastic Agents + parameters: + - in: path + name: fileId + required: true + schema: + type: string + - in: path + name: fileName + required: true + schema: + type: string + /api/fleet/agents/setup: + get: + operationId: get-agents-setup-status + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_status_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent setup info + tags: + - Elastic Agents + post: + operationId: setup-agents + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + admin_password: + type: string + admin_username: + type: string + required: + - admin_username + - admin_password + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_setup_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Initiate agent setup + tags: + - Elastic Agents + /api/fleet/agents/tags: + get: + operationId: get-agent-tags + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_agent_tags_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent tags + tags: + - Elastic Agents + /api/fleet/data_streams: + get: + operationId: data-streams-list + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data_streams: + items: + $ref: '#/components/schemas/Fleet_data_stream' + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List data streams + tags: + - Data streams + parameters: [] + /api/fleet/enrollment_api_keys: + get: + operationId: get-enrollment-api-keys + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - page + - perPage + - total + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List enrollment API keys + tags: + - Fleet enrollment API keys + post: + operationId: create-enrollment-api-keys + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + description: The name of the enrollment API key. Must be unique. + type: string + policy_id: + description: >- + The ID of the agent policy the Elastic Agent will be + enrolled in. + type: string + required: + - policy_id + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create enrollment API key + tags: + - Fleet enrollment API keys + /api/fleet/enrollment_api_keys/{keyId}: + delete: + operationId: delete-enrollment-api-key + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Revoke enrollment API key by ID by marking it as inactive + tags: + - Fleet enrollment API keys + get: + operationId: get-enrollment-api-key + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get enrollment API key by ID + tags: + - Fleet enrollment API keys + parameters: + - in: path + name: keyId + required: true + schema: + type: string + /api/fleet/enrollment-api-keys: + get: + deprecated: true + operationId: get-enrollment-api-keys-deprecated + parameters: [] + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - page + - perPage + - total + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List enrollment API keys + tags: + - Fleet enrollment API keys + post: + deprecated: true + operationId: create-enrollment-api-keys-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create enrollment API key + tags: + - Fleet enrollment API keys + /api/fleet/enrollment-api-keys/{keyId}: + delete: + deprecated: true + operationId: delete-enrollment-api-key-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete enrollment API key by ID + tags: + - Fleet enrollment API keys + get: + deprecated: true + operationId: get-enrollment-api-key-deprecated + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get enrollment API key by ID + tags: + - Fleet enrollment API keys + parameters: + - in: path + name: keyId + required: true + schema: + type: string + /api/fleet/epm/bulk_assets: + post: + operationId: bulk-get-assets + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + assetIds: + description: list of items necessary to fetch assets + items: + type: object + properties: + id: + type: string + type: + type: string + type: array + required: + - assetIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_bulk_assets_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get assets + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/categories: + get: + operationId: get-package-categories + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_categories_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List package categories + tags: + - Elastic Package Manager (EPM) + parameters: + - description: >- + Whether to include prerelease packages in categories count (e.g. beta, + rc, preview) + in: query + name: prerelease + schema: + default: false + type: boolean + - deprecated: true + in: query + name: experimental + schema: + default: false + type: boolean + - in: query + name: include_policy_templates + schema: + default: false + type: boolean + /api/fleet/epm/packages: + get: + operationId: list-all-packages + parameters: + - description: >- + Whether to exclude the install status of each package. Enabling this + option will opt in to caching for the response via `cache-control` + headers. If you don't need up-to-date installation info for a + package, and are querying for a list of available packages, + providing this flag can improve performance substantially. + in: query + name: excludeInstallStatus + schema: + default: false + type: boolean + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + - deprecated: true + in: query + name: experimental + schema: + default: false + type: boolean + - in: query + name: category + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_packages_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List packages + tags: + - Elastic Package Manager (EPM) + post: + description: '' + operationId: install-package-by-upload + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/gzip; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + application/zip; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _meta: + type: object + properties: + install_source: + enum: + - upload + - registry + - bundled + type: string + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '429': + $ref: '#/components/responses/Fleet_error' + summary: Install by package by direct upload + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/_bulk: + post: + operationId: bulk-install-packages + parameters: + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + description: force install to ignore package verification errors + type: boolean + packages: + description: list of packages to install + items: + oneOf: + - description: package name + type: string + - type: object + properties: + name: + description: package name + type: string + version: + description: package version + type: string + type: array + required: + - packages + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_bulk_install_packages_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk install packages + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgkey}: + delete: + deprecated: true + operationId: delete-package-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgkey + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete ackage + tags: + - Elastic Package Manager (EPM) + get: + deprecated: true + operationId: get-package-deprecated + parameters: + - in: path + name: pkgkey + required: true + schema: + type: string + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - properties: + response: + $ref: '#/components/schemas/Fleet_package_info' + - properties: + savedObject: + type: string + status: + enum: + - installed + - installing + - install_failed + - not_installed + type: string + required: + - status + - savedObject + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package + tags: + - Elastic Package Manager (EPM) + post: + deprecated: true + description: '' + operationId: install-package-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgkey + required: true + schema: + type: string + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Install package + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: + delete: + operationId: delete-package + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: delete package even if policies used by agents + in: query + name: force + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + deprecated: true + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package + tags: + - Elastic Package Manager (EPM) + get: + operationId: get-package + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - properties: + item: + $ref: '#/components/schemas/Fleet_package_info' + - properties: + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + licensePath: + type: string + notice: + type: string + savedObject: + deprecated: true + type: object + status: + enum: + - installed + - installing + - install_failed + - not_installed + type: string + required: + - status + - savedObject + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: Ignore if the package is fails signature verification + in: query + name: ignoreUnverified + schema: + type: boolean + - description: >- + Return all fields from the package manifest, not just those supported + by the Elastic Package Registry + in: query + name: full + schema: + type: boolean + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + post: + description: '' + operationId: install-package + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + ignore_constraints: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _meta: + type: object + properties: + install_source: + enum: + - registry + - upload + - bundled + type: string + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Install package + tags: + - Elastic Package Manager (EPM) + put: + description: '' + operationId: update-package + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + keepPoliciesUpToDate: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + operationId: packages-get-file + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + headers: + type: object + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package file + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: path + name: filePath + required: true + schema: + type: string + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + post: + description: '' + operationId: reauthorize-transforms + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: >- + Whether to include prerelease packages in categories count (e.g. + beta, rc, preview) + in: query + name: prerelease + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + transforms: + items: + type: object + properties: + transformId: + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + error: + type: string + success: + type: boolean + transformId: + type: string + required: + - transformId + - error + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Authorize transforms + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/stats: + get: + operationId: get-package-stats + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + $ref: '#/components/schemas/Fleet_package_usage_stats' + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package stats + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + /api/fleet/epm/packages/limited: + get: + operationId: list-limited-packages + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: string + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get limited package list + tags: + - Elastic Package Manager (EPM) + parameters: [] + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + get: + operationId: get-inputs-template + responses: + '200': + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get inputs template + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: Format of response - json or yaml + in: query + name: format + schema: + enum: + - json + - yaml + - yml + type: string + - description: Specify if version is prerelease + in: query + name: prerelease + schema: + type: boolean + - description: Ignore if the package is fails signature verification + in: query + name: ignoreUnverified + schema: + type: boolean + /api/fleet/epm/verification_key_id: + get: + operationId: packages-get-verification-key-id + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + properties: + id: + description: >- + the key ID of the GPG key used to verify package + signatures + nullable: true + type: string + headers: + type: object + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package signature verification key ID + tags: + - Elastic Package Manager (EPM) + parameters: [] + /api/fleet/fleet_server_hosts: + get: + operationId: get-fleet-server-hosts + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_fleet_server_host' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List Fleet Server hosts + tags: + - Fleet Server hosts + post: + operationId: post-fleet-server-hosts + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host_urls: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this fleet server host. See + the proxies API for more information. + type: string + required: + - name + - host_urls + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create Fleet Server host + tags: + - Fleet Server hosts + /api/fleet/fleet_server_hosts/{itemId}: + delete: + operationId: delete-fleet-server-hosts + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete Fleet Server host by ID + tags: + - Fleet Server hosts + get: + operationId: get-one-fleet-server-hosts + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get Fleet Server host by ID + tags: + - Fleet Server hosts + parameters: + - in: path + name: itemId + required: true + schema: + type: string + put: + operationId: update-fleet-server-hosts + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host_urls: + items: + type: string + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this fleet server host. See + the proxies API for more information. + nullable: true + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update Fleet Server host by ID + tags: + - Fleet Server hosts + /api/fleet/health_check: + post: + operationId: fleet-server-health-check + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + deprecated: true + type: string + id: + type: string + required: + - id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + deprecated: true + type: string + id: + description: Fleet Server host id + type: string + status: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Fleet Server health check + tags: + - Fleet internals + /api/fleet/kubernetes: + get: + operationId: get-full-k8s-manifest + parameters: + - in: query + name: download + required: false + schema: + type: boolean + - in: query + name: fleetServer + required: false + schema: + type: string + - in: query + name: enrolToken + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get full K8s agent manifest + tags: + - Fleet Kubernetes + /api/fleet/logstash_api_keys: + post: + operationId: generate-logstash-api-key + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + api_key: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Generate Logstash API key + tags: + - Fleet outputs + /api/fleet/outputs: + get: + operationId: get-outputs + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_output_create_request' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List outputs + tags: + - Fleet outputs + post: + operationId: post-outputs + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_output_create_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_create_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create output + tags: + - Fleet outputs + /api/fleet/outputs/{outputId}: + delete: + operationId: delete-output + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete output by ID + tags: + - Fleet outputs + get: + operationId: get-output + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_create_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get output by ID + tags: + - Fleet outputs + parameters: + - in: path + name: outputId + required: true + schema: + type: string + put: + operationId: update-output + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_output_update_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_update_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update output by ID + tags: + - Fleet outputs + /api/fleet/outputs/{outputId}/health: + get: + operationId: get-output-health + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get latest output health + tags: + - Fleet outputs + parameters: + - in: path + name: outputId + required: true + schema: + type: string + /api/fleet/package_policies: + get: + operationId: get-package-policies + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_format' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List package policies + tags: + - Fleet package policies + parameters: [] + post: + operationId: create-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_package_policy_request' + description: >- + You should use inputs as an object and not use the deprecated inputs + array. + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '409': + $ref: '#/components/responses/Fleet_error' + summary: Create package policy + tags: + - Fleet package policies + /api/fleet/package_policies/_bulk_get: + post: + operationId: bulk-get-package-policies + parameters: + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + description: list of package policy ids + items: + type: string + type: array + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get package policies + tags: + - Fleet package policies + /api/fleet/package_policies/{packagePolicyId}: + delete: + operationId: delete-package-policy + parameters: + - in: query + name: force + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package policy by ID + tags: + - Fleet package policies + get: + operationId: get-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_format' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package policy by ID + tags: + - Fleet package policies + parameters: + - in: path + name: packagePolicyId + required: true + schema: + type: string + put: + operationId: update-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_package_policy_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + sucess: + type: boolean + required: + - item + - sucess + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update package policy by ID + tags: + - Fleet package policies + /api/fleet/package_policies/delete: + post: + operationId: post-delete-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + packagePolicyIds: + items: + type: string + type: array + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + type: string + name: + type: string + success: + type: boolean + required: + - id + - success + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package policy + tags: + - Fleet package policies + /api/fleet/package_policies/upgrade: + post: + operationId: upgrade-package-policy + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + packagePolicyIds: + items: + type: string + type: array + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + type: string + name: + type: string + success: + type: boolean + required: + - id + - success + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '409': + $ref: '#/components/responses/Fleet_error' + summary: Upgrade package policy to a newer package version + tags: + - Fleet package policies + /api/fleet/package_policies/upgrade/dryrun: + post: + operationId: upgrade-package-policy-dry-run + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + packagePolicyIds: + items: + type: string + type: array + packageVersion: + type: string + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + agent_diff: + $ref: '#/components/schemas/Fleet_upgrade_agent_diff' + diff: + $ref: '#/components/schemas/Fleet_upgrade_diff' + hasErrors: + type: boolean + required: + - hasErrors + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Dry run package policy upgrade + tags: + - Fleet package policies + /api/fleet/proxies: + get: + operationId: get-fleet-proxies + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_proxies' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List proxies + tags: + - Fleet proxies + post: + operationId: post-fleet-proxies + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + id: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + required: + - name + - url + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create proxy + tags: + - Fleet proxies + /api/fleet/proxies/{itemId}: + delete: + operationId: delete-fleet-proxies + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete proxy by ID + tags: + - Fleet proxies + get: + operationId: get-one-fleet-proxies + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get proxy by ID + tags: + - Fleet proxies + parameters: + - in: path + name: itemId + required: true + schema: + type: string + put: + operationId: update-fleet-proxies + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update proxy by ID + tags: + - Fleet proxies + /api/fleet/service_tokens: + post: + operationId: generate-service-token + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + type: string + value: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create service token + tags: + - Fleet service tokens + /api/fleet/service-tokens: + post: + deprecated: true + operationId: generate-service-token-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + type: string + value: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create service token + tags: + - Fleet service tokens + /api/fleet/settings: + get: + operationId: get-settings + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_settings_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get settings + tags: + - Fleet internals + put: + operationId: update-settings + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + additional_yaml_config: + type: string + fleet_server_hosts: + description: Protocol and path must be the same for each URL + items: + type: string + type: array + has_seen_add_data_notice: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_settings_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update settings + tags: + - Fleet internals + /api/fleet/setup: + post: + operationId: setup + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_setup_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + description: Internal Server Error + summary: Initiate Fleet setup + tags: + - Fleet internals + /api/fleet/uninstall_tokens: + get: + operationId: get-uninstall-tokens + parameters: + - description: The number of items to return + in: query + name: perPage + required: false + schema: + default: 20 + minimum: 5 + type: integer + - $ref: '#/components/parameters/Fleet_page_index' + - description: Partial match filtering for policy IDs + in: query + name: policyId + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + created_at: + type: string + id: + type: string + policy_id: + type: string + required: + - id + - policy_id + - created_at + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List metadata for latest uninstall tokens per agent policy + tags: + - Fleet uninstall tokens + /api/fleet/uninstall_tokens/{uninstallTokenId}: + get: + operationId: get-uninstall-token + parameters: + - in: path + name: uninstallTokenId + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: object + properties: + created_at: + type: string + id: + type: string + policy_id: + type: string + token: + type: string + required: + - id + - token + - policy_id + - created_at + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get one decrypted uninstall token by its ID + tags: + - Fleet uninstall tokens + /api/lists: + delete: + description: | + Delete a list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - in: query + name: deleteReferences + required: false + schema: + default: false + type: boolean + - in: query + name: ignoreReferences + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Delete a list + tags: + - Security Solution Lists API + get: + description: Get the details of a list using the list ID. + operationId: ReadList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get list details + tags: + - Security Solution Lists API + patch: + description: Update specific fields of an existing list using the list ID. + operationId: PatchList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Patch a list + tags: + - Security Solution Lists API + post: + description: Create a new list. + operationId: CreateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + serializer: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Create a list + tags: + - Security Solution Lists API + put: + description: > + Update a list using the list ID. The original list is replaced, and all + unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + - name + - description + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Update a list + tags: + - Security Solution Lists API + /api/lists/_find: + get: + description: >- + Get a paginated subset of lists. By default, the first page is returned, + with 20 results per page. + operationId: FindLists + parameters: + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of lists to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_FindListsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_FindListsFilter' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListsCursor + data: + items: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get lists + tags: + - Security Solution Lists API + /api/lists/index: + delete: + description: Delete the `.lists` and `.items` data streams. + operationId: DeleteListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Delete list data streams + tags: + - Security Solution Lists API + get: + description: Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + list_index: + type: boolean + list_item_index: + type: boolean + required: + - list_index + - list_item_index + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream(s) not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get status of list data streams + tags: + - Security Solution Lists API + post: + description: Create `.lists` and `.items` data streams in the relevant space. + operationId: CreateListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Create list data streams + tags: + - Security Solution Lists API + /api/lists/items: + delete: + description: Delete a list item using its `id`, or its `list_id` and `value` fields. + operationId: DeleteListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + - items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Delete a list item + tags: + - Security Solution Lists API + get: + description: Get the details of a list item. + operationId: ReadListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + - items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get a list item + tags: + - Security Solution Lists API + patch: + description: Update specific fields of an existing list item using the list item ID. + operationId: PatchListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + refresh: + description: >- + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - id + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Patch a list item + tags: + - Security Solution Lists API + post: + description: > + Create a list item and associate it with the specified list. + + + All list items in the same list must be the same type. For example, each + list item in an `ip` list must define a specific IP address. + + > info + + > Before creating a list item, you must create a list. + operationId: CreateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + refresh: + description: >- + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - list_id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Create a list item + tags: + - Security Solution Lists API + put: + description: > + Update a list item using the list item ID. The original list item is + replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Update a list item + tags: + - Security Solution Lists API + /api/lists/items/_export: + post: + description: Export list item values from the specified list. + operationId: ExportListItems + parameters: + - description: List's id to export + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: A `.txt` file containing list items from the specified list + format: binary + type: string + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Export list items + tags: + - Security Solution Lists API + /api/lists/items/_find: + get: + description: Get all list items in the specified list. + operationId: FindListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of list items to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsCursor + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsFilter + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsCursor + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get list items + tags: + - Security Solution Lists API + /api/lists/items/_import: + post: + description: > + Import list items from a TXT or CSV file. The maximum file size is 9 + million bytes. + + + You can import items to a new or existing list. + operationId: ImportListItems + parameters: + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: > + Type of the importing list. + + + Required when importing a new list that is `list_id` is not + specified. + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + - in: query + name: serializer + required: false + schema: + type: string + - in: query + name: deserializer + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + type: string + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: >- + A `.txt` or `.csv` file containing newline separated list + items + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List with specified list_id does not exist response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Import list items + tags: + - Security Solution Lists API + /api/lists/privileges: + get: + operationId: ReadListPrivileges + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemPrivileges + lists: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListPrivileges + required: + - lists + - listItems + - is_authenticated + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get list privileges + tags: + - Security Solution Lists API + /api/ml/saved_objects/sync: + get: + description: > + Synchronizes Kibana saved objects for machine learning jobs and trained + models. This API runs automatically when you start Kibana and + periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync machine learning saved objects + tags: + - ml + /api/note: + delete: + description: Delete a note from a Timeline using the note ID. + operationId: DeleteNote + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + type: string + required: + - noteId + - type: object + properties: + noteIds: + items: + type: string + nullable: true + type: array + required: + - noteIds + description: The ID of the note to delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + description: Indicates the note was successfully deleted. + summary: Delete a note + tags: + - Security Solution Timeline API + - access:securitySolution + get: + description: Get all notes for a given document. + operationId: GetNotes + parameters: + - in: query + name: documentIds + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_DocumentIds' + - in: query + name: page + schema: + nullable: true + type: number + - in: query + name: perPage + schema: + nullable: true + type: number + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: sortField + schema: + nullable: true + type: string + - in: query + name: sortOrder + schema: + nullable: true + type: string + - in: query + name: filter + schema: + nullable: true + type: string + responses: + '200': + description: Indicates the requested notes were returned. + summary: Get notes + tags: + - Security Solution Timeline API + - access:securitySolution + patch: + description: Add a note to a Timeline or update an existing note. + operationId: PersistNoteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + eventDataView: + nullable: true + type: string + eventIngested: + nullable: true + type: string + eventTimestamp: + nullable: true + type: string + note: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + noteId: + nullable: true + type: string + overrideOwner: + nullable: true + type: boolean + version: + nullable: true + type: string + required: + - note + description: The note to add or update, along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistNote: + type: object + properties: + code: + type: number + message: + type: string + note: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_Note + required: + - code + - message + - note + required: + - persistNote + required: + - data + description: Indicates the note was successfully created. + summary: Add or update a note + tags: + - Security Solution Timeline API + - access:securitySolution + /api/osquery/live_queries: + get: + description: Get a list of all live queries. + operationId: OsqueryFindLiveQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindLiveQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live queries + tags: + - Security Solution Osquery API + post: + description: Create and run a live query. + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreateLiveQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a live query + tags: + - Security Solution Osquery API + /api/osquery/live_queries/{id}: + get: + description: Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: query + name: query + schema: + additionalProperties: true + type: object + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query details + tags: + - Security Solution Osquery API + /api/osquery/live_queries/{id}/results/{actionId}: + get: + description: Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: path + name: actionId + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_GetLiveQueryResultsRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query results + tags: + - Security Solution Osquery API + /api/osquery/packs: + get: + description: Get a list of all query packs. + operationId: OsqueryFindPacks + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindPacksRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get packs + tags: + - Security Solution Osquery API + post: + description: Create a query pack. + operationId: OsqueryCreatePacks + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreatePacksRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a pack + tags: + - Security Solution Osquery API + /api/osquery/packs/{id}: + delete: + description: Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete a pack + tags: + - Security Solution Osquery API + get: + description: Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get pack details + tags: + - Security Solution Osquery API + put: + description: | + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_UpdatePacksRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update a pack + tags: + - Security Solution Osquery API + /api/osquery/saved_queries: + get: + description: Get a list of all saved queries. + operationId: OsqueryFindSavedQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindSavedQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get saved queries + tags: + - Security Solution Osquery API + post: + description: Create and run a saved query. + operationId: OsqueryCreateSavedQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a saved query + tags: + - Security Solution Osquery API + /api/osquery/saved_queries/{id}: + delete: + description: Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete a saved query + tags: + - Security Solution Osquery API + get: + description: Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get saved query details + tags: + - Security Solution Osquery API + put: + description: | + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_UpdateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update a saved query + tags: + - Security Solution Osquery API + /api/pinned_event: + patch: + description: Pin an event to an existing Timeline. + operationId: PersistPinnedEventRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + eventId: + type: string + pinnedEventId: + nullable: true + type: string + timelineId: + type: string + required: + - eventId + - timelineId + description: The pinned event to add or update, along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistPinnedEventOnTimeline: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Timeline_API_PinnedEvent + - type: object + properties: + code: + type: number + message: + type: string + required: + - persistPinnedEventOnTimeline + required: + - data + description: Indicates the event was successfully pinned to the Timeline. + summary: Pin an event + tags: + - Security Solution Timeline API + - access:securitySolution + /api/risk_score/engine/schedule_now: + post: + operationId: ScheduleRiskEngineNow + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: {} + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_RiskEngineScheduleNowResponse + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse + description: Unexpected error + summary: Schedule the risk engine to run as soon as possible + tags: + - Security Solution Entity Analytics API + /api/saved_objects/_export: + post: + description: > + Retrieve sets of saved objects that you want to import into Kibana. + + You must include `type` or `objects` in the request body. + + + Exported saved objects are not backwards compatible and cannot be + imported into an older version of Kibana. + + + NOTE: The `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be exported. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: exportSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsRequest: + $ref: >- + #/components/examples/Serverless_saved_objects_export_objects_request + schema: + type: object + properties: + excludeExportDetails: + default: false + description: Do not add export details entry at the end of the stream. + type: boolean + includeReferencesDeep: + description: >- + Includes all of the referenced objects in the exported + objects. + type: boolean + objects: + description: A list of objects to export. + items: + type: object + type: array + type: + description: >- + The saved object types to include in the export. Use `*` to + export all the types. + oneOf: + - type: string + - items: + type: string + type: array + required: true + responses: + '200': + content: + application/x-ndjson; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsResponse: + $ref: >- + #/components/examples/Serverless_saved_objects_export_objects_response + schema: + additionalProperties: true + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Serverless_saved_objects_400_response' + description: Bad request. + summary: Export saved objects + tags: + - saved objects + /api/saved_objects/_import: + post: + description: > + Create sets of Kibana saved objects from a file created by the export + API. + + Saved objects can be imported only into the same version, a newer minor + on the same major, or the next major. Exported saved objects are not + backwards compatible and cannot be imported into an older version of + Kibana. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: importSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' + - description: > + Creates copies of saved objects, regenerates each object ID, and + resets the origin. When used, potential conflict errors are avoided. + NOTE: This option cannot be used with the `overwrite` and + `compatibilityMode` options. + in: query + name: createNewCopies + required: false + schema: + type: boolean + - description: > + Overwrites saved objects when they already exist. When used, + potential conflict errors are automatically resolved by overwriting + the destination object. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: overwrite + required: false + schema: + type: boolean + - description: > + Applies various adjustments to the saved objects that are being + imported to maintain compatibility between different Kibana + versions. Use this option only if you encounter issues with imported + saved objects. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: compatibilityMode + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + examples: + importObjectsRequest: + $ref: >- + #/components/examples/Serverless_saved_objects_import_objects_request + schema: + type: object + properties: + file: + description: > + A file exported using the export API. NOTE: The + `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be included in + this file. Similarly, the + `savedObjects.maxImportPayloadBytes` setting limits the + overall size of the file that can be imported. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + importObjectsResponse: + $ref: >- + #/components/examples/Serverless_saved_objects_import_objects_response + schema: + type: object + properties: + errors: + description: > + Indicates the import was unsuccessful and specifies the + objects that failed to import. + + + NOTE: One object may result in multiple errors, which + requires separate steps to resolve. For instance, a + `missing_references` error and conflict error. + items: + type: object + type: array + success: + description: > + Indicates when the import was successfully completed. When + set to false, some objects may not have been created. For + additional information, refer to the `errors` and + `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: integer + successResults: + description: > + Indicates the objects that are successfully imported, with + any metadata if applicable. + + + NOTE: Objects are created only when all resolvable errors + are addressed, including conflicts and missing references. + If objects are created as new copies, each entry in the + `successResults` array includes a `destinationId` + attribute. + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Serverless_saved_objects_400_response' + description: Bad request. + summary: Import saved objects + tags: + - saved objects + x-codeSamples: + - label: Import with createNewCopies + lang: cURL + source: | + curl \ + -X POST api/saved_objects/_import?createNewCopies=true + -H "kbn-xsrf: true" + --form file=@file.ndjson + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: >- + Apply a bulk action to multiple anonymization fields. The bulk action is + applied to all anonymization fields that match the filter or to the list + of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of anonymization fields IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter anonymization fields + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Apply a bulk action to anonymization fields + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/anonymization_fields/_find: + get: + description: Get a list of all anonymization fields. + operationId: FindAnonymizationFields + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get anonymization fields + tags: + - Security AI Assistant API + - AnonymizationFields API + /api/security_ai_assistant/chat/complete: + post: + description: Create a model response for the given chat conversation. + operationId: ChatComplete + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true + responses: + '200': + content: + application/octet-stream; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Create a model response + tags: + - Security AI Assistant API + - Chat Complete API + /api/security_ai_assistant/current_user/conversations: + post: + description: Create a new Security AI Assistant conversation. + operationId: CreateConversation + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Create a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: Get a list of all conversations for the current user. + operationId: FindConversations + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Conversations per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get conversations + tags: + - Security AI Assistant API + - Conversations API + /api/security_ai_assistant/current_user/conversations/{id}: + delete: + description: Delete an existing conversation using the conversation ID. + operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Delete a conversation + tags: + - Security AI Assistant API + - Conversation API + get: + description: Get the details of an existing conversation using the conversation ID. + operationId: ReadConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get a conversation + tags: + - Security AI Assistant API + - Conversations API + put: + description: Update an existing conversation using the conversation ID. + operationId: UpdateConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Update a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: >- + Apply a bulk action to multiple prompts. The bulk action is applied to + all prompts that match the filter or to the list of prompts by their + IDs. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of prompts IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter promps + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Apply a bulk action to prompts + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/prompts/_find: + get: + description: Get a list of all prompts. + operationId: FindPrompts + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Prompts per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get prompts + tags: + - Security AI Assistant API + - Prompts API + /api/status: + get: + operationId: '%2Fapi%2Fstatus#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: Set to "true" to get the response in v7 format. + in: query + name: v7format + required: false + schema: + type: boolean + - description: Set to "true" to get the response in v8 format. + in: query + name: v8format + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. + description: Overall status is OK and Kibana should be functioning normally. + '503': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. + description: >- + Kibana or some of it's essential services are unavailable. Kibana + may be degraded or unavailable. + summary: Get Kibana's current status + tags: + - system + /api/timeline: + delete: + description: Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + savedObjectIds: + items: + type: string + type: array + searchIds: + description: >- + Saved search ids that should be deleted alongside the + timelines + items: + type: string + type: array + required: + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + deleteTimeline: + type: boolean + required: + - deleteTimeline + required: + - data + description: Indicates the Timeline was successfully deleted. + summary: Delete Timelines or Timeline templates + tags: + - Security Solution Timeline API + - access:securitySolution + get: + description: Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline + parameters: + - description: The ID of the template timeline to retrieve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the Timeline to retrieve. + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + getOneTimeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + nullable: true + required: + - getOneTimeline + required: + - data + description: Indicates that the (template) Timeline was found and returned. + summary: Get Timeline or Timeline template details + tags: + - Security Solution Timeline API + - access:securitySolution + patch: + description: >- + Update an existing Timeline. You can update the title, description, date + range, pinned events, pinned queries, and/or pinned saved queries of an + existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + timelineId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: >- + Indicates that the draft Timeline was successfully created. In the + event the user already has a draft Timeline, the existing draft + Timeline is cleared and returned. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates that the user does not have the required access to create + a draft Timeline. + summary: Update a Timeline + tags: + - Security Solution Timeline API + - access:securitySolution + post: + description: Create a new Timeline or Timeline template. + operationId: CreateTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + status: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineStatus + nullable: true + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + timelineId: + nullable: true + type: string + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + nullable: true + version: + nullable: true + type: string + required: + - timeline + description: >- + The required Timeline fields used to create a new Timeline, along with + optional fields that will be created if not provided. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - persistTimeline + required: + - data + description: Indicates the Timeline was successfully created. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/_draft: + get: + description: >- + Get the details of the draft Timeline or Timeline template for the + current user. If the user doesn't have a draft Timeline, an empty + Timeline is returned. + operationId: GetDraftTimelines + parameters: + - in: query + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: Indicates that the draft Timeline was successfully retrieved. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + If a draft Timeline was not found and we attempted to create one, it + indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + This should never happen, but if a draft Timeline was not found and + we attempted to create one, it indicates that there is already a + draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details + tags: + - Security Solution Timeline API + - access:securitySolution + post: + description: > + Create a clean draft Timeline or Timeline template for the current user. + + > info + + > If the user already has a draft Timeline, the existing draft Timeline + is cleared and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + required: + - timelineType + description: >- + The type of Timeline to create. Valid values are `default` and + `template`. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: >- + Indicates that the draft Timeline was successfully created. In the + event the user already has a draft Timeline, the existing draft + Timeline is cleared and returned. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that there is already a draft Timeline with the given + `timelineId`. + summary: Create a clean draft Timeline or Timeline template + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/_export: + post: + description: Export Timelines as an NDJSON file. + operationId: ExportTimelines + parameters: + - description: The name of the file to export + in: query + name: file_name + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + items: + type: string + nullable: true + type: array + description: The IDs of the Timelines to export. + required: true + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: NDJSON of the exported Timelines + type: string + description: Indicates the Timelines were successfully exported. + '400': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that the export size limit was exceeded. + summary: Export Timelines + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/_favorite: + patch: + description: Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true + type: string + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistFavorite: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResponse + required: + - persistFavorite + required: + - data + description: Indicates the favorite status was successfully updated. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the user does not have the required permissions to persist + the favorite status. + summary: Favorite a Timeline or Timeline template + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/_import: + post: + description: Import Timelines. + operationId: ImportTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Timeline_API_Readable + - type: object + properties: + hapi: + type: object + properties: + filename: + type: string + headers: + type: object + isImmutable: + enum: + - 'true' + - 'false' + type: string + required: + - filename + - headers + required: + - hapi + description: The Timelines to import as a readable stream. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelineResult + required: + - data + description: Indicates the import of Timelines was successful. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: + type: string + statusCode: + type: number + description: >- + Indicates the import of Timelines was unsuccessful because of an + invalid file extension. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + statusCode: + type: number + description: >- + Indicates that we were unable to locate the saved object client + necessary to handle the import. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: + type: string + statusCode: + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/_prepackaged: + post: + description: Install or update prepackaged Timelines. + operationId: InstallPrepackedTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + prepackagedTimelines: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + type: array + timelinesToInstall: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelines + nullable: true + type: array + timelinesToUpdate: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelines + nullable: true + type: array + required: + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelineResult + required: + - data + description: Indicates the installation of prepackaged Timelines was successful. + '500': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the installation of prepackaged Timelines was + unsuccessful. + summary: Install prepackaged Timelines + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/resolve: + get: + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + getOneTimeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + nullable: true + required: + - getOneTimeline + required: + - data + description: The (template) Timeline has been found + '400': + description: The request is missing parameters + '404': + description: The (template) Timeline was not found + summary: Get an existing saved Timeline or Timeline template + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timelines: + get: + description: Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines + parameters: + - description: >- + If true, only timelines that are marked as favorites by the user are + returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + nullable: true + - in: query + name: sort_field + schema: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SortFieldTimeline + - in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - in: query + name: page_size + schema: + nullable: true + type: string + - in: query + name: page_index + schema: + nullable: true + type: string + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: status + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + customTemplateTimelineCount: + type: number + defaultTimelineCount: + type: number + elasticTemplateTimelineCount: + type: number + favoriteCount: + type: number + templateTimelineCount: + type: number + timelines: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + type: array + totalCount: + type: number + required: + - timelines + - totalCount + - defaultTimelineCount + - templateTimelineCount + - favoriteCount + - elasticTemplateTimelineCount + - customTemplateTimelineCount + required: + - data + description: Indicates that the (template) Timelines were found and returned. + '400': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Bad request. The user supplied invalid data. + summary: Get Timelines or Timeline templates + tags: + - Security Solution Timeline API + - access:securitySolution + /s/{spaceId}/api/observability/slos: + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: findSlosOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' + in: query + name: kqlQuery + schema: + type: string + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 + in: query + name: page + schema: + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 + in: query + name: perPage + schema: + default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status + in: query + name: sortBy + schema: + default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining + type: string + - description: Sort order + example: asc + in: query + name: sortDirection + schema: + default: asc + enum: + - asc + - desc + type: string + - description: >- + Hide stale SLOs from the list as defined by stale SLO threshold in + SLO settings + in: query + name: hideStale + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_find_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs + tags: + - slo + post: + description: > + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: createSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + servers: + - url: https://localhost:5601 + summary: Create an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/_delete_instances: + post: + description: > + The deletion occurs for the specified list of `sloId` and `instanceId`. + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloInstancesOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_delete_slo_instances_request' + required: true + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + servers: + - url: https://localhost:5601 + summary: Batch delete rollup and summary data + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}: + delete: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Delete an SLO + tags: + - slo + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: getSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + - description: the specific instanceId used by the summary calculation + example: host-abcde + in: query + name: instanceId + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get an SLO + tags: + - slo + put: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: updateSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_update_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Update an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/_reset: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: resetSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Reset an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/disable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: disableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '200': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Disable an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/enable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: enableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Enable an SLO + tags: + - slo +components: + examples: + Data_views_create_data_view_request: + summary: Create a data view with runtime fields. + value: + data_view: + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + title: logstash-* + Data_views_create_runtime_field_request: + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: emit(doc["foo"].value) + type: long + Data_views_get_data_view_response: + summary: >- + The get data view API returns a JSON object that contains information + about the data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number + params: + pattern: $0,0.00 + products.base_unit_price: + id: number + params: + pattern: $0,0.00 + products.min_price: + id: number + params: + pattern: $0,0.00 + products.price: + id: number + params: + pattern: $0,0.00 + products.taxful_price: + id: number + params: + pattern: $0,0.00 + products.taxless_price: + id: number + params: + pattern: $0,0.00 + taxful_total_price: + id: number + params: + pattern: $0,0.[00] + taxless_total_price: + id: number + params: + pattern: $0,0.00 + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category + type: string + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name + type: string + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_full_name + type: string + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + event.dataset: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: manufacturer + type: string + order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category + type: string + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer + type: string + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_name: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name + type: string + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxful_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + type: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + user: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + summary: The get all data views API returns a list of data views. + value: + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + summary: The get default data view API returns the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: + summary: >- + The get runtime field API returns a JSON object that contains + information about the runtime field (`hour_of_day`) and the data view + (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). + value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: + AvgTicketPrice: + id: number + params: + pattern: $0,0.[00] + hour_of_day: + id: number + params: + pattern: '00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + DistanceMiles: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightDelayType + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightNum: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightNum + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeMin: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: FlightTimeMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Origin: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Origin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". + value: + fromId: abcd-efg + toId: xyz-123 + Data_views_set_default_data_view_request: + summary: Set the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_swap_data_view_request: + summary: >- + Swap references from data view ID "abcd-efg" to "xyz-123" and remove the + data view that is no longer referenced. + value: + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_update_data_view_request: + summary: Update some properties for a data view. + value: + data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + summary: Update metadata for multiple fields. + value: + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_runtime_field_request: + summary: Update an existing runtime field on a data view. + value: + runtimeField: + script: + source: emit(doc["bar"].value) + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. + value: + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Serverless_saved_objects_export_objects_request: + summary: Export a specific saved object. + value: + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + type: map + Serverless_saved_objects_export_objects_response: + summary: >- + The export objects API response contains a JSON record for each exported + object. + value: + attributes: + description: '' + layerListJSON: >- + [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total + Requests by + Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web + logs + count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual + Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total + Requests and + Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web + logs + count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] + mapStateJSON: >- + {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} + title: '[Logs] Total Requests and Bytes' + uiStateJSON: '{"isDarkMode":false}' + coreMigrationVersion: 8.8.0 + created_at: '2023-08-23T20:03:32.204Z' + id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + managed: false + references: + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_1_join_0_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_2_source_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_3_source_index_pattern + type: index-pattern + type: map + typeMigrationVersion: 8.4.0 + updated_at: '2023-08-23T20:03:32.204Z' + version: WzEzLDFd + Serverless_saved_objects_import_objects_request: + value: + file: file.ndjson + Serverless_saved_objects_import_objects_response: + summary: >- + The import objects API response indicates a successful import and the + objects are created. Since these objects are created as new copies, each + entry in the successResults array includes a destinationId attribute. + value: + success: true + successCount: 1 + successResults: + - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + managed: false + meta: + icon: indexPatternApp + title: Kibana Sample Data Logs + type: index-pattern + parameters: + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Fleet_format: + description: Simplified or legacy format for package inputs + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + Fleet_kbn_xsrf: + description: Kibana's anti Cross-Site Request Forgery token. Can be any string value. + in: header + name: kbn-xsrf + required: true + schema: + type: string + Fleet_kuery: + in: query + name: kuery + required: false + schema: + type: string + Fleet_page_index: + in: query + name: page + required: false + schema: + default: 1 + type: integer + Fleet_page_size: + description: The number of items to return + in: query + name: perPage + required: false + schema: + default: 20 + type: integer + Fleet_show_inactive: + in: query + name: showInactive + required: false + schema: + type: boolean + Fleet_show_upgradeable: + in: query + name: showUpgradeable + required: false + schema: + type: boolean + Fleet_sort_field: + in: query + name: sortField + required: false + schema: + deprecated: true + type: string + Fleet_sort_order: + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + Fleet_with_metrics: + description: Return agent metrics, false by default + in: query + name: withMetrics + required: false + schema: + type: boolean + Machine_learning_APIs_simulateParam: + description: >- + When true, simulates the synchronization by returning only the list of + actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + Serverless_saved_objects_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: >- + An identifier for the space. If `/s/` and the identifier are omitted + from the path, the default space is used. + in: path + name: spaceId + required: true + schema: + example: default + type: string + responses: + Fleet_error: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + schemas: + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: >- + Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] + not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before the data is available. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: + type: string + required: + - title + override: + default: false + description: >- + Override an existing data view if a data view with the provided + title already exists. + type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: >- + An array of space identifiers for sharing the data view between multiple + spaces. + items: + default: default + type: string + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. + type: string + type: + description: Mapping type of the runtime field. + type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: + type: string + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: > + Specify the type of the saved object reference to alter. The default + value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. + type: string + Data_views_title: + description: >- + Comma-separated list of data streams, indices, and aliases that you want + to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: > + The data view properties you want to update. Only the specified + properties are updated in the data view. Unspecified fields stay as + they are persisted. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: + type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. + type: boolean + required: + - data_view + Fleet_agent: + title: Agent + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + components: + items: + $ref: '#/components/schemas/Fleet_agent_component' + type: array + default_api_key: + type: string + default_api_key_id: + type: string + enrolled_at: + type: string + id: + type: string + last_checkin: + type: string + local_metadata: + $ref: '#/components/schemas/Fleet_agent_metadata' + metrics: + type: object + properties: + cpu_avg: + description: >- + Average agent CPU usage during the last 5 minutes, number + between 0-1 + type: number + memory_size_byte_avg: + description: Average agent memory consumption during the last 5 minutes + type: number + policy_id: + type: string + policy_revision: + type: number + status: + $ref: '#/components/schemas/Fleet_agent_status' + type: + $ref: '#/components/schemas/Fleet_agent_type' + unenrolled_at: + type: string + unenrollment_started_at: + type: string + user_provided_metadata: + $ref: '#/components/schemas/Fleet_agent_metadata' + required: + - type + - active + - enrolled_at + - id + - status + Fleet_agent_action: + oneOf: + - properties: + ack_data: + type: string + data: + type: string + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + - properties: + data: + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + type: + type: string + title: Agent action + Fleet_agent_component: + title: Agent component + type: object + properties: + id: + type: string + message: + type: string + status: + $ref: '#/components/schemas/Fleet_agent_component_status' + type: + type: string + units: + items: + $ref: '#/components/schemas/Fleet_agent_component_unit' + type: array + Fleet_agent_component_status: + enum: + - starting + - configuring + - healthy + - degraded + - failed + - stopping + - stopped + title: Agent component status + type: string + Fleet_agent_component_unit: + title: Agent component unit + type: object + properties: + id: + type: string + message: + type: string + payload: + type: object + status: + $ref: '#/components/schemas/Fleet_agent_component_status' + type: + $ref: '#/components/schemas/Fleet_agent_component_unit_type' + Fleet_agent_component_unit_type: + enum: + - input + - output + title: Agent component unit type + type: string + Fleet_agent_diagnostics: + title: Agent diagnostics + type: object + properties: + actionId: + type: string + createTime: + type: string + filePath: + type: string + id: + type: string + name: + type: string + status: + enum: + - READY + - AWAITING_UPLOAD + - DELETED + - IN_PROGRESS + required: + - id + - name + - createTime + - filePath + - actionId + - status + Fleet_agent_get_by_actions: + items: + items: + type: string + type: array + title: Agents get by action ids + type: array + Fleet_agent_metadata: + title: Agent metadata + type: object + Fleet_agent_policy: + title: Agent Policy + type: object + properties: + advanced_settings: + description: >- + Advanced settings stored in the agent policy, e.g. + agent_limits_go_max_procs + nullable: true + type: object + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + agents: + type: number + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + items: + additionalProperties: + oneOf: + - type: string + - type: number + description: >- + User defined data tags that are added to all of the inputs. The + values can be strings or numbers. + type: object + type: array + id: + type: string + inactivity_timeout: + type: integer + is_protected: + description: >- + Indicates whether the agent policy has tamper protection enabled. + Default false. + type: boolean + keep_monitoring_alive: + description: >- + When set to true, monitoring will be enabled but logs/metrics + collection will be disabled + nullable: true + type: boolean + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_output_id: + nullable: true + type: string + name: + type: string + namespace: + type: string + overrides: + description: >- + Override settings that are defined in the agent policy. Input + settings cannot be overridden. The override option should be used + only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_policies: + description: >- + This field is present only when retrieving a single agent policy, or + when retrieving a list of agent policies with the ?full=true + parameter + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + revision: + type: number + supports_agentless: + description: >- + Indicates whether the agent policy supports agentless integrations. + Only allowed in a serverless environment. + type: boolean + unenroll_timeout: + type: integer + unprivileged_agents: + type: number + updated_by: + type: string + updated_on: + format: date-time + type: string + required: + - id + - status + - name + - namespace + Fleet_agent_policy_create_request: + title: Create agent policy request + type: object + properties: + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + description: Force agent policy creation even if packages are not verified. + type: boolean + global_data_tags: + items: + additionalProperties: + oneOf: + - type: string + - type: number + description: >- + User defined data tags that are added to all of the inputs. The + values can be strings or numbers. + type: object + type: array + id: + type: string + inactivity_timeout: + type: integer + is_protected: + type: boolean + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_output_id: + nullable: true + type: string + name: + type: string + namespace: + type: string + unenroll_timeout: + type: integer + required: + - name + - namespace + Fleet_agent_policy_full: + oneOf: + - type: object + properties: + item: + type: string + - type: object + properties: + item: + $ref: '#/components/schemas/Fleet_full_agent_policy' + title: Agent policy full response + type: object + Fleet_agent_policy_update_request: + title: Update agent policy request + type: object + properties: + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + description: Force agent policy creation even if packages are not verified. + type: boolean + inactivity_timeout: + type: integer + is_protected: + type: boolean + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_output_id: + nullable: true + type: string + name: + type: string + namespace: + type: string + unenroll_timeout: + type: integer + required: + - name + - namespace + Fleet_agent_status: + enum: + - offline + - error + - online + - inactive + - warning + title: Elastic Agent status + type: string + Fleet_agent_type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + title: Agent type + type: string + Fleet_bulk_install_packages_response: + title: Bulk install packages response + type: object + properties: + items: + items: + type: object + properties: + name: + type: string + version: + type: string + type: array + response: + deprecated: true + items: + type: object + properties: + name: + type: string + version: + type: string + type: array + required: + - items + Fleet_bulk_upgrade_agents: + title: Bulk upgrade agents + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + force: + description: Force upgrade, skipping validation (should be used with caution) + type: boolean + rollout_duration_seconds: + description: rolling upgrade window duration in seconds + type: number + skipRateLimitCheck: + description: Skip rate limit check for upgrade + type: boolean + source_uri: + description: alternative upgrade binary download url + type: string + start_time: + description: start time of upgrade in ISO 8601 format + type: string + version: + description: version to upgrade to + type: string + required: + - agents + - version + Fleet_data_stream: + title: Data stream + type: object + properties: + dashboard: + items: + type: object + properties: + id: + type: string + title: + type: string + type: array + dataset: + type: string + index: + type: string + last_activity_ms: + type: number + namespace: + type: string + package: + type: string + package_version: + type: string + size_in_bytes: + type: number + size_in_bytes_formatted: + type: string + type: + type: string + Fleet_download_sources: + title: Download Source + type: object + properties: + host: + type: string + id: + type: string + is_default: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this download source. See the proxies + API for more information. + nullable: true + type: string + required: + - is_default + - name + - host + Fleet_elasticsearch_asset_type: + enum: + - component_template + - ingest_pipeline + - index_template + - ilm_policy + - transform + - data_stream_ilm_policy + title: Elasticsearch asset type + type: string + Fleet_enrollment_api_key: + title: Enrollment API key + type: object + properties: + active: + description: >- + When false, the enrollment API key is revoked and cannot be used for + enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + Fleet_fleet_server_host: + title: Fleet Server Host + type: object + properties: + host_urls: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + proxy_id: + type: string + required: + - fleet_server_hosts + - id + - is_default + - is_preconfigured + - host_urls + Fleet_fleet_settings_response: + title: Fleet settings response + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_settings' + required: + - item + Fleet_fleet_setup_response: + title: Fleet Setup response + type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + type: array + required: + - isInitialized + - nonFatalErrors + Fleet_fleet_status_response: + title: Fleet status response + type: object + properties: + isReady: + type: boolean + missing_optional_features: + items: + enum: + - encrypted_saved_object_encryption_key_required + type: string + type: array + missing_requirements: + items: + enum: + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + type: array + package_verification_key_id: + type: string + required: + - isReady + - missing_requirements + - missing_optional_features + Fleet_full_agent_policy: + title: Full agent policy + type: object + properties: + agent: + nullable: true + type: string + fleet: + oneOf: + - type: object + properties: + hosts: + items: + type: string + type: array + proxy_headers: {} + proxy_url: + type: string + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + - type: object + properties: + kibana: + type: object + properties: + hosts: + items: + type: string + type: array + path: + type: string + protocol: + type: string + id: + type: string + inputs: + type: string + output_permissions: + additionalProperties: + type: object + properties: + data: + $ref: >- + #/components/schemas/Fleet_full_agent_policy_output_permissions + output: + type: integer + type: object + outputs: + additionalProperties: + $ref: '#/components/schemas/Fleet_full_agent_policy_output' + type: object + revision: + type: number + secret_references: + items: + type: object + properties: + id: + type: string + type: array + required: + - id + - outputs + - inputs + Fleet_full_agent_policy_input: + allOf: + - additionalProperties: true + type: object + properties: + data_stream: + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + revision: + type: number + streams: + $ref: '#/components/schemas/Fleet_full_agent_policy_input_stream' + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + title: Full agent policy input + Fleet_full_agent_policy_input_stream: + allOf: + - additionalProperties: true + type: object + properties: + data_stream: + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + - type + id: + type: string + required: + - id + - data_stream + title: Full agent policy input stream + Fleet_full_agent_policy_output: + title: Full agent policy + type: object + properties: + additionalProperties: + type: object + properties: + text: {} + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + type: array + proxy_headers: {} + proxy_url: + type: string + type: {} + required: + - type + - hosts + - ca_sha256 + Fleet_full_agent_policy_output_permissions: + additionalProperties: + type: object + properties: + data: + type: object + properties: + cluster: + items: + type: string + type: array + indices: + items: + type: object + properties: + names: + items: + type: string + type: array + privileges: + items: + type: string + type: array + type: array + packagePolicyName: + type: string + title: Full agent policy output permissions + Fleet_get_agent_tags_response: + title: Get Agent Tags response + type: object + properties: + items: + items: + type: string + type: array + Fleet_get_agents_response: + title: Get Agent response + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_agent' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_agent' + type: array + page: + type: number + perPage: + type: number + statusSummary: + type: object + properties: + degraded': + type: number + enrolling: + type: number + error: + type: number + inactive: + type: number + offline: + type: number + online: + type: number + unenrolled: + type: number + unenrolling: + type: number + updating: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + Fleet_get_bulk_assets_response: + deprecated: true + properties: + items: + items: + type: object + properties: + appLink: + type: string + attributes: + type: object + properties: + description: + type: string + title: + type: string + id: + type: string + type: + $ref: '#/components/schemas/Fleet_saved_object_type' + updatedAt: + type: string + type: array + required: + - items + title: Bulk get assets response + type: object + Fleet_get_categories_response: + title: Get categories response + type: object + properties: + items: + items: + type: object + properties: + count: + type: number + id: + type: string + title: + type: string + required: + - id + - title + - count + type: array + response: + items: + deprecated: true + type: object + properties: + count: + type: number + id: + type: string + title: + type: string + required: + - id + - title + - count + type: array + required: + - items + Fleet_get_packages_response: + title: Get Packages response + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_search_result' + type: array + response: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_search_result' + type: array + required: + - items + Fleet_installation_info: + title: Installation info object + type: object + properties: + created_at: + type: string + experimental_data_stream_features: + type: array + properties: + data_stream: + type: string + features: + type: object + properties: + doc_value_only_numeric: + nullable: true + type: boolean + doc_value_only_other: + nullable: true + type: boolean + synthetic_source: + nullable: true + type: boolean + tsdb: + nullable: true + type: boolean + install_format_schema_version: + type: string + install_kibana_space_id: + type: string + install_source: + enum: + - registry + - upload + - bundled + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + $ref: '#/components/schemas/Fleet_elasticsearch_asset_type' + installed_kibana: + type: object + properties: + id: + type: string + type: + $ref: '#/components/schemas/Fleet_kibana_saved_object_type' + latest_executed_state: + description: Latest successfully executed state in package install state machine + type: object + properties: + error: + type: string + name: + enum: + - create_restart_installation + - install_kibana_assets + - install_ilm_policies + - install_ml_model + - install_index_template_pipelines + - remove_legacy_templates + - update_current_write_indices + - install_transforms + - delete_previous_pipelines + - save_archive_entries_from_assets_map + - update_so + type: string + started_at: + type: string + latest_install_failed_attempts: + description: Latest failed install errors + items: + type: object + properties: + created_at: + type: string + error: + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + target_version: + type: string + type: array + name: + type: string + namespaces: + items: + type: string + type: array + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - verified + - unverified + - unknown + type: string + version: + type: string + required: + - installed_kibana + - installed_es + - name + - version + - install_status + - install_version + - install_started_at + - install_source + - verification_status + - latest_install_failed_attempts + Fleet_kibana_saved_object_type: + enum: + - dashboard + - visualization + - search + - index-pattern + - map + - lens + - ml-module + - security-rule + - csp_rule_template + title: Kibana saved object asset type + type: string + Fleet_new_package_policy: + description: '' + properties: + description: + type: string + enabled: + type: boolean + inputs: + items: + type: object + properties: + config: + type: object + enabled: + type: boolean + processors: + items: + type: string + type: array + streams: + items: {} + type: array + type: + type: string + vars: + type: object + required: + - type + - enabled + type: array + name: + type: string + namespace: + type: string + output_id: + type: string + overrides: + type: object + package: + type: object + properties: + name: + type: string + requires_root: + type: boolean + title: + type: string + version: + type: string + required: + - name + - version + policy_id: + deprecated: true + nullable: true + type: string + policy_ids: + items: + type: string + type: array + required: + - inputs + - name + title: New package policy + type: object + Fleet_output_create_request: + discriminator: + mapping: + elasticsearch: '#/components/schemas/Fleet_output_create_request_elasticsearch' + kafka: '#/components/schemas/Fleet_output_create_request_kafka' + logstash: '#/components/schemas/Fleet_output_create_request_logstash' + remote_elasticsearch: >- + #/components/schemas/Fleet_output_create_request_remote_elasticsearch + propertyName: type + oneOf: + - $ref: '#/components/schemas/Fleet_output_create_request_elasticsearch' + - $ref: '#/components/schemas/Fleet_output_create_request_kafka' + - $ref: '#/components/schemas/Fleet_output_create_request_logstash' + - $ref: >- + #/components/schemas/Fleet_output_create_request_remote_elasticsearch + title: Output + Fleet_output_create_request_elasticsearch: + title: elasticsearch + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - elasticsearch + type: string + required: + - name + Fleet_output_create_request_kafka: + title: kafka + type: object + properties: + auth_type: + type: string + broker_timeout: + type: number + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + client_id: + type: string + compression: + type: string + compression_level: + type: number + config: + type: object + config_yaml: + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + headers: + items: + type: object + properties: + key: + type: string + value: + type: string + type: array + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + key: + type: string + name: + type: string + partition: + type: string + password: + type: string + proxy_id: + type: string + random: + type: object + properties: + group_events: + type: number + required_acks: + type: number + round_robin: + type: object + properties: + group_events: + type: number + sasl: + type: object + properties: + mechanism: + type: string + secrets: + type: object + properties: + password: + type: string + ssl: + type: object + properties: + key: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + verification_mode: + enum: + - none + - full + - certificate + - strict + type: string + timeout: + type: number + topic: + type: string + topics: + deprecated: true + description: Use topic instead. + items: + type: object + properties: + topic: + type: string + when: + deprecated: true + description: >- + Deprecated, kafka output do not support conditionnal topics + anymore. + type: object + properties: + condition: + type: string + type: + type: string + type: array + type: + enum: + - kafka + type: string + username: + type: string + version: + type: string + required: + - name + - type + - topics + - auth_type + - hosts + Fleet_output_create_request_logstash: + title: logstash + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + type: string + secrets: + type: object + properties: + ssl: + type: object + properties: + key: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - logstash + type: string + required: + - name + - hosts + - type + Fleet_output_create_request_remote_elasticsearch: + title: remote_elasticsearch + type: object + properties: + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + secrets: + type: object + properties: + service_token: + type: string + service_token: + type: string + type: + enum: + - remote_elasticsearch + type: string + required: + - name + Fleet_output_update_request: + discriminator: + mapping: + elasticsearch: '#/components/schemas/Fleet_output_update_request_elasticsearch' + kafka: '#/components/schemas/Fleet_output_update_request_kafka' + logstash: '#/components/schemas/Fleet_output_update_request_logstash' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Fleet_output_update_request_elasticsearch' + - $ref: '#/components/schemas/Fleet_output_update_request_kafka' + - $ref: '#/components/schemas/Fleet_output_update_request_logstash' + title: Output + Fleet_output_update_request_elasticsearch: + title: elasticsearch + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - elasticsearch + type: string + required: + - name + - hosts + - type + Fleet_output_update_request_kafka: + title: kafka + type: object + properties: + auth_type: + type: string + broker_timeout: + type: number + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + client_id: + type: string + compression: + type: string + compression_level: + type: number + config: + type: object + config_yaml: + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + headers: + items: + type: object + properties: + key: + type: string + value: + type: string + type: array + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + key: + type: string + name: + type: string + partition: + type: string + password: + type: string + proxy_id: + type: string + random: + type: object + properties: + group_events: + type: number + required_acks: + type: number + round_robin: + type: object + properties: + group_events: + type: number + sasl: + type: object + properties: + mechanism: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + verification_mode: + enum: + - none + - full + - certificate + - strict + type: string + timeout: + type: number + topic: + type: string + topics: + deprecated: true + description: Use topic instead. + items: + type: object + properties: + topic: + type: string + when: + deprecated: true + description: >- + Deprecated, kafka output do not support conditionnal topics + anymore. + type: object + properties: + condition: + type: string + type: + type: string + type: array + type: + enum: + - kafka + type: string + username: + type: string + version: + type: string + required: + - name + Fleet_output_update_request_logstash: + title: logstash + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - logstash + type: string + required: + - name + Fleet_package_info: + title: Package information + type: object + properties: + assets: + items: + type: string + type: array + categories: + items: + type: string + type: array + conditions: + type: object + properties: + elasticsearch: + type: object + properties: + subscription: + enum: + - basic + - gold + - platinum + - enterprise + type: string + kibana: + type: object + properties: + versions: + type: string + data_streams: + items: + type: object + properties: + ingeset_pipeline: + type: string + name: + type: string + package: + type: string + release: + type: string + title: + type: string + type: + type: string + vars: + items: + type: object + properties: + default: + type: string + name: + type: string + required: + - name + - default + type: array + required: + - title + - name + - release + - ingeset_pipeline + - type + - package + type: array + description: + type: string + download: + type: string + elasticsearch: + type: object + properties: + privileges: + type: object + properties: + cluster: + items: + type: string + type: array + format_version: + type: string + icons: + items: + type: string + type: array + internal: + type: boolean + name: + type: string + path: + type: string + readme: + type: string + release: + deprecated: true + description: >- + release label is deprecated, derive from the version instead + (packages follow semver) + enum: + - experimental + - beta + - ga + type: string + screenshots: + items: + type: object + properties: + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + - path + type: array + source: + type: object + properties: + license: + enum: + - Apache-2.0 + - Elastic-2.0 + type: string + title: + type: string + type: + type: string + version: + type: string + required: + - name + - title + - version + - description + - type + - categories + - conditions + - assets + - format_version + - download + - path + Fleet_package_policy: + allOf: + - type: object + properties: + id: + type: string + inputs: + oneOf: + - items: {} + type: array + - type: object + revision: + type: number + required: + - id + - revision + - $ref: '#/components/schemas/Fleet_new_package_policy' + title: Package policy + Fleet_package_policy_request: + title: Package Policy Request + type: object + properties: + description: + description: Package policy description + example: my description + type: string + force: + description: >- + Force package policy creation even if package is not verified, or if + the agent policy is managed. + type: boolean + id: + description: Package policy unique identifier + type: string + inputs: + additionalProperties: + type: object + properties: + enabled: + description: enable or disable that input, (default to true) + type: boolean + streams: + additionalProperties: + type: object + properties: + enabled: + description: enable or disable that stream, (default to true) + type: boolean + vars: + description: >- + Stream level variable (see integration documentation for + more information) + type: object + description: >- + Input streams (see integration documentation to know what + streams are available) + type: object + vars: + description: >- + Input level variable (see integration documentation for more + information) + type: object + description: >- + Package policy inputs (see integration documentation to know what + inputs are available) + example: + nginx-logfile: + enabled: true + streams: + nginx.access: + enabled: true + vars: + ignore_older: 72h + paths: + - /var/log/nginx/access.log* + preserve_original_event: false + tags: + - nginx-access + type: object + name: + description: Package policy name (should be unique) + example: nginx-123 + type: string + namespace: + description: >- + The package policy namespace. Leave blank to inherit the agent + policy's namespace. + example: customnamespace + type: string + output_id: + description: Output ID to send package data to + example: output-id + nullable: true + type: string + overrides: + description: >- + Override settings that are defined in the package policy. The + override option should be used only in unusual circumstances and not + as a routine procedure. + nullable: true + type: object + properties: + inputs: + type: object + package: + type: object + properties: + name: + description: Package name + example: nginx + type: string + version: + description: Package version + example: 1.6.0 + type: string + required: + - name + - version + policy_id: + deprecated: true + description: Agent policy ID where that package policy will be added + example: agent-policy-id + nullable: true + type: string + policy_ids: + description: Agent policy IDs where that package policy will be added + example: + - agent-policy-id + items: + type: string + type: array + vars: + description: >- + Package root level variable (see integration documentation for more + information) + type: object + required: + - name + - package + Fleet_package_usage_stats: + title: Package usage stats + type: object + properties: + agent_policy_count: + type: integer + required: + - agent_policy_count + Fleet_proxies: + title: Fleet Proxy + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + id: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + required: + - name + - url + Fleet_saved_object_type: + oneOf: + - enum: + - dashboard + - visualization + - search + - index_pattern + - map + - lens + - security_rule + - csp_rule_template + - ml_module + - tag + - osquery_pack_asset + - osquery_saved_query + type: string + - enum: + - index + - component_template + - ingest_pipeline + - index_template + - ilm_policy + - transform + - data_stream_ilm_policy + - ml_model + type: string + title: Saved Object type + Fleet_search_result: + title: Search result + type: object + properties: + description: + type: string + download: + type: string + icons: + type: string + installationInfo: + $ref: '#/components/schemas/Fleet_installation_info' + name: + type: string + path: + type: string + savedObject: + deprecated: true + type: object + status: + type: string + title: + type: string + type: + type: string + version: + type: string + required: + - description + - download + - icons + - name + - path + - title + - type + - version + - status + Fleet_settings: + title: Settings + type: object + properties: + fleet_server_hosts: + deprecated: true + items: + type: string + type: array + has_seen_add_data_notice: + type: boolean + id: + type: string + prerelease_integrations_enabled: + type: boolean + required: + - fleet_server_hosts + - id + Fleet_upgrade_agent: + title: Upgrade agent + type: object + properties: + force: + description: Force upgrade, skipping validation (should be used with caution) + type: boolean + skipRateLimitCheck: + description: Skip rate limit check for upgrade + type: boolean + source_uri: + type: string + version: + type: string + required: + - version + Fleet_upgrade_agent_diff: + items: + items: + $ref: '#/components/schemas/Fleet_full_agent_policy_input' + type: array + title: Package policy Upgrade dryrun + type: array + Fleet_upgrade_diff: + items: + allOf: + - $ref: '#/components/schemas/Fleet_package_policy' + - allOf: + - $ref: '#/components/schemas/Fleet_new_package_policy' + - type: object + properties: + errors: + items: + type: object + properties: + key: + type: string + message: + type: string + type: array + missingVars: + items: + type: string + type: array + type: object + title: Package policy Upgrade dryrun + type: array + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. + type: object + properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false + type: object + properties: + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + required: + - level + required: + - overall + required: + - status + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: >- + Kibana's operational status as well as a detailed breakdown of plugin + statuses indication of various loads (like event loop utilization and + network traffic) at time of request. + type: object + properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. + type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. + type: string + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. + type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: >- + Unique, generated Kibana instance UUID. This UUID should persist + even if the Kibana process restarts. + type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. + type: string + build_flavor: + description: >- + The build flavour determines configuration and behavior of + Kibana. On premise users will almost always run the + "traditional" flavour, while other flavours are reserved for + Elastic-specific use cases. + enum: + - serverless + - traditional + type: string + build_hash: + description: >- + A unique hash value representing the git commit of this Kibana + build. + type: string + build_number: + description: >- + A monotonically increasing number, each subsequent build will + have a higher number. + type: number + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. + type: string + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + Machine_learning_APIs_mlSync200Response: + properties: + datafeedsAdded: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job is missing a datafeed + identifier, it is added when you run the sync machine learning saved + objects API. + type: object + datafeedsRemoved: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job references a datafeed + that no longer exists, it is deleted when you run the sync machine + learning saved objects API. + type: object + savedObjectsCreated: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + savedObjectsDeleted: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + title: Successful sync API response + type: object + Machine_learning_APIs_mlSync4xxResponse: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful sync API response + type: object + Machine_learning_APIs_mlSyncResponseAnomalyDetectors: + description: >- + The sync machine learning saved objects API response contains this + object when there are anomaly detection jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for anomaly detection jobs + type: object + Machine_learning_APIs_mlSyncResponseDatafeeds: + description: >- + The sync machine learning saved objects API response contains this + object when there are datafeeds affected by the synchronization. There + is an object for each relevant datafeed, which contains the + synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for datafeeds + type: object + Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: + description: >- + The sync machine learning saved objects API response contains this + object when there are data frame analytics jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for data frame analytics jobs + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: + description: >- + If saved objects are missing for machine learning jobs or trained + models, they are created when you run the sync machine learning saved + objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If saved objects are missing for anomaly detection jobs, they are + created. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If saved objects are missing for data frame analytics jobs, they are + created. + type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: If saved objects are missing for trained models, they are created. + type: object + title: Sync API response for created saved objects + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: + description: >- + If saved objects exist for machine learning jobs or trained models that + no longer exist, they are deleted when you run the sync machine learning + saved objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If there are saved objects exist for nonexistent anomaly detection + jobs, they are deleted. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If there are saved objects exist for nonexistent data frame + analytics jobs, they are deleted. + type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: >- + If there are saved objects exist for nonexistent trained models, + they are deleted. + type: object + title: Sync API response for deleted saved objects + type: object + Machine_learning_APIs_mlSyncResponseSuccess: + description: The success or failure of the synchronization. + type: boolean + Machine_learning_APIs_mlSyncResponseTrainedModels: + description: >- + The sync machine learning saved objects API response contains this + object when there are trained models affected by the synchronization. + There is an object for each relevant trained model, which contains the + synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for trained models + type: object + Security_AI_Assistant_API_AnonymizationFieldCreateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + field: + type: string + required: + - field + Security_AI_Assistant_API_AnonymizationFieldDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_AnonymizationFieldResponse: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + createdAt: + type: string + createdBy: + type: string + field: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + namespace: + description: Kibana space + type: string + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + updatedBy: + type: string + required: + - id + - field + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: + enum: + - ANONYMIZATION_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + required: + - id + - skip_reason + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: + type: object + properties: + anonymization_fields_count: + type: integer + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + - summary + message: + type: string + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + type: array + updated: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_AnonymizationFieldUpdateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + id: + type: string + required: + - id + Security_AI_Assistant_API_ApiConfig: + type: object + properties: + actionTypeId: + description: action type id + type: string + connectorId: + description: connector id + type: string + defaultSystemPromptId: + description: defaultSystemPromptId + type: string + model: + description: model + type: string + provider: + $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' + description: Provider + required: + - connectorId + - actionTypeId + Security_AI_Assistant_API_BulkCrudActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_AI_Assistant_API_ChatCompleteProps: + type: object + properties: + connectorId: + type: string + conversationId: + type: string + isStream: + type: boolean + langSmithApiKey: + type: string + langSmithProject: + type: string + messages: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' + type: array + model: + type: string + persist: + type: boolean + promptId: + type: string + responseLanguage: + type: string + required: + - messages + - persist + - connectorId + Security_AI_Assistant_API_ChatMessage: + description: AI assistant message. + type: object + properties: + content: + description: Message content. + type: string + data: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' + description: ECS object to attach to the context of the message. + fields_to_anonymize: + items: + type: string + type: array + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' + description: Message role. + required: + - role + Security_AI_Assistant_API_ChatMessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_ConversationCategory: + description: The conversation category. + enum: + - assistant + - insights + type: string + Security_AI_Assistant_API_ConversationConfidence: + description: The conversation confidence. + enum: + - low + - medium + - high + type: string + Security_AI_Assistant_API_ConversationCreateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + description: The conversation id. + type: string + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + title: + description: The conversation title. + type: string + required: + - title + Security_AI_Assistant_API_ConversationResponse: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + createdAt: + description: The last time conversation was updated. + type: string + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + namespace: + description: Kibana space + type: string + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + title: + description: The conversation title. + type: string + updatedAt: + description: The last time conversation was updated. + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - title + - createdAt + - users + - namespace + - category + Security_AI_Assistant_API_ConversationSummary: + type: object + properties: + confidence: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationConfidence + description: >- + How confident you are about this being a correct and useful + learning. + content: + description: Summary text of the conversation over time. + type: string + public: + description: Define if summary is marked as publicly available. + type: boolean + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp summary was updated. + Security_AI_Assistant_API_ConversationUpdateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + title: + description: The conversation title. + type: string + required: + - id + Security_AI_Assistant_API_FindAnonymizationFieldsSortField: + enum: + - created_at + - anonymized + - allowed + - field + - updated_at + type: string + Security_AI_Assistant_API_FindConversationsSortField: + enum: + - created_at + - is_default + - title + - updated_at + type: string + Security_AI_Assistant_API_FindPromptsSortField: + enum: + - created_at + - is_default + - name + - updated_at + type: string + Security_AI_Assistant_API_Message: + description: AI assistant conversation message. + type: object + properties: + content: + description: Message content. + type: string + isError: + description: Is error message. + type: boolean + reader: + $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' + description: Message content. + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' + description: Message role. + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp message was sent or received. + traceData: + $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' + description: trace Data + required: + - timestamp + - content + - role + Security_AI_Assistant_API_MessageData: + additionalProperties: true + type: object + Security_AI_Assistant_API_MessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_AI_Assistant_API_NormalizedAnonymizationFieldError: + type: object + properties: + anonymization_fields: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + type: array + err_code: + type: string + message: + type: string + status_code: + type: integer + required: + - message + - status_code + - anonymization_fields + Security_AI_Assistant_API_NormalizedPromptError: + type: object + properties: + err_code: + type: string + message: + type: string + prompts: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + type: array + status_code: + type: integer + required: + - message + - status_code + - prompts + Security_AI_Assistant_API_PromptCreateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + required: + - name + - content + - promptType + Security_AI_Assistant_API_PromptDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_PromptResponse: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + createdAt: + type: string + createdBy: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + namespace: + description: Kibana space + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + updatedBy: + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - name + - promptType + - content + Security_AI_Assistant_API_PromptsBulkActionSkipReason: + enum: + - PROMPT_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_PromptsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason + required: + - id + - skip_reason + Security_AI_Assistant_API_PromptsBulkCrudActionResponse: + type: object + properties: + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + - summary + message: + type: string + prompts_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_PromptsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + type: array + updated: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_PromptType: + description: Prompt type + enum: + - system + - quick + type: string + Security_AI_Assistant_API_PromptUpdateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + id: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + required: + - id + Security_AI_Assistant_API_Provider: + description: Provider + enum: + - OpenAI + - Azure OpenAI + type: string + Security_AI_Assistant_API_Reader: + additionalProperties: true + type: object + Security_AI_Assistant_API_Replacements: + additionalProperties: + type: string + description: Replacements object used to anonymize/deanomymize messsages + type: object + Security_AI_Assistant_API_SortOrder: + enum: + - asc + - desc + type: string + Security_AI_Assistant_API_TraceData: + description: trace Data + type: object + properties: + traceId: + description: Could be any string, not necessarily a UUID + type: string + transactionId: + description: Could be any string, not necessarily a UUID + type: string + Security_AI_Assistant_API_User: + description: Could be any string, not necessarily a UUID + type: object + properties: + id: + description: User id + type: string + name: + description: User name + type: string + Security_Solution_Detections_API_AlertAssignees: + type: object + properties: + add: + description: A list of users ids to assign. + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + remove: + description: A list of users ids to unassign. + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + required: + - add + - remove + Security_Solution_Detections_API_AlertIds: + description: A list of alerts ids. + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + minItems: 1 + type: array + Security_Solution_Detections_API_AlertsIndex: + deprecated: true + description: (deprecated) Has no effect. + type: string + Security_Solution_Detections_API_AlertsIndexNamespace: + description: Has no effect. + type: string + Security_Solution_Detections_API_AlertsSort: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSortCombinations + - items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSortCombinations + type: array + Security_Solution_Detections_API_AlertsSortCombinations: + anyOf: + - type: string + - additionalProperties: true + type: object + Security_Solution_Detections_API_AlertStatus: + enum: + - open + - closed + - acknowledged + - in-progress + type: string + Security_Solution_Detections_API_AlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionDuration + group_by: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionGroupBy + missing_fields_strategy: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionMissingFieldsStrategy + required: + - group_by + Security_Solution_Detections_API_AlertSuppressionDuration: + type: object + properties: + unit: + enum: + - s + - m + - h + type: string + value: + minimum: 1 + type: integer + required: + - value + - unit + Security_Solution_Detections_API_AlertSuppressionGroupBy: + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Solution_Detections_API_AlertSuppressionMissingFieldsStrategy: + description: >- + Describes how alerts will be generated for documents with missing + suppress by fields: + + doNotSuppress - per each document a separate alert will be created + + suppress - only alert will be created per suppress by bucket + enum: + - doNotSuppress + - suppress + type: string + Security_Solution_Detections_API_AlertTag: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + Security_Solution_Detections_API_AlertTags: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTag' + type: array + Security_Solution_Detections_API_AnomalyThreshold: + description: Anomaly threshold + minimum: 0 + type: integer + Security_Solution_Detections_API_BuildingBlockType: + description: >- + Determines if the rule acts as a building block. By default, + building-block alerts are not displayed in the UI. These rules are used + as a foundation for other rules that do generate alerts. Its value must + be default. + type: string + Security_Solution_Detections_API_BulkActionEditPayload: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadTags + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadIndexPatterns + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadInvestigationFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadTimeline + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadRuleActions + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadSchedule + Security_Solution_Detections_API_BulkActionEditPayloadIndexPatterns: + type: object + properties: + overwrite_data_views: + type: boolean + type: + enum: + - add_index_patterns + - delete_index_patterns + - set_index_patterns + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadInvestigationFields: + type: object + properties: + type: + enum: + - add_investigation_fields + - delete_investigation_fields + - set_investigation_fields + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadRuleActions: + type: object + properties: + type: + enum: + - add_rule_actions + - set_rule_actions + type: string + value: + type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NormalizedRuleAction + type: array + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThrottleForBulkActions + required: + - actions + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadSchedule: + type: object + properties: + type: + enum: + - set_schedule + type: string + value: + type: object + properties: + interval: + description: >- + Interval in which the rule runs. For example, `"1h"` means the + rule runs every hour. + example: 1h + pattern: ^[1-9]\d*[smh]$ + type: string + lookback: + description: Lookback time for the rule + example: 1h + pattern: ^[1-9]\d*[smh]$ + type: string + required: + - interval + - lookback + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadTags: + type: object + properties: + type: + enum: + - add_tags + - delete_tags + - set_tags + type: string + value: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleTagArray' + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadTimeline: + type: object + properties: + type: + enum: + - set_timeline + type: string + value: + type: object + properties: + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + required: + - timeline_id + - timeline_title + required: + - type + - value + Security_Solution_Detections_API_BulkActionsDryRunErrCode: + enum: + - IMMUTABLE + - MACHINE_LEARNING_AUTH + - MACHINE_LEARNING_INDEX_PATTERN + - ESQL_INDEX_PATTERN + - MANUAL_RULE_RUN_FEATURE + - MANUAL_RULE_RUN_DISABLED_RULE + type: string + Security_Solution_Detections_API_BulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditSkipReason + required: + - id + - skip_reason + Security_Solution_Detections_API_BulkDeleteRules: + type: object + properties: + action: + enum: + - delete + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkDisableRules: + type: object + properties: + action: + enum: + - disable + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkDuplicateRules: + type: object + properties: + action: + enum: + - duplicate + type: string + duplicate: + type: object + properties: + include_exceptions: + description: Whether to copy exceptions from the original rule + type: boolean + include_expired_exceptions: + description: Whether to copy expired exceptions from the original rule + type: boolean + required: + - include_exceptions + - include_expired_exceptions + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkEditActionResponse: + type: object + properties: + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NormalizedRuleError + type: array + results: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditActionResults + summary: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditActionSummary + required: + - results + - summary + message: + type: string + rules_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_Solution_Detections_API_BulkEditActionResults: + type: object + properties: + created: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + deleted: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionSkipResult + type: array + updated: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_Solution_Detections_API_BulkEditActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_Solution_Detections_API_BulkEditRules: + type: object + properties: + action: + enum: + - edit + type: string + edit: + description: Array of objects containing the edit operations + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayload + minItems: 1 + type: array + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + - edit + Security_Solution_Detections_API_BulkEditSkipReason: + enum: + - RULE_NOT_MODIFIED + type: string + Security_Solution_Detections_API_BulkEnableRules: + type: object + properties: + action: + enum: + - enable + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkExportActionResponse: + type: string + Security_Solution_Detections_API_BulkExportRules: + type: object + properties: + action: + enum: + - export + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkManualRuleRun: + type: object + properties: + action: + enum: + - run + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + run: + type: object + properties: + end_date: + description: End date of the manual rule run + type: string + start_date: + description: Start date of the manual rule run + type: string + required: + - start_date + required: + - action + - run + Security_Solution_Detections_API_ConcurrentSearches: + minimum: 1 + type: integer + Security_Solution_Detections_API_DataViewId: + type: string + Security_Solution_Detections_API_DefaultParams: + type: object + properties: + command: + enum: + - isolate + type: string + comment: + type: string + required: + - command + Security_Solution_Detections_API_EcsMapping: + additionalProperties: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + type: object + Security_Solution_Detections_API_EndpointResponseAction: + type: object + properties: + action_type_id: + enum: + - .endpoint + type: string + params: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_DefaultParams + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ProcessesParams + required: + - action_type_id + - params + Security_Solution_Detections_API_EqlOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + event_category_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EventCategoryOverride + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + tiebreaker_field: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TiebreakerField + timestamp_field: + $ref: '#/components/schemas/Security_Solution_Detections_API_TimestampField' + Security_Solution_Detections_API_EqlQueryLanguage: + enum: + - eql + type: string + Security_Solution_Detections_API_EqlRequiredFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlQueryLanguage + description: Query language to use + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql + type: string + required: + - type + - query + - language + Security_Solution_Detections_API_EqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleResponseFields + Security_Solution_Detections_API_EqlRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateFields + Security_Solution_Detections_API_EqlRulePatchFields: + allOf: + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlQueryLanguage + description: Query language to use + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRulePatchFields + Security_Solution_Detections_API_EqlRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateFields + Security_Solution_Detections_API_ErrorSchema: + additionalProperties: false + type: object + properties: + error: + type: object + properties: + message: + type: string + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + id: + type: string + item_id: + minLength: 1 + type: string + list_id: + minLength: 1 + type: string + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + required: + - error + Security_Solution_Detections_API_EsqlQueryLanguage: + enum: + - esql + type: string + Security_Solution_Detections_API_EsqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleResponseFields + Security_Solution_Detections_API_EsqlRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleRequiredFields + Security_Solution_Detections_API_EsqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateFields + Security_Solution_Detections_API_EsqlRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + Security_Solution_Detections_API_EsqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlQueryLanguage + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: ESQL query to execute + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + type: + description: Rule type + enum: + - esql + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + Security_Solution_Detections_API_EsqlRuleRequiredFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: ESQL query to execute + type: + description: Rule type + enum: + - esql + type: string + required: + - type + - language + - query + Security_Solution_Detections_API_EsqlRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleRequiredFields + Security_Solution_Detections_API_EsqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateFields + Security_Solution_Detections_API_EventCategoryOverride: + type: string + Security_Solution_Detections_API_ExceptionListType: + description: The exception type + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Detections_API_ExternalRuleSource: + description: >- + Type of rule source for externally sourced rules, i.e. rules that have + an external source, such as the Elastic Prebuilt rules repo. + type: object + properties: + is_customized: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsExternalRuleCustomized + type: + enum: + - external + type: string + required: + - type + - is_customized + Security_Solution_Detections_API_FindRulesSortField: + enum: + - created_at + - createdAt + - enabled + - execution_summary.last_execution.date + - execution_summary.last_execution.metrics.execution_gap_duration_s + - execution_summary.last_execution.metrics.total_indexing_duration_ms + - execution_summary.last_execution.metrics.total_search_duration_ms + - execution_summary.last_execution.status + - name + - risk_score + - riskScore + - severity + - updated_at + - updatedAt + type: string + Security_Solution_Detections_API_HistoryWindowStart: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + Security_Solution_Detections_API_IndexPatternArray: + items: + type: string + type: array + Security_Solution_Detections_API_InternalRuleSource: + description: >- + Type of rule source for internally sourced rules, i.e. created within + the Kibana apps. + type: object + properties: + type: + enum: + - internal + type: string + required: + - type + Security_Solution_Detections_API_InvestigationFields: + description: > + Schema for fields relating to investigation fields. These are user + defined fields we use to highlight + + in various features in the UI such as alert details flyout and + exceptions auto-population from alert. + + Added in PR #163235 + + Right now we only have a single field but anticipate adding more related + fields to store various + + configuration states such as `override` - where a user might say if they + want only these fields to + + display, or if they want these fields + the fields we select. When + expanding this field, it may look + + something like: + + ```typescript + + const investigationFields = z.object({ + field_names: NonEmptyArray(NonEmptyString), + override: z.boolean().optional(), + }); + + ``` + type: object + properties: + field_names: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + minItems: 1 + type: array + required: + - field_names + Security_Solution_Detections_API_InvestigationGuide: + description: Notes to help investigate alerts produced by the rule. + type: string + Security_Solution_Detections_API_IsExternalRuleCustomized: + description: >- + Determines whether an external/prebuilt rule has been customized by the + user (i.e. any of its fields have been modified and diverged from the + base value). + type: boolean + Security_Solution_Detections_API_IsRuleEnabled: + description: Determines whether the rule is enabled. + type: boolean + Security_Solution_Detections_API_IsRuleImmutable: + deprecated: true + description: >- + This field determines whether the rule is a prebuilt Elastic rule. It + will be replaced with the `rule_source` field. + type: boolean + Security_Solution_Detections_API_ItemsPerSearch: + minimum: 1 + type: integer + Security_Solution_Detections_API_KqlQueryLanguage: + enum: + - kuery + - lucene + type: string + Security_Solution_Detections_API_MachineLearningJobId: + description: Machine learning job ID + oneOf: + - type: string + - items: + type: string + minItems: 1 + type: array + Security_Solution_Detections_API_MachineLearningRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleResponseFields + Security_Solution_Detections_API_MachineLearningRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateFields + Security_Solution_Detections_API_MachineLearningRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + Security_Solution_Detections_API_MachineLearningRulePatchFields: + allOf: + - type: object + properties: + anomaly_threshold: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AnomalyThreshold + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningJobId + type: + description: Rule type + enum: + - machine_learning + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRulePatchFields + Security_Solution_Detections_API_MachineLearningRuleRequiredFields: + type: object + properties: + anomaly_threshold: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AnomalyThreshold + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningJobId + type: + description: Rule type + enum: + - machine_learning + type: string + required: + - type + - machine_learning_job_id + - anomaly_threshold + Security_Solution_Detections_API_MachineLearningRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateFields + Security_Solution_Detections_API_MaxSignals: + minimum: 1 + type: integer + Security_Solution_Detections_API_NewTermsFields: + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Solution_Detections_API_NewTermsRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleResponseFields + Security_Solution_Detections_API_NewTermsRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleDefaultableFields + Security_Solution_Detections_API_NewTermsRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateFields + Security_Solution_Detections_API_NewTermsRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_NewTermsRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + Security_Solution_Detections_API_NewTermsRulePatchFields: + allOf: + - type: object + properties: + history_window_start: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_HistoryWindowStart + new_terms_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsFields + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleDefaultableFields + Security_Solution_Detections_API_NewTermsRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRulePatchFields + Security_Solution_Detections_API_NewTermsRuleRequiredFields: + type: object + properties: + history_window_start: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_HistoryWindowStart + new_terms_fields: + $ref: '#/components/schemas/Security_Solution_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms + type: string + required: + - type + - query + - new_terms_fields + - history_window_start + Security_Solution_Detections_API_NewTermsRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_NewTermsRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateFields + Security_Solution_Detections_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Detections_API_NormalizedRuleAction: + additionalProperties: false + type: object + properties: + alerts_filter: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionAlertsFilter + frequency: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionFrequency + group: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionGroup + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleActionId' + params: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionParams + required: + - id + - params + Security_Solution_Detections_API_NormalizedRuleError: + type: object + properties: + err_code: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionsDryRunErrCode + message: + type: string + rules: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDetailsInError + type: array + status_code: + type: integer + required: + - message + - status_code + - rules + Security_Solution_Detections_API_OsqueryParams: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_EcsMapping' + pack_id: + type: string + queries: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_OsqueryQuery' + type: array + query: + type: string + saved_query_id: + type: string + timeout: + type: number + Security_Solution_Detections_API_OsqueryQuery: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_EcsMapping' + id: + description: Query ID + type: string + platform: + type: string + query: + description: Query to run + type: string + removed: + type: boolean + snapshot: + type: boolean + version: + description: Query version + type: string + required: + - id + - query + Security_Solution_Detections_API_OsqueryResponseAction: + type: object + properties: + action_type_id: + enum: + - .osquery + type: string + params: + $ref: '#/components/schemas/Security_Solution_Detections_API_OsqueryParams' + required: + - action_type_id + - params + Security_Solution_Detections_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Detections_API_ProcessesParams: + type: object + properties: + command: + enum: + - kill-process + - suspend-process + type: string + comment: + type: string + config: + type: object + properties: + field: + description: Field to use instead of process.pid + type: string + overwrite: + default: true + description: Whether to overwrite field with process.pid + type: boolean + required: + - field + required: + - command + - config + Security_Solution_Detections_API_QueryRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleResponseFields + Security_Solution_Detections_API_QueryRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleDefaultableFields + Security_Solution_Detections_API_QueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateFields + Security_Solution_Detections_API_QueryRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + Security_Solution_Detections_API_QueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + Security_Solution_Detections_API_QueryRulePatchFields: + allOf: + - type: object + properties: + type: + description: Rule type + enum: + - query + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleDefaultableFields + Security_Solution_Detections_API_QueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRulePatchFields + Security_Solution_Detections_API_QueryRuleRequiredFields: + type: object + properties: + type: + description: Rule type + enum: + - query + type: string + required: + - type + Security_Solution_Detections_API_QueryRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + required: + - query + - language + Security_Solution_Detections_API_QueryRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateFields + Security_Solution_Detections_API_RelatedIntegration: + description: > + Related integration is a potential dependency of a rule. It's assumed + that if the user installs + + one of the related integrations of a rule, the rule might start to work + properly because it will + + have source events (generated by this integration) potentially matching + the rule's query. + + + NOTE: Proper work is not guaranteed, because a related integration, if + installed, can be + + configured differently or generate data that is not necessarily relevant + for this rule. + + + Related integration is a combination of a Fleet package and (optionally) + one of the + + package's "integrations" that this package contains. It is represented + by 3 properties: + + + - `package`: name of the package (required, unique id) + + - `version`: version of the package (required, semver-compatible) + + - `integration`: name of the integration of this package (optional, id + within the package) + + + There are Fleet packages like `windows` that contain only one + integration; in this case, + + `integration` should be unspecified. There are also packages like `aws` + and `azure` that contain + + several integrations; in this case, `integration` should be specified. + + + @example + + const x: RelatedIntegration = { + package: 'windows', + version: '1.5.x', + }; + + + @example + + const x: RelatedIntegration = { + package: 'azure', + version: '~1.1.6', + integration: 'activitylogs', + }; + type: object + properties: + integration: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + package: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + version: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + required: + - package + - version + Security_Solution_Detections_API_RelatedIntegrationArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegration + type: array + Security_Solution_Detections_API_RequiredField: + description: > + Describes an Elasticsearch field that is needed for the rule to + function. + + + Almost all types of Security rules check source event documents for a + match to some kind of + + query or filter. If a document has certain field with certain values, + then it's a match and + + the rule will generate an alert. + + + Required field is an event field that must be present in the source + indices of a given rule. + + + @example + + const standardEcsField: RequiredField = { + name: 'event.action', + type: 'keyword', + ecs: true, + }; + + + @example + + const nonEcsField: RequiredField = { + name: 'winlog.event_data.AttributeLDAPDisplayName', + type: 'keyword', + ecs: false, + }; + type: object + properties: + ecs: + description: Whether the field is an ECS field + type: boolean + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Type of the Elasticsearch field + required: + - name + - type + - ecs + Security_Solution_Detections_API_RequiredFieldArray: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RequiredField' + type: array + Security_Solution_Detections_API_RequiredFieldInput: + description: >- + Input parameters to create a RequiredField. Does not include the `ecs` + field, because `ecs` is calculated on the backend based on the field + name and type. + type: object + properties: + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Type of an Elasticsearch field + required: + - name + - type + Security_Solution_Detections_API_ResponseAction: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_OsqueryResponseAction + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EndpointResponseAction + Security_Solution_Detections_API_ResponseFields: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + type: string + execution_summary: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionSummary + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + immutable: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleImmutable + required_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldArray + revision: + minimum: 0 + type: integer + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_source: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleSource' + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - rule_id + - immutable + - updated_at + - updated_by + - created_at + - created_by + - revision + - related_integrations + - required_fields + Security_Solution_Detections_API_RiskScore: + description: Risk score (0 to 100) + maximum: 100 + minimum: 0 + type: integer + Security_Solution_Detections_API_RiskScoreMapping: + description: >- + Overrides generated alerts' risk_score with a value from the source + event + items: + type: object + properties: + field: + type: string + operator: + enum: + - equals + type: string + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + value: + type: string + required: + - field + - operator + - value + type: array + Security_Solution_Detections_API_RuleAction: + type: object + properties: + action_type_id: + description: The action type used for sending notifications. + type: string + alerts_filter: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionAlertsFilter + frequency: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionFrequency + group: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionGroup + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleActionId' + params: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionParams + uuid: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + required: + - action_type_id + - id + - params + Security_Solution_Detections_API_RuleActionAlertsFilter: + additionalProperties: true + type: object + Security_Solution_Detections_API_RuleActionFrequency: + description: >- + The action frequency defines when the action runs (for example, only on + rule execution or at specific time intervals). + type: object + properties: + notifyWhen: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionNotifyWhen + summary: + description: >- + Action summary indicates whether we will send a summary notification + about all the generate alerts or notification per individual alert + type: boolean + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + nullable: true + required: + - summary + - notifyWhen + - throttle + Security_Solution_Detections_API_RuleActionGroup: + description: >- + Optionally groups actions by use cases. Use `default` for alert + notifications. + type: string + Security_Solution_Detections_API_RuleActionId: + description: The connector ID. + type: string + Security_Solution_Detections_API_RuleActionNotifyWhen: + description: >- + The condition for throttling the notification: `onActionGroupChange`, + `onActiveAlert`, or `onThrottleInterval` + enum: + - onActiveAlert + - onThrottleInterval + - onActionGroupChange + type: string + Security_Solution_Detections_API_RuleActionParams: + additionalProperties: true + description: >- + Object containing the allowed connector fields, which varies according + to the connector type. + type: object + Security_Solution_Detections_API_RuleActionThrottle: + description: Defines how often rule actions are taken. + oneOf: + - enum: + - no_actions + - rule + type: string + - description: Time interval in seconds, minutes, hours, or days. + example: 1h + pattern: ^[1-9]\d*[smhd]$ + type: string + Security_Solution_Detections_API_RuleAuthorArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleCreateProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateProps + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleDescription: + minLength: 1 + type: string + Security_Solution_Detections_API_RuleDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_Solution_Detections_API_RuleExceptionList: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: ID of the exception container + list_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: List ID of the exception container + namespace_type: + description: Determines the exceptions validity in rule's Kibana space + enum: + - agnostic + - single + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ExceptionListType + required: + - id + - list_id + - type + - namespace_type + Security_Solution_Detections_API_RuleExecutionMetrics: + type: object + properties: + execution_gap_duration_s: + description: Duration in seconds of execution gap + minimum: 0 + type: integer + total_enrichment_duration_ms: + description: >- + Total time spent enriching documents during current rule execution + cycle + minimum: 0 + type: integer + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during current rule execution + cycle + minimum: 0 + type: integer + total_search_duration_ms: + description: >- + Total time spent performing ES searches as measured by Kibana; + includes network latency and time spent serializing/deserializing + request/response + minimum: 0 + type: integer + Security_Solution_Detections_API_RuleExecutionStatus: + description: >- + Custom execution status of Security rules that is different from the + status used in the Alerting Framework. We merge our custom status with + the Framework's status to determine the resulting status of a rule. + + - going to run - @deprecated Replaced by the 'running' status but left + for backwards compatibility with rule execution events already written + to Event Log in the prior versions of Kibana. Don't use when writing + rule status changes. + + - running - Rule execution started but not reached any intermediate or + final status. + + - partial failure - Rule can partially fail for various reasons either + in the middle of an execution (in this case we update its status right + away) or in the end of it. So currently this status can be both + intermediate and final at the same time. A typical reason for a partial + failure: not all the indices that the rule searches over actually exist. + + - failed - Rule failed to execute due to unhandled exception or a reason + defined in the business logic of its executor function. + + - succeeded - Rule executed successfully without any issues. Note: this + status is just an indication of a rule's "health". The rule might or + might not generate any alerts despite of it. + enum: + - going to run + - running + - partial failure + - failed + - succeeded + type: string + Security_Solution_Detections_API_RuleExecutionStatusOrder: + type: integer + Security_Solution_Detections_API_RuleExecutionSummary: + type: object + properties: + last_execution: + type: object + properties: + date: + description: Date of the last execution + format: date-time + type: string + message: + type: string + metrics: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionMetrics + status: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionStatus + description: Status of the last execution + status_order: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionStatusOrder + required: + - date + - status + - status_order + - message + - metrics + required: + - last_execution + Security_Solution_Detections_API_RuleFalsePositiveArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleFilterArray: + items: {} + type: array + Security_Solution_Detections_API_RuleInterval: + description: >- + Frequency of rule execution, using a date math range. For example, "1h" + means the rule runs every hour. Defaults to 5m (5 minutes). + type: string + Security_Solution_Detections_API_RuleIntervalFrom: + description: >- + Time from which data is analyzed each time the rule runs, using a date + math range. For example, now-4200s means the rule analyzes data from 70 + minutes before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). + format: date-math + type: string + Security_Solution_Detections_API_RuleIntervalTo: + type: string + Security_Solution_Detections_API_RuleLicense: + description: The rule's license. + type: string + Security_Solution_Detections_API_RuleMetadata: + additionalProperties: true + type: object + Security_Solution_Detections_API_RuleName: + minLength: 1 + type: string + Security_Solution_Detections_API_RuleNameOverride: + description: Sets the source field for the alert's signal.rule.name value + type: string + Security_Solution_Detections_API_RuleObjectId: + $ref: '#/components/schemas/Security_Solution_Detections_API_UUID' + Security_Solution_Detections_API_RulePatchProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRulePatchProps + Security_Solution_Detections_API_RulePreviewLoggedRequest: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + duration: + type: integer + request: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + required: + - request + Security_Solution_Detections_API_RulePreviewLogs: + type: object + properties: + duration: + description: Execution duration in milliseconds + type: integer + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + requests: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewLoggedRequest + type: array + startedAt: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + warnings: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + required: + - errors + - warnings + - duration + Security_Solution_Detections_API_RulePreviewParams: + type: object + properties: + invocationCount: + type: integer + timeframeEnd: + format: date-time + type: string + required: + - invocationCount + - timeframeEnd + Security_Solution_Detections_API_RuleQuery: + type: string + Security_Solution_Detections_API_RuleReferenceArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleResponse: + anyOf: + - $ref: '#/components/schemas/Security_Solution_Detections_API_EqlRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_QueryRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdRule' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRule + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRule + - $ref: '#/components/schemas/Security_Solution_Detections_API_NewTermsRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_EsqlRule' + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleSignatureId: + description: Could be any string, not necessarily a UUID + type: string + Security_Solution_Detections_API_RuleSource: + description: >- + Discriminated union that determines whether the rule is internally + sourced (created within the Kibana app) or has an external source, such + as the Elastic Prebuilt rules repo. + discriminator: + propertyName: type + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ExternalRuleSource + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_InternalRuleSource + Security_Solution_Detections_API_RuleTagArray: + description: >- + String array containing words and phrases to help categorize, filter, + and search rules. Defaults to an empty array. + items: + type: string + type: array + Security_Solution_Detections_API_RuleUpdateProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleUpdateProps + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleVersion: + description: The rule's version number. + minimum: 1 + type: integer + Security_Solution_Detections_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Solution_Detections_API_SavedObjectResolveAliasTargetId: + type: string + Security_Solution_Detections_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Solution_Detections_API_SavedQueryId: + type: string + Security_Solution_Detections_API_SavedQueryRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleResponseFields + Security_Solution_Detections_API_SavedQueryRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleDefaultableFields + Security_Solution_Detections_API_SavedQueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateFields + Security_Solution_Detections_API_SavedQueryRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_SavedQueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + Security_Solution_Detections_API_SavedQueryRulePatchFields: + allOf: + - type: object + properties: + saved_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryId + type: + description: Rule type + enum: + - saved_query + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleDefaultableFields + Security_Solution_Detections_API_SavedQueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRulePatchFields + Security_Solution_Detections_API_SavedQueryRuleRequiredFields: + type: object + properties: + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + type: + description: Rule type + enum: + - saved_query + type: string + required: + - type + - saved_id + Security_Solution_Detections_API_SavedQueryRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_SavedQueryRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateFields + Security_Solution_Detections_API_SetAlertsStatusByIds: + type: object + properties: + signal_ids: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + minItems: 1 + type: array + status: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertStatus' + required: + - signal_ids + - status + Security_Solution_Detections_API_SetAlertsStatusByQuery: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed + type: string + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertStatus' + required: + - query + - status + Security_Solution_Detections_API_SetAlertTags: + type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTags' + tags_to_remove: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Solution_Detections_API_SetupGuide: + type: string + Security_Solution_Detections_API_Severity: + description: Severity of the rule + enum: + - low + - medium + - high + - critical + type: string + Security_Solution_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Solution_Detections_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Solution_Detections_API_Threat: + type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatTechnique + type: array + required: + - framework + - tactic + Security_Solution_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threat' + type: array + Security_Solution_Detections_API_ThreatFilters: + items: + description: >- + Query and filter context array used to filter documents from the + Elasticsearch index containing the threat values + type: array + Security_Solution_Detections_API_ThreatIndex: + items: + type: string + type: array + Security_Solution_Detections_API_ThreatIndicatorPath: + description: >- + Defines the path to the threat indicator in the indicator documents + (optional) + type: string + Security_Solution_Detections_API_ThreatMapping: + items: + type: object + properties: + entries: + items: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: + enum: + - mapping + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + required: + - field + - type + - value + type: array + required: + - entries + minItems: 1 + type: array + Security_Solution_Detections_API_ThreatMatchRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleResponseFields + Security_Solution_Detections_API_ThreatMatchRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields + Security_Solution_Detections_API_ThreatMatchRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateFields + Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThreatMatchRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + concurrent_searches: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ConcurrentSearches + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + items_per_search: + $ref: '#/components/schemas/Security_Solution_Detections_API_ItemsPerSearch' + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + threat_filters: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatFilters' + threat_indicator_path: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatIndicatorPath + threat_language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThreatMatchRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threat_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatIndex + threat_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMapping + threat_query: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatQuery + type: + description: Rule type + enum: + - threat_match + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields + Security_Solution_Detections_API_ThreatMatchRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRulePatchFields + Security_Solution_Detections_API_ThreatMatchRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threat_index: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatIndex' + threat_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatQuery' + type: + description: Rule type + enum: + - threat_match + type: string + required: + - type + - query + - threat_query + - threat_mapping + - threat_index + Security_Solution_Detections_API_ThreatMatchRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_ThreatMatchRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateFields + Security_Solution_Detections_API_ThreatQuery: + description: Query to run + type: string + Security_Solution_Detections_API_ThreatSubtechnique: + type: object + properties: + id: + description: Subtechnique ID + type: string + name: + description: Subtechnique name + type: string + reference: + description: Subtechnique reference + type: string + required: + - id + - name + - reference + Security_Solution_Detections_API_ThreatTactic: + type: object + properties: + id: + description: Tactic ID + type: string + name: + description: Tactic name + type: string + reference: + description: Tactic reference + type: string + required: + - id + - name + - reference + Security_Solution_Detections_API_ThreatTechnique: + type: object + properties: + id: + description: Technique ID + type: string + name: + description: Technique name + type: string + reference: + description: Technique reference + type: string + subtechnique: + description: Array containing more specific information on the attack technique + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatSubtechnique + type: array + required: + - id + - name + - reference + Security_Solution_Detections_API_Threshold: + type: object + properties: + cardinality: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdCardinality + field: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdField' + value: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdValue' + required: + - field + - value + Security_Solution_Detections_API_ThresholdAlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionDuration + required: + - duration + Security_Solution_Detections_API_ThresholdCardinality: + items: + type: object + properties: + field: + type: string + value: + minimum: 0 + type: integer + required: + - field + - value + type: array + Security_Solution_Detections_API_ThresholdField: + description: Field to aggregate on + oneOf: + - type: string + - items: + type: string + type: array + Security_Solution_Detections_API_ThresholdRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleResponseFields + Security_Solution_Detections_API_ThresholdRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleDefaultableFields + Security_Solution_Detections_API_ThresholdRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateFields + Security_Solution_Detections_API_ThresholdRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThresholdRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdAlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + Security_Solution_Detections_API_ThresholdRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleDefaultableFields + Security_Solution_Detections_API_ThresholdRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRulePatchFields + Security_Solution_Detections_API_ThresholdRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold + type: string + required: + - type + - query + - threshold + Security_Solution_Detections_API_ThresholdRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_ThresholdRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateFields + Security_Solution_Detections_API_ThresholdValue: + description: Threshold value + minimum: 1 + type: integer + Security_Solution_Detections_API_ThrottleForBulkActions: + description: >- + The condition for throttling the notification: 'rule', 'no_actions', or + time duration + enum: + - rule + - 1h + - 1d + - 7d + type: string + Security_Solution_Detections_API_TiebreakerField: + description: Sets a secondary field for sorting events + type: string + Security_Solution_Detections_API_TimelineTemplateId: + description: Timeline template ID + type: string + Security_Solution_Detections_API_TimelineTemplateTitle: + description: Timeline template title + type: string + Security_Solution_Detections_API_TimestampField: + description: Contains the event timestamp used for sorting a sequence of events + type: string + Security_Solution_Detections_API_TimestampOverride: + description: Sets the time field used to query indices + type: string + Security_Solution_Detections_API_TimestampOverrideFallbackDisabled: + description: Disables the fallback to the event's @timestamp field + type: boolean + Security_Solution_Detections_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Solution_Detections_API_WarningSchema: + type: object + properties: + actionPath: + type: string + buttonLabel: + type: string + message: + type: string + type: + type: string + required: + - type + - message + - actionPath + Security_Solution_Endpoint_Exceptions_API_EndpointList: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionList + - additionalProperties: false + type: object + Security_Solution_Endpoint_Exceptions_API_EndpointListItem: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItem + Security_Solution_Endpoint_Exceptions_API_ExceptionList: + type: object + properties: + _version: + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListId + immutable: + type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListType + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListVersion + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListDescription: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + description: Human readable string identifier, e.g. `trusted-linux-processes` + Security_Solution_Endpoint_Exceptions_API_ExceptionListId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + created_at: + format: date-time + type: string + created_by: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + updated_at: + format: date-time + type: string + updated_by: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - id + - comment + - created_at + - created_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemComment + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntry + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + list: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ListId + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ListType + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Solution_Endpoint_Exceptions_API_ExceptionListName: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + enum: + - agnostic + - single + type: string + Security_Solution_Endpoint_Exceptions_API_FindEndpointListItemsFilter: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ListId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Endpoint_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Endpoint_Management_API_ActionLogRequestQuery: + type: object + properties: + end_date: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndDate + page: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Page' + page_size: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PageSize + start_date: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_StartDate + Security_Solution_Endpoint_Management_API_ActionStateSuccessResponse: + type: object + properties: + body: + type: object + properties: + data: + type: object + properties: + canEncrypt: + type: boolean + required: + - data + required: + - body + Security_Solution_Endpoint_Management_API_ActionStatusSuccessResponse: + type: object + properties: + body: + type: object + properties: + data: + type: object + properties: + agent_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId + pending_actions: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionsSchema + required: + - agent_id + - pending_actions + required: + - data + required: + - body + Security_Solution_Endpoint_Management_API_AgentId: + description: Agent ID + type: string + Security_Solution_Endpoint_Management_API_AgentIds: + minLength: 1 + oneOf: + - items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_AgentTypes: + enum: + - endpoint + - sentinel_one + - crowdstrike + type: string + Security_Solution_Endpoint_Management_API_AlertIds: + description: A list of alerts ids. + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NonEmptyString + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_CaseIds: + description: Case IDs to be updated (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_Command: + description: The command to be executed (cannot be an empty string) + enum: + - isolate + - unisolate + - kill-process + - suspend-process + - running-processes + - get-file + - execute + - upload + - scan + minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_Commands: + items: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Command' + type: array + Security_Solution_Endpoint_Management_API_Comment: + description: Optional comment + type: string + Security_Solution_Endpoint_Management_API_EndDate: + description: End date + type: string + Security_Solution_Endpoint_Management_API_EndpointIds: + description: List of endpoint IDs (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_EntityId: + type: object + properties: + entity_id: + minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_ExecuteRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + command: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Command + timeout: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Timeout + required: + - command + required: + - parameters + Security_Solution_Endpoint_Management_API_GetEndpointActionListRouteQuery: + type: object + properties: + agentIds: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentIds + agentTypes: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + commands: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Commands + endDate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndDate + page: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Page' + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + startDate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_StartDate + types: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Types' + userIds: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UserIds + withOutputs: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_WithOutputs + Security_Solution_Endpoint_Management_API_GetFileRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Solution_Endpoint_Management_API_GetProcessesRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_IsolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_KillProcessRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Pid + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EntityId + - type: object + properties: + process_name: + description: Valid for SentinelOne agent type only + minLength: 1 + type: string + required: + - parameters + Security_Solution_Endpoint_Management_API_ListRequestQuery: + type: object + properties: + hostStatuses: + items: + enum: + - healthy + - offline + - updating + - inactive + - unenrolled + type: string + type: array + kuery: + nullable: true + type: string + page: + default: 0 + description: Page number + minimum: 0 + type: integer + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + sortDirection: + enum: + - asc + - desc + nullable: true + type: string + sortField: + enum: + - enrolled_at + - metadata.host.hostname + - host_status + - metadata.Endpoint.policy.applied.name + - metadata.Endpoint.policy.applied.status + - metadata.host.os.name + - metadata.host.ip + - metadata.agent.version + - last_checkin + type: string + required: + - hostStatuses + Security_Solution_Endpoint_Management_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Endpoint_Management_API_NoParametersRequestSchema: + type: object + properties: + body: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: + - body + Security_Solution_Endpoint_Management_API_Page: + default: 1 + description: Page number + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_PageSize: + default: 10 + description: Number of items per page + maximum: 100 + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_Parameters: + description: Optional parameters object + type: object + Security_Solution_Endpoint_Management_API_PendingActionDataType: + type: integer + Security_Solution_Endpoint_Management_API_PendingActionsSchema: + oneOf: + - type: object + properties: + execute: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + get-file: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + isolate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + kill-process: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + running-processes: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + scan: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + suspend-process: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + unisolate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + upload: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + - additionalProperties: true + type: object + Security_Solution_Endpoint_Management_API_Pid: + type: object + properties: + pid: + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse: + type: object + properties: + note: + type: string + Security_Solution_Endpoint_Management_API_ScanRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Solution_Endpoint_Management_API_StartDate: + description: Start date + type: string + Security_Solution_Endpoint_Management_API_SuccessResponse: + type: object + properties: {} + Security_Solution_Endpoint_Management_API_SuspendProcessRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Pid + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EntityId + required: + - parameters + Security_Solution_Endpoint_Management_API_Timeout: + description: The maximum timeout value in milliseconds (optional) + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_Type: + description: Type of response action + enum: + - automated + - manual + type: string + Security_Solution_Endpoint_Management_API_Types: + description: List of types of response actions + items: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Type' + maxLength: 2 + minLength: 1 + type: array + Security_Solution_Endpoint_Management_API_UnisolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_UploadRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + file: + format: binary + type: string + parameters: + type: object + properties: + overwrite: + default: false + type: boolean + required: + - parameters + - file + Security_Solution_Endpoint_Management_API_UserIds: + description: User IDs + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_WithOutputs: + description: Shows detailed outputs for an action response + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: + type: object + properties: + index: + type: integer + message: + type: string + required: + - message + - index + Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadStats: + type: object + properties: + failed: + type: integer + successful: + type: integer + total: + type: integer + required: + - successful + - failed + - total + Security_Solution_Entity_Analytics_API_AssetCriticalityLevel: + description: The criticality level of the asset. + enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + Security_Solution_Entity_Analytics_API_AssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + '@timestamp': + description: The time the record was created or updated. + example: '2017-07-21T17:32:28Z' + format: date-time + type: string + required: + - '@timestamp' + Security_Solution_Entity_Analytics_API_AssetCriticalityRecordIdParts: + type: object + properties: + id_field: + $ref: '#/components/schemas/Security_Solution_Entity_Analytics_API_IdField' + description: The field representing the ID. + example: host.name + id_value: + description: The ID value of the asset. + type: string + required: + - id_value + - id_field + Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecordIdParts + - type: object + properties: + criticality_level: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality_level + Security_Solution_Entity_Analytics_API_EngineDescriptor: + type: object + properties: + filter: + type: string + indexPattern: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IndexPattern + status: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EngineStatus + type: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + Security_Solution_Entity_Analytics_API_EngineStatus: + enum: + - installing + - started + - stopped + type: string + Security_Solution_Entity_Analytics_API_Entity: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_UserEntity + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_HostEntity + Security_Solution_Entity_Analytics_API_EntityType: + enum: + - user + - host + type: string + Security_Solution_Entity_Analytics_API_HostEntity: + type: object + properties: + entity: + type: object + properties: + definitionId: + type: string + definitionVersion: + type: string + displayName: + type: string + firstSeenTimestamp: + format: date-time + type: string + id: + type: string + identityFields: + items: + type: string + type: array + lastSeenTimestamp: + format: date-time + type: string + schemaVersion: + type: string + type: + enum: + - node + type: string + required: + - lastSeenTimestamp + - schemaVersion + - definitionVersion + - displayName + - identityFields + - id + - type + - firstSeenTimestamp + - definitionId + host: + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + type: + items: + type: string + type: array + required: + - name + Security_Solution_Entity_Analytics_API_IdField: + enum: + - host.name + - user.name + type: string + Security_Solution_Entity_Analytics_API_IndexPattern: + type: string + Security_Solution_Entity_Analytics_API_InspectQuery: + type: object + properties: + dsl: + items: + type: string + type: array + response: + items: + type: string + type: array + required: + - dsl + - response + Security_Solution_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: + type: object + properties: + full_error: + type: string + message: + type: string + required: + - message + - full_error + Security_Solution_Entity_Analytics_API_RiskEngineScheduleNowResponse: + type: object + properties: + success: + type: boolean + Security_Solution_Entity_Analytics_API_TaskManagerUnavailableResponse: + description: Task manager is unavailable + type: object + properties: + message: + type: string + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + Security_Solution_Entity_Analytics_API_UserEntity: + type: object + properties: + entity: + type: object + properties: + definitionId: + type: string + definitionVersion: + type: string + displayName: + type: string + firstSeenTimestamp: + format: date-time + type: string + id: + type: string + identityFields: + items: + type: string + type: array + lastSeenTimestamp: + format: date-time + type: string + schemaVersion: + type: string + type: + enum: + - node + type: string + required: + - lastSeenTimestamp + - schemaVersion + - definitionVersion + - displayName + - identityFields + - id + - type + - firstSeenTimestamp + - definitionId + user: + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + roles: + items: + type: string + type: array + required: + - name + Security_Solution_Exceptions_API_CreateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_CreateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateExceptionListItemComment + type: array + Security_Solution_Exceptions_API_CreateRuleExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_CreateRuleExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemComment + type: array + Security_Solution_Exceptions_API_CreateRuleExceptionListItemProps: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + Security_Solution_Exceptions_API_ExceptionList: + type: object + properties: + _version: + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + immutable: + type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Exceptions_API_ExceptionListDescription: + type: string + Security_Solution_Exceptions_API_ExceptionListHumanId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + description: Human readable string identifier, e.g. `trusted-linux-processes` + Security_Solution_Exceptions_API_ExceptionListId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + created_at: + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + updated_at: + format: date-time + type: string + updated_by: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Solution_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemComment + type: array + Security_Solution_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Solution_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Solution_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntry + type: array + Security_Solution_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + list: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_ListType' + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_NonEmptyString + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Solution_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryExists + Security_Solution_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Solution_Exceptions_API_ExceptionListItemHumanId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Solution_Exceptions_API_ExceptionListItemName: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Exceptions_API_ExceptionListItemTags: + items: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + type: array + Security_Solution_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Solution_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Solution_Exceptions_API_ExceptionListName: + type: string + Security_Solution_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Solution_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Exceptions_API_ExceptionListsImportBulkError: + type: object + properties: + error: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + required: + - error + Security_Solution_Exceptions_API_ExceptionListsImportBulkErrorArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListsImportBulkError + type: array + Security_Solution_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Solution_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Solution_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + enum: + - agnostic + - single + type: string + Security_Solution_Exceptions_API_FindExceptionListItemsFilter: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_FindExceptionListsFilter: + type: string + Security_Solution_Exceptions_API_ListId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_UUID' + Security_Solution_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Exceptions_API_UpdateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_UpdateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_UpdateExceptionListItemComment + type: array + Security_Solution_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Solution_Lists_API_FindListItemsCursor: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_FindListItemsFilter: + type: string + Security_Solution_Lists_API_FindListsCursor: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_FindListsFilter: + type: string + Security_Solution_Lists_API_List: + type: object + properties: + _version: + type: string + '@timestamp': + format: date-time + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListDescription' + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + immutable: + type: boolean + meta: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + serializer: + type: string + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + minimum: 1 + type: integer + required: + - id + - type + - name + - description + - immutable + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Lists_API_ListDescription: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListId: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListItem: + type: object + properties: + _version: + type: string + '@timestamp': + format: date-time + type: string + created_at: + format: date-time + type: string + created_by: + type: string + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemMetadata' + serializer: + type: string + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + updated_at: + format: date-time + type: string + updated_by: + type: string + value: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Lists_API_ListItemId: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListItemMetadata: + additionalProperties: true + type: object + Security_Solution_Lists_API_ListItemPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Solution_Lists_API_ListItemValue: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListMetadata: + additionalProperties: true + type: object + Security_Solution_Lists_API_ListName: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Solution_Lists_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Lists_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Lists_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Lists_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Osquery_API_ArrayQueries: + items: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ArrayQueriesItem' + type: array + Security_Solution_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PlatformOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_CreateLiveQueryRequestBody: + type: object + properties: + agent_all: + type: boolean + agent_ids: + items: + type: string + type: array + agent_platforms: + items: + type: string + type: array + agent_policy_ids: + items: + type: string + type: array + alert_ids: + items: + type: string + type: array + case_ids: + items: + type: string + type: array + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + event_ids: + items: + type: string + type: array + metadata: + nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackIdOrUndefined' + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + saved_query_id: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SavedQueryIdOrUndefined + Security_Solution_Osquery_API_CreatePacksRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + enabled: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_EnabledOrUndefined + name: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackName' + policy_ids: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PolicyIdsOrUndefined + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Shards' + Security_Solution_Osquery_API_CreateSavedQueryRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Interval' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_DefaultSuccessResponse: + type: object + properties: {} + Security_Solution_Osquery_API_Description: + type: string + Security_Solution_Osquery_API_DescriptionOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Description' + nullable: true + Security_Solution_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ECSMappingItem' + type: object + Security_Solution_Osquery_API_ECSMappingItem: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + Security_Solution_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ECSMapping' + nullable: true + Security_Solution_Osquery_API_Enabled: + type: boolean + Security_Solution_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Enabled' + nullable: true + Security_Solution_Osquery_API_FindLiveQueryRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Solution_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_FindPacksRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_FindSavedQueryRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_GetLiveQueryResultsRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Solution_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_Id: + type: string + Security_Solution_Osquery_API_Interval: + type: string + Security_Solution_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Interval' + nullable: true + Security_Solution_Osquery_API_KueryOrUndefined: + nullable: true + type: string + Security_Solution_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueriesItem' + type: object + Security_Solution_Osquery_API_ObjectQueriesItem: + type: object + properties: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PlatformOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + saved_query_id: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SavedQueryIdOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_PackId: + type: string + Security_Solution_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + nullable: true + Security_Solution_Osquery_API_PackName: + type: string + Security_Solution_Osquery_API_PageOrUndefined: + nullable: true + type: integer + Security_Solution_Osquery_API_PageSizeOrUndefined: + nullable: true + type: integer + Security_Solution_Osquery_API_Platform: + type: string + Security_Solution_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Platform' + nullable: true + Security_Solution_Osquery_API_PolicyIds: + items: + type: string + type: array + Security_Solution_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PolicyIds' + nullable: true + Security_Solution_Osquery_API_Query: + type: string + Security_Solution_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + nullable: true + Security_Solution_Osquery_API_Removed: + type: boolean + Security_Solution_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Removed' + nullable: true + Security_Solution_Osquery_API_SavedQueryId: + type: string + Security_Solution_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + nullable: true + Security_Solution_Osquery_API_Shards: + additionalProperties: + type: number + type: object + Security_Solution_Osquery_API_Snapshot: + type: boolean + Security_Solution_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Snapshot' + nullable: true + Security_Solution_Osquery_API_SortOrderOrUndefined: + oneOf: + - nullable: true + type: string + - enum: + - asc + - desc + Security_Solution_Osquery_API_SortOrUndefined: + nullable: true + type: string + Security_Solution_Osquery_API_UpdatePacksRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + enabled: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_EnabledOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + policy_ids: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PolicyIdsOrUndefined + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Shards' + Security_Solution_Osquery_API_UpdateSavedQueryRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + interval: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_IntervalOrUndefined + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_Version: + type: string + Security_Solution_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Version' + nullable: true + Security_Solution_Timeline_API_BareNote: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + eventId: + nullable: true + type: string + note: + nullable: true + type: string + timelineId: + nullable: true + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + required: + - timelineId + Security_Solution_Timeline_API_ColumnHeaderResult: + type: object + properties: + aggregatable: + type: boolean + category: + type: string + columnHeaderType: + type: string + description: + type: string + example: + oneOf: + - type: string + - type: number + id: + type: string + indexes: + items: + type: string + type: array + name: + type: string + placeholder: + type: string + searchable: + type: boolean + type: + type: string + Security_Solution_Timeline_API_DataProviderQueryMatch: + type: object + properties: + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Solution_Timeline_API_QueryMatchResult' + Security_Solution_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_DataProviderQueryMatch + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Solution_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Solution_Timeline_API_DataProviderType' + nullable: true + Security_Solution_Timeline_API_DataProviderType: + description: >- + The type of data provider to create. Valid values are `default` and + `template`. + enum: + - default + - template + type: string + Security_Solution_Timeline_API_DocumentIds: + oneOf: + - items: + type: string + type: array + - type: string + Security_Solution_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + code: + nullable: true + type: number + favorite: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResult + type: array + message: + nullable: true + type: string + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + version: + type: string + required: + - savedObjectId + - version + Security_Solution_Timeline_API_FavoriteTimelineResult: + type: object + properties: + favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Solution_Timeline_API_FilterTimelineResult: + type: object + properties: + exists: + type: boolean + match_all: + type: string + meta: + type: object + properties: + alias: + type: string + controlledBy: + type: string + disabled: + type: boolean + field: + type: string + formattedValue: + type: string + index: + type: string + key: + type: string + negate: + type: boolean + params: + type: string + type: + type: string + value: + type: string + missing: + type: string + query: + type: string + range: + type: string + script: + type: string + Security_Solution_Timeline_API_ImportTimelineResult: + type: object + properties: + errors: + items: + type: object + properties: + error: + type: object + properties: + message: + type: string + status_code: + type: number + id: + type: string + type: array + success: + type: boolean + success_count: + type: number + timelines_installed: + type: number + timelines_updated: + type: number + Security_Solution_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + nullable: true + type: array + globalNotes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true + type: string + version: + nullable: true + type: string + Security_Solution_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + - type: object + properties: + noteId: + type: string + version: + type: string + Security_Solution_Timeline_API_PinnedEvent: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + eventId: + type: string + pinnedEventId: + type: string + timelineId: + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + version: + type: string + required: + - eventId + - pinnedEventId + - timelineId + - version + Security_Solution_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + operator: + nullable: true + type: string + value: + nullable: true + type: string + Security_Solution_Timeline_API_Readable: + type: object + properties: + _data: + additionalProperties: true + type: object + _encoding: + type: string + _events: + additionalProperties: true + type: object + _eventsCount: + type: number + _maxListeners: + additionalProperties: true + type: object + _position: + type: number + _read: + additionalProperties: true + type: object + _readableState: + additionalProperties: true + type: object + readable: + type: boolean + Security_Solution_Timeline_API_RowRendererId: + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Solution_Timeline_API_SavedTimeline: + type: object + properties: + columns: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ColumnHeaderResult + nullable: true + type: array + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + dataProviders: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_DataProviderResult + nullable: true + type: array + dataViewId: + nullable: true + type: string + dateRange: + nullable: true + type: object + properties: + end: + oneOf: + - type: string + - type: number + start: + oneOf: + - type: string + - type: number + description: + nullable: true + type: string + eqlOptions: + nullable: true + type: object + properties: + eventCategoryField: + nullable: true + type: string + query: + nullable: true + type: string + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true + type: string + timestampField: + nullable: true + type: string + eventType: + nullable: true + type: string + excludedRowRendererIds: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResult + nullable: true + type: array + filters: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FilterTimelineResult + nullable: true + type: array + indexNames: + items: + type: string + nullable: true + type: array + kqlMode: + nullable: true + type: string + kqlQuery: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SerializedFilterQueryResult + nullable: true + savedQueryId: + nullable: true + type: string + savedSearchId: + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Sort' + nullable: true + status: + enum: + - active + - draft + - immutable + nullable: true + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + nullable: true + title: + nullable: true + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + Security_Solution_Timeline_API_SerializedFilterQueryResult: + type: object + properties: + filterQuery: + nullable: true + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Solution_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_SortObject' + type: array + Security_Solution_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. + enum: + - title + - description + - updated + - created + type: string + Security_Solution_Timeline_API_SortObject: + type: object + properties: + columnId: + nullable: true + type: string + columnType: + nullable: true + type: string + sortDirection: + nullable: true + type: string + Security_Solution_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Note' + type: array + noteIds: + items: + type: string + type: array + notes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Note' + type: array + pinnedEventIds: + items: + type: string + type: array + pinnedEventsSaveObject: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_PinnedEvent + type: array + savedObjectId: + type: string + version: + type: string + required: + - savedObjectId + - version + Security_Solution_Timeline_API_TimelineStatus: + description: >- + The status of the timeline. Valid values are `active`, `draft`, and + `immutable`. + enum: + - active + - draft + - immutable + type: string + Security_Solution_Timeline_API_TimelineType: + description: >- + The type of timeline to create. Valid values are `default` and + `template`. + enum: + - default + - template + type: string + Serverless_saved_objects_400_response: + title: Bad request + type: object + properties: + error: + enum: + - Bad Request + type: string + message: + type: string + statusCode: + enum: + - 400 + type: integer + required: + - error + - message + - statusCode + SLOs_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Invalid value ''foo'' supplied to: [...]' + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 401 + type: number + required: + - statusCode + - error + - message + SLOs_403_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 403 + type: number + required: + - statusCode + - error + - message + SLOs_404_response: + title: Not found + type: object + properties: + error: + example: Not Found + type: string + message: + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + type: string + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict + type: string + message: + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + type: string + statusCode: + example: 409 + type: number + required: + - statusCode + - error + - message + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_create_slo_request: + description: > + The create SLO API request body varies depending on the type of + indicator, time window and budgeting method. + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: >- + A optional and unique identifier for the SLO. Must be between 8 and + 36 chars + example: my-super-slo-id + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + required: + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request + type: object + SLOs_create_slo_response: + title: Create SLO response + type: object + properties: + id: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - id + SLOs_delete_slo_instances_request: + description: > + The delete SLO instances request takes a list of SLO id and instance id, + then delete the rollup and summary data. This API can be used to remove + the staled data of an instance SLO that no longer get updated. + properties: + list: + description: An array of slo id and instance id + items: + type: object + properties: + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - sloId + - instanceId + type: array + required: + - list + title: Delete SLO instances request + type: object + SLOs_error_budget: + title: Error budget + type: object + properties: + consumed: + description: The error budget consummed, as a percentage of the initial value. + example: 0.8 + type: number + initial: + description: The initial error budget, as 1 - objective + example: 0.02 + type: number + isEstimated: + description: >- + Only for SLO defined with occurrences budgeting method and calendar + aligned time window. + example: true + type: boolean + remaining: + description: The error budget remaining, as a percentage of the initial value. + example: 0.2 + type: number + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter + type: object + SLOs_filter_meta: + description: Defines properties for a filter + properties: + alias: + nullable: true + type: string + controlledBy: + type: string + disabled: + type: boolean + field: + type: string + group: + type: string + index: + type: string + isMultiIndex: + type: boolean + key: + type: string + negate: + type: boolean + params: + type: object + type: + type: string + value: + type: string + title: FilterMeta + type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. + properties: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + total: + example: 34 + type: number + title: Find SLO response + type: object + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. + example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom + type: string + required: + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option + is "sum" + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option + is "sum" + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.metric.custom + type: string + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. + example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. + example: 'processor.outcome : *' + type: string + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. + example: 100 + type: number + required: + - aggregation + - field + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.histogram.custom + type: string + required: + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + index: + description: The index or index pattern to use + example: my-service-* + type: string + metric: + description: > + An object defining the metrics, equation, and threshold to + determine if it's a good slice or not + type: object + properties: + comparator: + description: >- + The comparator to use to compare the equation to the + threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT + type: string + equation: + description: The equation to calculate the metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + anyOf: + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_percentile_metric + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_doc_count_metric + type: array + threshold: + description: >- + The threshold used to determine if the metric is a good + slice or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice + type: string + required: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for good events + SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective + type: object + properties: + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 + type: number + timesliceTarget: + description: >- + the target objective for each slice when using a timeslices + budgeting method + example: 0.995 + maximum: 100 + minimum: 0 + type: number + timesliceWindow: + description: >- + the duration of each slice when using a timeslices budgeting method, + as {duraton}{unit} + example: 5m + type: string + required: + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. + properties: + frequency: + default: 1m + description: Configure how often the transform runs, default 1m + example: 5m + type: string + preventInitialBackfill: + default: false + description: Prevents the transform from backfilling data when it starts. + example: true + type: boolean + syncDelay: + default: 1m + description: The synch delay to apply to the transform. Default 1m + example: 5m + type: string + title: Settings + type: object + SLOs_slo_definition_response: + title: SLO definition response + type: object + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' + type: string + description: + description: The description of the SLO. + example: My SLO description + type: string + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. + example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response + type: object + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' + type: string + description: + description: The description of the SLO. + example: My SLO description + type: string + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: the value derived from the groupBy field, if present, otherwise '*' + example: host-abcde + type: string + name: + description: The name of the SLO. + example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data + properties: + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' + required: + - status + - sliValue + - errorBudget + title: Summary + type: object + SLOs_summary_status: + enum: + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status + type: string + SLOs_time_window: + description: Defines properties for the SLO time window + type: object + properties: + duration: + description: >- + the duration formatted as {duration}{unit}. Accepted values for + rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w + (weekly) or 1M (monthly) + example: 30d + type: string + type: + description: >- + Indicates weither the time window is a rolling or a calendar aligned + time window. + enum: + - rolling + - calendarAligned + example: rolling + type: string + required: + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: + type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: + type: object + properties: + aggregation: + description: The aggregation type of the metric. Only valid option is "doc_count" + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option is + "percentile" + enum: + - percentile + example: percentile + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + percentile: + description: The percentile value. + example: 95 + type: number + required: + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: > + The update SLO API request body varies depending on the type of + indicator, time window and budgeting method. Partial update is handled. + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + title: Update SLO request + type: object + securitySchemes: + apiKeyAuth: + description: >- + You must create an API key and use the encoded value in the request + header. To learn about creating keys, go to [API + keys](https://www.elastic.co/docs/current/serverless/api-keys). + in: header + name: Authorization + type: apiKey +security: + - apiKeyAuth: [] +tags: + - name: alerting + - description: > + Configure APM agent keys to authorize requests from APM agents to the APM + Server. + name: APM agent keys + - description: > + Annotate visualizations in the APM app with significant events. + Annotations enable you to easily see how events are impacting the + performance of your applications. + name: APM annotations + - name: connectors + - name: Data streams + - description: >- + Data view APIs enable you to manage data views, formerly known as Kibana + index patterns. + name: data views + - name: Elastic Agent actions + - name: Elastic Agent binary download sources + - name: Elastic Agent policies + - name: Elastic Agent status + - name: Elastic Agents + - name: Elastic Package Manager (EPM) + - name: Fleet enrollment API keys + - name: Fleet internals + - name: Fleet Kubernetes + - name: Fleet outputs + - name: Fleet package policies + - name: Fleet proxies + - name: Fleet Server hosts + - name: Fleet service tokens + - name: Fleet uninstall tokens + - description: Machine learning + name: ml + - description: > + Export sets of saved objects that you want to import into {kib}, resolve + import errors, and rotate an encryption key for encrypted saved objects + with the saved objects APIs. + + + To manage a specific type of saved object, use the corresponding APIs. + + For example, use: + + + [Data views](../group/endpoint-data-views) + + + Warning: Do not write documents directly to the `.kibana` index. When you + write directly to the `.kibana` index, the data becomes corrupted and + permanently breaks future Kibana versions. + name: saved objects + x-displayName: Saved objects + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + - description: >- + You can create rules that automatically turn events and external alerts + sent to Elastic Security into detection alerts. These alerts are displayed + on the Detections page. + name: Security Solution Detections API + - description: >- + Endpoint Exceptions API allows you to manage detection rule endpoint + exceptions to prevent a rule from generating an alert from incoming events + even when the rule's other criteria are met. + name: Security Solution Endpoint Exceptions API + - description: Interact with and manage endpoints running the Elastic Defend integration. + name: Security Solution Endpoint Management API + - description: '' + name: Security Solution Entity Analytics API + - description: >- + Exceptions API allows you to manage detection rule exceptions to prevent a + rule from generating an alert from incoming events even when the rule's + other criteria are met. + name: Security Solution Exceptions API + - description: Lists API allows you to manage lists of keywords, IPs or IP ranges items. + name: Security Solution Lists API + - description: Run live queries, manage packs and saved queries. + name: Security Solution Osquery API + - description: >- + You can create Timelines and Timeline templates via the API, as well as + import new Timelines from an ndjson file. + name: Security Solution Timeline API + - description: SLO APIs enable you to define, manage and track service-level objectives + name: slo + - name: system diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index caaee59e30287..7a7079c9b99c7 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -61,27 +61,27 @@ info: version: 1.0.2 x-doc-license: name: Attribution-NonCommercial-NoDerivatives 4.0 International - url: 'https://creativecommons.org/licenses/by-nc-nd/4.0/' + url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback url: >- https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: - - url: 'http://{kibana_host}:{port}' + - url: http://{kibana_host}:{port} variables: kibana_host: default: localhost port: default: '5601' - - url: 'http://localhost:5622' - - url: 'https://{kibana_url}' + - url: http://localhost:5622 + - url: https://{kibana_url} variables: kibana_url: - default: 'localhost:5601' + default: localhost:5601 - url: / - - url: 'http://KIBANA_HOST:5601' + - url: http://KIBANA_HOST:5601 - description: local - url: 'http://localhost:5601' + url: http://localhost:5601 paths: /api/actions: get: @@ -146,11 +146,53 @@ paths: - actionTypeId responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Create a connector tags: - connectors - '/api/actions/action/{id}': + /api/actions/action/{id}: delete: deprecated: true description: 'WARNING: When you delete a connector, it cannot be recovered.' @@ -203,6 +245,48 @@ paths: type: string responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Get connector information tags: @@ -253,11 +337,53 @@ paths: - name responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Update a connector tags: - connectors - '/api/actions/action/{id}/_execute': + /api/actions/action/{id}/_execute: post: deprecated: true operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D%2F_execute#0' @@ -297,6 +423,48 @@ paths: - params responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Run a connector tags: @@ -326,7 +494,7 @@ paths: summary: Get connector types tags: - connectors - '/api/actions/connector/{id}': + /api/actions/connector/{id}: delete: description: 'WARNING: When you delete a connector, it cannot be recovered.' operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#0' @@ -377,6 +545,48 @@ paths: type: string responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Get connector information tags: @@ -399,7 +609,8 @@ paths: schema: example: 'true' type: string - - in: path + - description: An identifier for the connector. + in: path name: id required: false schema: @@ -430,6 +641,48 @@ paths: - connector_type_id responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Create a connector tags: @@ -480,11 +733,53 @@ paths: - name responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Update a connector tags: - connectors - '/api/actions/connector/{id}/_execute': + /api/actions/connector/{id}/_execute: post: description: >- You can use this API to test an action that involves interaction with @@ -526,6 +821,48 @@ paths: - params responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Run a connector tags: @@ -563,7 +900,7 @@ paths: summary: Get connector types tags: - connectors - '/api/alerting/rule/{id}': + /api/alerting/rule/{id}: delete: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#2' parameters: @@ -591,6 +928,12 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. summary: Delete a rule tags: - alerting @@ -1345,7 +1688,7 @@ paths: description: Recur the rule until this date. type: string wkst: - description: 'Indicates the start of week, defaults to Monday.' + description: Indicates the start of week, defaults to Monday. enum: - MO - TU @@ -1417,6 +1760,12 @@ paths: - execution_status - revision description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. summary: Get rule details tags: - alerting @@ -2480,7 +2829,7 @@ paths: description: Recur the rule until this date. type: string wkst: - description: 'Indicates the start of week, defaults to Monday.' + description: Indicates the start of week, defaults to Monday. enum: - MO - TU @@ -2552,6 +2901,12 @@ paths: - execution_status - revision description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '409': + description: Indicates that the rule id is already in use. summary: Create a rule tags: - alerting @@ -3586,7 +3941,7 @@ paths: description: Recur the rule until this date. type: string wkst: - description: 'Indicates the start of week, defaults to Monday.' + description: Indicates the start of week, defaults to Monday. enum: - MO - TU @@ -3658,10 +4013,18 @@ paths: - execution_status - revision description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. summary: Update a rule tags: - alerting - '/api/alerting/rule/{id}/_disable': + /api/alerting/rule/{id}/_disable: post: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_disable#0' parameters: @@ -3701,10 +4064,16 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. summary: Disable a rule tags: - alerting - '/api/alerting/rule/{id}/_enable': + /api/alerting/rule/{id}/_enable: post: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_enable#0' parameters: @@ -3732,10 +4101,16 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. summary: Enable a rule tags: - alerting - '/api/alerting/rule/{id}/_mute_all': + /api/alerting/rule/{id}/_mute_all: post: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_mute_all#0' parameters: @@ -3766,7 +4141,7 @@ paths: summary: Mute all alerts tags: - alerting - '/api/alerting/rule/{id}/_unmute_all': + /api/alerting/rule/{id}/_unmute_all: post: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_unmute_all#0' parameters: @@ -3797,7 +4172,7 @@ paths: summary: Unmute all alerts tags: - alerting - '/api/alerting/rule/{id}/_update_api_key': + /api/alerting/rule/{id}/_update_api_key: post: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_update_api_key#0' parameters: @@ -3825,10 +4200,18 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. summary: Update the API key for a rule tags: - alerting - '/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute': + /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: post: operationId: >- %2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_mute#0 @@ -3863,10 +4246,16 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. summary: Mute an alert tags: - alerting - '/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute': + /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: post: operationId: >- %2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_unmute#0 @@ -3901,6 +4290,12 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. summary: Unmute an alert tags: - alerting @@ -4756,7 +5151,7 @@ paths: description: Recur the rule until this date. type: string wkst: - description: 'Indicates the start of week, defaults to Monday.' + description: Indicates the start of week, defaults to Monday. enum: - MO - TU @@ -4828,6 +5223,10 @@ paths: - execution_status - revision description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. summary: Get information about rules tags: - alerting @@ -4846,8 +5245,8 @@ paths: privileges: items: enum: - - 'event:write' - - 'config_agent:read' + - event:write + - config_agent:read type: string type: array required: true @@ -4873,7 +5272,7 @@ paths: summary: Create an APM agent key tags: - APM agent keys - '/api/apm/services/{serviceName}/annotation': + /api/apm/services/{serviceName}/annotation: post: description: Create a new annotation for a specific service. operationId: createAnnotation @@ -4948,7 +5347,7 @@ paths: summary: Create a service annotation tags: - APM annotations - '/api/apm/services/{serviceName}/annotation/search': + /api/apm/services/{serviceName}/annotation/search: get: description: Search for annotations related to a specific service. operationId: getAnnotation @@ -5073,7 +5472,7 @@ paths: summary: Create a data view tags: - data views - '/api/data_views/data_view/{viewId}': + /api/data_views/data_view/{viewId}: delete: description: | WARNING: When you delete a data view, it cannot be recovered. @@ -5146,7 +5545,7 @@ paths: summary: Update a data view tags: - data views - '/api/data_views/data_view/{viewId}/fields': + /api/data_views/data_view/{viewId}/fields: post: description: > Update fields presentation metadata such as count, customLabel, @@ -5189,7 +5588,7 @@ paths: summary: Update data view fields metadata tags: - data views - '/api/data_views/data_view/{viewId}/runtime_field': + /api/data_views/data_view/{viewId}/runtime_field: post: operationId: createRuntimeFieldDefault parameters: @@ -5281,7 +5680,7 @@ paths: summary: Create or update a runtime field tags: - data views - '/api/data_views/data_view/{viewId}/runtime_field/{fieldName}': + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: delete: operationId: deleteRuntimeFieldDefault parameters: @@ -5588,7 +5987,7 @@ paths: summary: Create agent binary download source tags: - Elastic Agent binary download sources - '/api/fleet/agent_download_sources/{sourceId}': + /api/fleet/agent_download_sources/{sourceId}: delete: operationId: delete-download-source parameters: @@ -5791,7 +6190,7 @@ paths: summary: Bulk get agent policies tags: - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}': + /api/fleet/agent_policies/{agentPolicyId}: get: description: Get one agent policy operationId: agent-policy-info @@ -5846,7 +6245,7 @@ paths: summary: Update agent policy by ID tags: - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}/copy': + /api/fleet/agent_policies/{agentPolicyId}/copy: parameters: - in: path name: agentPolicyId @@ -5888,7 +6287,7 @@ paths: summary: Copy agent policy by ID tags: - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}/download': + /api/fleet/agent_policies/{agentPolicyId}/download: get: operationId: agent-policy-download responses: @@ -5927,7 +6326,7 @@ paths: required: false schema: type: string - '/api/fleet/agent_policies/{agentPolicyId}/full': + /api/fleet/agent_policies/{agentPolicyId}/full: get: operationId: agent-policy-full responses: @@ -6210,7 +6609,7 @@ paths: summary: List agents by action ids tags: - Elastic Agents - '/api/fleet/agents/{agentId}': + /api/fleet/agents/{agentId}: delete: operationId: delete-agent parameters: @@ -6295,7 +6694,7 @@ paths: summary: Update agent by ID tags: - Elastic Agents - '/api/fleet/agents/{agentId}/actions': + /api/fleet/agents/{agentId}/actions: parameters: - in: path name: agentId @@ -6336,7 +6735,7 @@ paths: summary: Create agent action tags: - Elastic Agent actions - '/api/fleet/agents/{agentId}/reassign': + /api/fleet/agents/{agentId}/reassign: parameters: - in: path name: agentId @@ -6398,7 +6797,7 @@ paths: summary: Reassign agent tags: - Elastic Agents - '/api/fleet/agents/{agentId}/request_diagnostics': + /api/fleet/agents/{agentId}/request_diagnostics: parameters: - in: path name: agentId @@ -6437,7 +6836,7 @@ paths: summary: Request agent diagnostics tags: - Elastic Agents - '/api/fleet/agents/{agentId}/unenroll': + /api/fleet/agents/{agentId}/unenroll: parameters: - in: path name: agentId @@ -6483,7 +6882,7 @@ paths: summary: Unenroll agent tags: - Elastic Agents - '/api/fleet/agents/{agentId}/upgrade': + /api/fleet/agents/{agentId}/upgrade: parameters: - in: path name: agentId @@ -6512,7 +6911,7 @@ paths: summary: Upgrade agent tags: - Elastic Agents - '/api/fleet/agents/{agentId}/uploads': + /api/fleet/agents/{agentId}/uploads: get: operationId: list-agent-uploads responses: @@ -6656,7 +7055,7 @@ paths: summary: Get agent action status tags: - Elastic Agent actions - '/api/fleet/agents/actions/{actionId}/cancel': + /api/fleet/agents/actions/{actionId}/cancel: parameters: - in: path name: actionId @@ -6698,7 +7097,7 @@ paths: properties: agents: oneOf: - - description: 'KQL query string, leave empty to action all agents' + - description: KQL query string, leave empty to action all agents type: string - description: list of agent IDs items: @@ -6747,7 +7146,7 @@ paths: type: array agents: oneOf: - - description: 'KQL query string, leave empty to action all agents' + - description: KQL query string, leave empty to action all agents type: string - description: list of agent IDs items: @@ -6791,7 +7190,7 @@ paths: properties: agents: oneOf: - - description: 'KQL query string, leave empty to action all agents' + - description: KQL query string, leave empty to action all agents type: string - description: list of agent IDs items: @@ -6846,7 +7245,7 @@ paths: properties: agents: oneOf: - - description: 'KQL query string, leave empty to action all agents' + - description: KQL query string, leave empty to action all agents type: string - description: list of agent IDs items: @@ -6892,7 +7291,7 @@ paths: - agent1 - agent2 rollout_duration_seconds: 3600 - source_uri: 'https://artifacts.elastic.co/downloads/beats/elastic-agent' + source_uri: https://artifacts.elastic.co/downloads/beats/elastic-agent start_time: '2022-08-03T14:00:00.000Z' version: 8.4.0 schema: @@ -6913,7 +7312,7 @@ paths: summary: Bulk upgrade agents tags: - Elastic Agents - '/api/fleet/agents/files/{fileId}': + /api/fleet/agents/files/{fileId}: delete: operationId: delete-agent-upload-file responses: @@ -6942,7 +7341,7 @@ paths: required: true schema: type: string - '/api/fleet/agents/files/{fileId}/{fileName}': + /api/fleet/agents/files/{fileId}/{fileName}: get: operationId: get-agent-upload-file responses: @@ -7136,7 +7535,7 @@ paths: summary: Create enrollment API key tags: - Fleet enrollment API keys - '/api/fleet/enrollment_api_keys/{keyId}': + /api/fleet/enrollment_api_keys/{keyId}: delete: operationId: delete-enrollment-api-key parameters: @@ -7247,7 +7646,7 @@ paths: summary: Create enrollment API key tags: - Fleet enrollment API keys - '/api/fleet/enrollment-api-keys/{keyId}': + /api/fleet/enrollment-api-keys/{keyId}: delete: deprecated: true operationId: delete-enrollment-api-key-deprecated @@ -7532,7 +7931,7 @@ paths: summary: Bulk install packages tags: - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgkey}': + /api/fleet/epm/packages/{pkgkey}: delete: deprecated: true operationId: delete-package-deprecated @@ -7692,7 +8091,7 @@ paths: summary: Install package tags: - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}': + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: operationId: delete-package parameters: @@ -7924,7 +8323,7 @@ paths: summary: Update package settings tags: - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}': + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: operationId: packages-get-file responses: @@ -7962,7 +8361,7 @@ paths: required: true schema: type: string - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize': + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: post: description: '' operationId: reauthorize-transforms @@ -8028,7 +8427,7 @@ paths: summary: Authorize transforms tags: - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/stats': + /api/fleet/epm/packages/{pkgName}/stats: get: operationId: get-package-stats responses: @@ -8075,7 +8474,7 @@ paths: tags: - Elastic Package Manager (EPM) parameters: [] - '/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs': + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: operationId: get-inputs-template responses: @@ -8215,7 +8614,7 @@ paths: summary: Create Fleet Server host tags: - Fleet Server hosts - '/api/fleet/fleet_server_hosts/{itemId}': + /api/fleet/fleet_server_hosts/{itemId}: delete: operationId: delete-fleet-server-hosts parameters: @@ -8448,7 +8847,7 @@ paths: summary: Create output tags: - Fleet outputs - '/api/fleet/outputs/{outputId}': + /api/fleet/outputs/{outputId}: delete: operationId: delete-output parameters: @@ -8517,7 +8916,7 @@ paths: summary: Update output by ID tags: - Fleet outputs - '/api/fleet/outputs/{outputId}/health': + /api/fleet/outputs/{outputId}/health: get: operationId: get-output-health responses: @@ -8531,7 +8930,7 @@ paths: description: long message if unhealthy type: string state: - description: 'state of output, HEALTHY or DEGRADED' + description: state of output, HEALTHY or DEGRADED type: string timestamp: description: timestamp of reported state @@ -8653,7 +9052,7 @@ paths: summary: Bulk get package policies tags: - Fleet package policies - '/api/fleet/package_policies/{packagePolicyId}': + /api/fleet/package_policies/{packagePolicyId}: delete: operationId: delete-package-policy parameters: @@ -8925,7 +9324,7 @@ paths: summary: Create proxy tags: - Fleet proxies - '/api/fleet/proxies/{itemId}': + /api/fleet/proxies/{itemId}: delete: operationId: delete-fleet-proxies parameters: @@ -9184,7 +9583,7 @@ paths: summary: List metadata for latest uninstall tokens per agent policy tags: - Fleet uninstall tokens - '/api/fleet/uninstall_tokens/{uninstallTokenId}': + /api/fleet/uninstall_tokens/{uninstallTokenId}: get: operationId: get-uninstall-token parameters: @@ -9518,7 +9917,7 @@ paths: summary: Get Kibana's current status tags: - system - '/s/{spaceId}/api/observability/slos': + /s/{spaceId}/api/observability/slos: get: description: > You must have the `read` privileges for the **SLOs** feature in the @@ -9533,7 +9932,7 @@ paths: name: kqlQuery schema: type: string - - description: 'The page to use for pagination, must be greater or equal than 1' + - description: The page to use for pagination, must be greater or equal than 1 example: 1 in: query name: page @@ -9657,11 +10056,11 @@ paths: $ref: '#/components/schemas/SLOs_409_response' description: Conflict - The SLO id already exists servers: - - url: 'https://localhost:5601' + - url: https://localhost:5601 summary: Create an SLO tags: - slo - '/s/{spaceId}/api/observability/slos/_delete_instances': + /s/{spaceId}/api/observability/slos/_delete_instances: post: description: > The deletion occurs for the specified list of `sloId` and `instanceId`. @@ -9699,11 +10098,11 @@ paths: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response servers: - - url: 'https://localhost:5601' + - url: https://localhost:5601 summary: Batch delete rollup and summary data tags: - slo - '/s/{spaceId}/api/observability/slos/{sloId}': + /s/{spaceId}/api/observability/slos/{sloId}: delete: description: > You must have the `write` privileges for the **SLOs** feature in the @@ -9841,7 +10240,7 @@ paths: summary: Update an SLO tags: - slo - '/s/{spaceId}/api/observability/slos/{sloId}/_reset': + /s/{spaceId}/api/observability/slos/{sloId}/_reset: post: description: > You must have the `write` privileges for the **SLOs** feature in the @@ -9885,7 +10284,7 @@ paths: summary: Reset an SLO tags: - slo - '/s/{spaceId}/api/observability/slos/{sloId}/disable': + /s/{spaceId}/api/observability/slos/{sloId}/disable: post: description: > You must have the `write` privileges for the **SLOs** feature in the @@ -9925,7 +10324,7 @@ paths: summary: Disable an SLO tags: - slo - '/s/{spaceId}/api/observability/slos/{sloId}/enable': + /s/{spaceId}/api/observability/slos/{sloId}/enable: post: description: > You must have the `write` privileges for the **SLOs** feature in the @@ -9975,7 +10374,7 @@ components: runtimeFieldMap: runtime_shape_name: script: - source: 'emit(doc[''shape_name''].value)' + source: emit(doc['shape_name'].value) type: keyword title: logstash-* Data_views_create_runtime_field_request: @@ -9984,7 +10383,7 @@ components: name: runtimeFoo runtimeField: script: - source: 'emit(doc["foo"].value)' + source: emit(doc["foo"].value) type: long Data_views_get_data_view_response: summary: >- @@ -10006,35 +10405,35 @@ components: products.base_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 products.base_unit_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 products.min_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 products.price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 products.taxful_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 products.taxless_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 taxful_total_price: id: number params: - pattern: '$0,0.[00]' + pattern: $0,0.[00] taxless_total_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 fields: _id: aggregatable: false @@ -10510,7 +10909,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.base_price readFromDocValues: true @@ -10526,7 +10925,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.base_unit_price readFromDocValues: true @@ -10646,7 +11045,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.min_price readFromDocValues: true @@ -10662,7 +11061,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.price readFromDocValues: true @@ -10765,7 +11164,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.taxful_price readFromDocValues: true @@ -10781,7 +11180,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.taxless_price readFromDocValues: true @@ -10825,7 +11224,7 @@ components: format: id: number params: - pattern: '$0,0.[00]' + pattern: $0,0.[00] isMapped: true name: taxful_total_price readFromDocValues: true @@ -10841,7 +11240,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: taxless_total_price readFromDocValues: true @@ -10952,7 +11351,7 @@ components: AvgTicketPrice: id: number params: - pattern: '$0,0.[00]' + pattern: $0,0.[00] hour_of_day: id: number params: @@ -11020,7 +11419,7 @@ components: format: id: number params: - pattern: '$0,0.[00]' + pattern: $0,0.[00] isMapped: true name: AvgTicketPrice readFromDocValues: true @@ -11295,7 +11694,7 @@ components: readFromDocValues: false runtimeField: script: - source: 'emit(doc[''timestamp''].value.getHour());' + source: emit(doc['timestamp'].value.getHour()); type: long scripted: false searchable: true @@ -11420,7 +11819,7 @@ components: runtimeFieldMap: hour_of_day: script: - source: 'emit(doc[''timestamp''].value.getHour());' + source: emit(doc['timestamp'].value.getHour()); type: long sourceFilters: [] timeFieldName: timestamp @@ -11435,7 +11834,7 @@ components: readFromDocValues: false runtimeField: script: - source: 'emit(doc[''timestamp''].value.getHour());' + source: emit(doc['timestamp'].value.getHour()); type: long scripted: false searchable: true @@ -11483,7 +11882,7 @@ components: value: runtimeField: script: - source: 'emit(doc["bar"].value)' + source: emit(doc["bar"].value) Machine_learning_APIs_mlSyncExample: summary: Two anomaly detection jobs required synchronization in this example. value: @@ -11654,7 +12053,7 @@ components: - desc type: string Fleet_with_metrics: - description: 'Return agent metrics, false by default' + description: Return agent metrics, false by default in: query name: withMetrics required: false @@ -11928,7 +12327,7 @@ components: - fromId - toId Data_views_timefieldname: - description: 'The timestamp field name, which you use for time-based data views.' + description: The timestamp field name, which you use for time-based data views. type: string Data_views_title: description: >- @@ -11936,7 +12335,7 @@ components: to search. Supports wildcards (`*`). type: string Data_views_type: - description: 'When set to `rollup`, identifies the rollup data views.' + description: When set to `rollup`, identifies the rollup data views. type: string Data_views_typemeta: description: >- @@ -12463,14 +12862,14 @@ components: properties: agents: oneOf: - - description: 'KQL query string, leave empty to action all agents' + - description: KQL query string, leave empty to action all agents type: string - description: list of agent IDs items: type: string type: array force: - description: 'Force upgrade, skipping validation (should be used with caution)' + description: Force upgrade, skipping validation (should be used with caution) type: boolean rollout_duration_seconds: description: rolling upgrade window duration in seconds @@ -14025,14 +14424,14 @@ components: type: object properties: enabled: - description: 'enable or disable that input, (default to true)' + description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: type: object properties: enabled: - description: 'enable or disable that stream, (default to true)' + description: enable or disable that stream, (default to true) type: boolean vars: description: >- @@ -14241,7 +14640,7 @@ components: type: object properties: force: - description: 'Force upgrade, skipping validation (should be used with caution)' + description: Force upgrade, skipping validation (should be used with caution) type: boolean skipRateLimitCheck: description: Skip rate limit check for upgrade @@ -14647,7 +15046,7 @@ components: additionalProperties: $ref: >- #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: 'If saved objects are missing for trained models, they are created.' + description: If saved objects are missing for trained models, they are created. type: object title: Sync API response for created saved objects type: object @@ -14774,7 +15173,7 @@ components: example: Not Found type: string message: - example: 'SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found' + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found type: string statusCode: example: 404 @@ -14791,7 +15190,7 @@ components: example: Conflict type: string message: - example: 'SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists' + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists type: string statusCode: example: 409 @@ -14900,11 +15299,11 @@ components: type: object properties: consumed: - description: 'The error budget consummed, as a percentage of the initial value.' + description: The error budget consummed, as a percentage of the initial value. example: 0.8 type: number initial: - description: 'The initial error budget, as 1 - objective' + description: The initial error budget, as 1 - objective example: 0.02 type: number isEstimated: @@ -14914,7 +15313,7 @@ components: example: true type: boolean remaining: - description: 'The error budget remaining, as a percentage of the initial value.' + description: The error budget remaining, as a percentage of the initial value. example: 0.2 type: number required: @@ -14999,7 +15398,7 @@ components: type: string index: description: The index used by APM metrics - example: 'metrics-apm*,apm*' + example: metrics-apm*,apm* type: string service: description: The APM service name @@ -15046,7 +15445,7 @@ components: type: string index: description: The index used by APM metrics - example: 'metrics-apm*,apm*' + example: metrics-apm*,apm* type: string service: description: The APM service name @@ -15180,7 +15579,7 @@ components: name: description: The name of the metric. Only valid options are A-Z example: A - pattern: '^[A-Z]$' + pattern: ^[A-Z]$ type: string required: - name @@ -15234,7 +15633,7 @@ components: name: description: The name of the metric. Only valid options are A-Z example: A - pattern: '^[A-Z]$' + pattern: ^[A-Z]$ type: string required: - name @@ -15536,7 +15935,7 @@ components: properties: frequency: default: 1m - description: 'Configure how often the transform runs, default 1m' + description: Configure how often the transform runs, default 1m example: 5m type: string preventInitialBackfill: @@ -15681,7 +16080,7 @@ components: - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' instanceId: - description: 'the value derived from the groupBy field, if present, otherwise ''*''' + description: the value derived from the groupBy field, if present, otherwise '*' example: host-abcde type: string name: @@ -15806,7 +16205,7 @@ components: name: description: The name of the metric. Only valid options are A-Z example: A - pattern: '^[A-Z]$' + pattern: ^[A-Z]$ type: string required: - name @@ -15829,7 +16228,7 @@ components: name: description: The name of the metric. Only valid options are A-Z example: A - pattern: '^[A-Z]$' + pattern: ^[A-Z]$ type: string required: - name @@ -15857,7 +16256,7 @@ components: name: description: The name of the metric. Only valid options are A-Z example: A - pattern: '^[A-Z]$' + pattern: ^[A-Z]$ type: string percentile: description: The percentile value. @@ -15967,6 +16366,6 @@ tags: permanently breaks future Kibana versions. name: saved objects x-displayName: Saved objects - - description: 'SLO APIs enable you to define, manage and track service-level objectives' + - description: SLO APIs enable you to define, manage and track service-level objectives name: slo - name: system diff --git a/oas_docs/output/kibana.staging.yaml b/oas_docs/output/kibana.staging.yaml new file mode 100644 index 0000000000000..9651b3c9107ce --- /dev/null +++ b/oas_docs/output/kibana.staging.yaml @@ -0,0 +1,42182 @@ +openapi: 3.0.3 +info: + contact: + name: Kibana Team + description: > + The Kibana REST APIs enable you to manage resources such as connectors, data + views, and saved objects. + + The API calls are stateless. + + Each request that you make happens in isolation from other calls and must + include all of the necessary information for Kibana to fulfill the + + request. + + API requests return JSON output, which is a format that is machine-readable + and works well for automation. + + + To interact with Kibana APIs, use the following operations: + + + - GET: Fetches the information. + + - PATCH: Applies partial modifications to the existing information. + + - POST: Adds new information. + + - PUT: Updates the existing information. + + - DELETE: Removes the information. + + + You can prepend any Kibana API endpoint with `kbn:` and run the request in + **Dev Tools → Console**. + + For example: + + + ``` + + GET kbn:/api/data_views + + ``` + + + For more information about the console, refer to [Run API + requests](https://www.elastic.co/guide/en/kibana/current/console-kibana.html). + + + NOTE: Access to internal Kibana API endpoints will be restricted in Kibana + version 9.0. Please move any integrations to publicly documented APIs. + + + ## Documentation source and versions + + + This documentation is derived from the `main` branch of the + [kibana](https://github.com/elastic/kibana) repository. + + It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 + International](https://creativecommons.org/licenses/by-nc-nd/4.0/). + title: Kibana APIs + version: 1.0.2 + x-doc-license: + name: Attribution-NonCommercial-NoDerivatives 4.0 International + url: https://creativecommons.org/licenses/by-nc-nd/4.0/ + x-feedbackLink: + label: Feedback + url: >- + https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ +servers: + - url: https://{kibana_url} + variables: + kibana_url: + default: localhost:5601 +paths: + /api/actions: + get: + deprecated: true + operationId: '%2Fapi%2Factions#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + responses: {} + summary: Get all connectors + tags: + - connectors + /api/actions/action: + post: + deprecated: true + operationId: '%2Fapi%2Factions%2Faction#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actionTypeId: + description: The connector type identifier. + type: string + config: + additionalProperties: {} + default: {} + type: object + name: + description: The display name for the connector. + type: string + secrets: + additionalProperties: {} + default: {} + type: object + required: + - name + - actionTypeId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Create a connector + tags: + - connectors + /api/actions/action/{id}: + delete: + deprecated: true + description: 'WARNING: When you delete a connector, it cannot be recovered.' + operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + summary: Delete a connector + tags: + - connectors + get: + deprecated: true + operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Get connector information + tags: + - connectors + put: + deprecated: true + operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D#2' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + default: {} + type: object + name: + type: string + secrets: + additionalProperties: {} + default: {} + type: object + required: + - name + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Update a connector + tags: + - connectors + /api/actions/action/{id}/_execute: + post: + deprecated: true + operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D%2F_execute#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + params: + additionalProperties: {} + type: object + required: + - params + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Run a connector + tags: + - connectors + /api/actions/connector_types: + get: + description: You do not need any Kibana feature privileges to run this API. + operationId: '%2Fapi%2Factions%2Fconnector_types#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: >- + A filter to limit the retrieved connector types to those that + support a specific feature (such as alerting or cases). + in: query + name: feature_id + required: false + schema: + type: string + responses: {} + summary: Get connector types + tags: + - connectors + /api/actions/connector/{id}: + delete: + description: 'WARNING: When you delete a connector, it cannot be recovered.' + operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + summary: Delete a connector + tags: + - connectors + get: + operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Get connector information + tags: + - connectors + post: + operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%3F%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: false + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + default: {} + type: object + connector_type_id: + description: The type of connector. + type: string + name: + description: The display name for the connector. + type: string + secrets: + additionalProperties: {} + default: {} + type: object + required: + - name + - connector_type_id + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Create a connector + tags: + - connectors + put: + operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#2' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + default: {} + type: object + name: + description: The display name for the connector. + type: string + secrets: + additionalProperties: {} + default: {} + type: object + required: + - name + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Update a connector + tags: + - connectors + /api/actions/connector/{id}/_execute: + post: + description: >- + You can use this API to test an action that involves interaction with + Kibana services or integrations with third-party systems. + operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D%2F_execute#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: An identifier for the connector. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + params: + additionalProperties: {} + type: object + required: + - params + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action + description: Indicates a successful call. + summary: Run a connector + tags: + - connectors + /api/actions/connectors: + get: + operationId: '%2Fapi%2Factions%2Fconnectors#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + responses: {} + summary: Get all connectors + tags: + - connectors + /api/actions/list_action_types: + get: + deprecated: true + operationId: '%2Fapi%2Factions%2Flist_action_types#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + responses: {} + summary: Get connector types + tags: + - connectors + /api/alerting/_health: + get: + description: > + You must have `read` privileges for the **Management > Stack Rules** + feature or for at least one of the **Analytics > Discover**, **Analytics + > Machine Learning**, **Observability**, or **Security** features. + operationId: getAlertingHealth + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getAlertingHealthResponse: + $ref: '#/components/examples/Alerting_get_health_response' + schema: + type: object + properties: + alerting_framework_health: + description: > + Three substates identify the health of the alerting + framework: `decryption_health`, `execution_health`, and + `read_health`. + type: object + properties: + decryption_health: + description: The timestamp and status of the rule decryption. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + execution_health: + description: The timestamp and status of the rule run. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + read_health: + description: The timestamp and status of the rule reading events. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + has_permanent_encryption_key: + description: >- + If `false`, the encrypted saved object plugin does not + have a permanent encryption key. + example: true + type: boolean + is_sufficiently_secure: + description: If `false`, security is enabled but TLS is not. + example: true + type: boolean + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get the alerting framework health + tags: + - alerting + /api/alerting/rule_types: + get: + description: > + If you have `read` privileges for one or more Kibana features, the API + response contains information about the appropriate rule types. For + example, there are rule types associated with the **Management > Stack + Rules** feature, **Analytics > Discover** and **Machine Learning** + features, **Observability** features, and **Security** features. To get + rule types associated with the **Stack Monitoring** feature, use the + `monitoring_user` built-in role. + operationId: getRuleTypes + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getRuleTypesResponse: + $ref: '#/components/examples/Alerting_get_rule_types_response' + schema: + items: + type: object + properties: + action_groups: + description: > + An explicit list of groups for which the rule type can + schedule actions, each with the action group's unique ID + and human readable name. Rule actions validation uses + this configuration to ensure that groups are valid. + items: + type: object + properties: + id: + type: string + name: + type: string + type: array + action_variables: + description: > + A list of action variables that the rule type makes + available via context and state in action parameter + templates, and a short human readable description. When + you create a rule in Kibana, it uses this information to + prompt you for these variables in action parameter + editors. + type: object + properties: + context: + items: + type: object + properties: + description: + type: string + name: + type: string + useWithTripleBracesInTemplates: + type: boolean + type: array + params: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + state: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + alerts: + description: > + Details for writing alerts as data documents for this + rule type. + type: object + properties: + context: + description: | + The namespace for this rule type. + enum: + - ml.anomaly-detection + - observability.apm + - observability.logs + - observability.metrics + - observability.slo + - observability.threshold + - observability.uptime + - security + - stack + type: string + dynamic: + description: Indicates whether new fields are added dynamically. + enum: + - 'false' + - runtime + - strict + - 'true' + type: string + isSpaceAware: + description: > + Indicates whether the alerts are space-aware. If + true, space-specific alert indices are used. + type: boolean + mappings: + type: object + properties: + fieldMap: + additionalProperties: + $ref: >- + #/components/schemas/Alerting_fieldmap_properties + description: > + Mapping information for each field supported in + alerts as data documents for this rule type. For + more information about mapping parameters, refer + to the Elasticsearch documentation. + type: object + secondaryAlias: + description: > + A secondary alias. It is typically used to support + the signals alias for detection rules. + type: string + shouldWrite: + description: > + Indicates whether the rule should write out alerts + as data. + type: boolean + useEcs: + description: > + Indicates whether to include the ECS component + template for the alerts. + type: boolean + useLegacyAlerts: + default: false + description: > + Indicates whether to include the legacy component + template for the alerts. + type: boolean + authorized_consumers: + description: >- + The list of the plugins IDs that have access to the rule + type. + type: object + properties: + alerts: + type: object + properties: + all: + type: boolean + read: + type: boolean + apm: + type: object + properties: + all: + type: boolean + read: + type: boolean + discover: + type: object + properties: + all: + type: boolean + read: + type: boolean + infrastructure: + type: object + properties: + all: + type: boolean + read: + type: boolean + logs: + type: object + properties: + all: + type: boolean + read: + type: boolean + ml: + type: object + properties: + all: + type: boolean + read: + type: boolean + monitoring: + type: object + properties: + all: + type: boolean + read: + type: boolean + siem: + type: object + properties: + all: + type: boolean + read: + type: boolean + slo: + type: object + properties: + all: + type: boolean + read: + type: boolean + stackAlerts: + type: object + properties: + all: + type: boolean + read: + type: boolean + uptime: + type: object + properties: + all: + type: boolean + read: + type: boolean + category: + description: >- + The rule category, which is used by features such as + category-specific maintenance windows. + enum: + - management + - observability + - securitySolution + type: string + default_action_group_id: + description: The default identifier for the rule type group. + type: string + does_set_recovery_context: + description: >- + Indicates whether the rule passes context variables to + its recovery action. + type: boolean + enabled_in_license: + description: >- + Indicates whether the rule type is enabled or disabled + based on the subscription. + type: boolean + has_alerts_mappings: + description: >- + Indicates whether the rule type has custom mappings for + the alert data. + type: boolean + has_fields_for_a_a_d: + type: boolean + id: + description: The unique identifier for the rule type. + type: string + is_exportable: + description: >- + Indicates whether the rule type is exportable in **Stack + Management > Saved Objects**. + type: boolean + minimum_license_required: + description: The subscriptions required to use the rule type. + example: basic + type: string + name: + description: The descriptive name of the rule type. + type: string + producer: + description: >- + An identifier for the application that produces this + rule type. + example: stackAlerts + type: string + recovery_action_group: + description: >- + An action group to use when an alert goes from an active + state to an inactive one. + type: object + properties: + id: + type: string + name: + type: string + rule_task_timeout: + example: 5m + type: string + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get the rule types + tags: + - alerting + /api/alerting/rule/{id}: + delete: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#2' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Delete a rule + tags: + - alerting + get: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL) as defined in + the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the + days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work + but lack built-in daylight savings time + support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: >- + The type of connector. This property appears in + responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. + Valid values include: `onActionGroupChange`: + Actions run when the alert status changes; + `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while + the rule conditions are met; + `onThrottleInterval`: Actions run when the alert + becomes active and at the interval specified in + the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The + recommended method is to set it for each action. + If you set it at the rule level then update the + rule in Kibana, it is automatically changed to + use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often + an alert generates repeated actions. It is + specified in seconds, minutes, hours, or days + and is applicable only if 'notify_when' is set + to 'onThrottleInterval'. NOTE: You cannot + specify the throttle interval at both the rule + and action level. The recommended method is to + set it for each action. If you set it at the + rule level then update the rule in Kibana, it is + automatically changed to use action-specific + values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: >- + A universally unique identifier (UUID) for the + action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + api_key_created_by_user: + description: >- + Indicates whether the API key that is associated with the + rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: >- + The owner of the API key that is associated with the rule + and used to run background tasks. + nullable: true + type: string + consumer: + description: >- + The name of the application or feature that owns the rule. + For example: `alerts`, `apm`, `discover`, + `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, + `securitySolution`, `siem`, `stackAlerts`, or `uptime`. + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: >- + Indicates whether you want to run the rule on an interval + basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value could be + succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: {} + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: >- + Calculation of different percentiles and success + ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + additionalProperties: false + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: >- + Number of ignored alerts during last + run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: >- + Number of recovered alerts during last + run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value + could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: >- + Outcome message generated during last + rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + success: + description: >- + Indicates whether the rule run was + successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + total_alerts_created: + description: >- + Total number of alerts created during last + rule run. + nullable: true + type: number + total_alerts_detected: + description: >- + Total number of alerts detected during + last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during + last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: >- + Total time spent performing Elasticsearch + searches as measured by Kibana; includes + network latency and time spent serializing + or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the + alert becomes active and at each check interval while the + rule conditions are met; `onThrottleInterval`: Actions run + when the alert becomes active and at the interval + specified in the throttle property while the rule + conditions are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The recommended method + is to set it for each action. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, + or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + type: array + bymonth: + items: + description: >- + Indicates months of the year that this rule + should recur. + type: number + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + type: array + bysetpos: + items: + description: >- + A positive or negative integer affecting the + nth day of the month. For example, -2 combined + with `byweekday` of FR is 2nd to last Friday + of the month. It is recommended to not set + this manually and just use `byweekday`. + type: number + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: >- + Indicates the days of the week to recur or + else nth-day-of-month strings. For example, + "+2TU" second Tuesday of month, "-1FR" last + Friday of the month, which are internally + converted to a `byweekday/bysetpos` + combination. + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + type: array + byyearday: + items: + description: >- + Indicates the days of the year that this rule + should recur. + type: number + type: array + count: + description: >- + Number of times the rule should recur until it + stops. + type: number + dtstart: + description: >- + Rule start date in Coordinated Universal Time + (UTC). + type: string + freq: + description: >- + Indicates frequency of the rule. Options are + YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: >- + Indicates the interval of frequency. For + example, 1 and YEARLY is every 1 year, 2 and + WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: >- + Deprecated in 8.13.0. Use the `throttle` property in the + action `frequency` object instead. The throttle interval, + which defines how often an alert generates repeated + actions. NOTE: You cannot specify the throttle interval at + both the rule and action level. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: >- + The identifier for the user that updated this rule most + recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Get rule details + tags: + - alerting + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%3F%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: >- + The identifier for the rule. If it is omitted, an ID is randomly + generated. + in: path + name: id + required: false + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + description: >- + Conditions that affect whether the action runs. If you + specify multiple conditions, all conditions must be + met for the action to run. For example, if an alert + occurs within the specified time frame and matches the + query, the action runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query Domain + Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query Domain + Specific Language (DSL) as defined in the + `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the days + of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: >- + Defines the range of time in a day that the + action can run. If the `start` value is + `00:00` and the `end` value is `24:00`, + actions be generated all day. + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work but + lack built-in daylight savings time support + and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. Valid + values include: `onActionGroupChange`: Actions run + when the alert status changes; `onActiveAlert`: + Actions run when the alert becomes active and at + each check interval while the rule conditions are + met; `onThrottleInterval`: Actions run when the + alert becomes active and at the interval specified + in the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` at + both the rule and action level. The recommended + method is to set it for each action. If you set it + at the rule level then update the rule in Kibana, + it is automatically changed to use action-specific + values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often an + alert generates repeated actions. It is specified + in seconds, minutes, hours, or days and is + applicable only if `notify_when` is set to + `onThrottleInterval`. NOTE: You cannot specify the + throttle interval at both the rule and action + level. The recommended method is to set it for + each action. If you set it at the rule level then + update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + default: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + consumer: + description: >- + The name of the application or feature that owns the rule. + For example: `alerts`, `apm`, `discover`, `infrastructure`, + `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, + `siem`, `stackAlerts`, or `uptime`. + type: string + enabled: + default: true + description: >- + Indicates whether you want to run the rule on an interval + basis after it is created. + type: boolean + name: + description: >- + The name of the rule. While this name does not have to be + unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while the rule + conditions are met; `onThrottleInterval`: Actions run when + the alert becomes active and at the interval specified in + the throttle property while the rule conditions are met. + NOTE: You cannot specify `notify_when` at both the rule and + action level. The recommended method is to set it for each + action. If you set it at the rule level then update the rule + in Kibana, it is automatically changed to use + action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + default: {} + description: The parameters for the rule. + type: object + rule_type_id: + description: The rule type identifier. + type: string + schedule: + additionalProperties: false + description: >- + The check interval, which specifies how frequently the rule + conditions are checked. + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, or + days. + type: string + required: + - interval + tags: + default: [] + description: The tags for the rule. + items: + type: string + type: array + throttle: + description: >- + Use the `throttle` property in the action `frequency` object + instead. The throttle interval, which defines how often an + alert generates repeated actions. NOTE: You cannot specify + the throttle interval at both the rule and action level. If + you set it at the rule level then update the rule in Kibana, + it is automatically changed to use action-specific values. + nullable: true + type: string + required: + - name + - rule_type_id + - consumer + - schedule + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL) as defined in + the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the + days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work + but lack built-in daylight savings time + support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: >- + The type of connector. This property appears in + responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. + Valid values include: `onActionGroupChange`: + Actions run when the alert status changes; + `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while + the rule conditions are met; + `onThrottleInterval`: Actions run when the alert + becomes active and at the interval specified in + the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The + recommended method is to set it for each action. + If you set it at the rule level then update the + rule in Kibana, it is automatically changed to + use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often + an alert generates repeated actions. It is + specified in seconds, minutes, hours, or days + and is applicable only if 'notify_when' is set + to 'onThrottleInterval'. NOTE: You cannot + specify the throttle interval at both the rule + and action level. The recommended method is to + set it for each action. If you set it at the + rule level then update the rule in Kibana, it is + automatically changed to use action-specific + values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: >- + A universally unique identifier (UUID) for the + action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + api_key_created_by_user: + description: >- + Indicates whether the API key that is associated with the + rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: >- + The owner of the API key that is associated with the rule + and used to run background tasks. + nullable: true + type: string + consumer: + description: >- + The name of the application or feature that owns the rule. + For example: `alerts`, `apm`, `discover`, + `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, + `securitySolution`, `siem`, `stackAlerts`, or `uptime`. + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: >- + Indicates whether you want to run the rule on an interval + basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value could be + succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: {} + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: >- + Calculation of different percentiles and success + ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + additionalProperties: false + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: >- + Number of ignored alerts during last + run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: >- + Number of recovered alerts during last + run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value + could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: >- + Outcome message generated during last + rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + success: + description: >- + Indicates whether the rule run was + successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + total_alerts_created: + description: >- + Total number of alerts created during last + rule run. + nullable: true + type: number + total_alerts_detected: + description: >- + Total number of alerts detected during + last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during + last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: >- + Total time spent performing Elasticsearch + searches as measured by Kibana; includes + network latency and time spent serializing + or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the + alert becomes active and at each check interval while the + rule conditions are met; `onThrottleInterval`: Actions run + when the alert becomes active and at the interval + specified in the throttle property while the rule + conditions are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The recommended method + is to set it for each action. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, + or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + type: array + bymonth: + items: + description: >- + Indicates months of the year that this rule + should recur. + type: number + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + type: array + bysetpos: + items: + description: >- + A positive or negative integer affecting the + nth day of the month. For example, -2 combined + with `byweekday` of FR is 2nd to last Friday + of the month. It is recommended to not set + this manually and just use `byweekday`. + type: number + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: >- + Indicates the days of the week to recur or + else nth-day-of-month strings. For example, + "+2TU" second Tuesday of month, "-1FR" last + Friday of the month, which are internally + converted to a `byweekday/bysetpos` + combination. + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + type: array + byyearday: + items: + description: >- + Indicates the days of the year that this rule + should recur. + type: number + type: array + count: + description: >- + Number of times the rule should recur until it + stops. + type: number + dtstart: + description: >- + Rule start date in Coordinated Universal Time + (UTC). + type: string + freq: + description: >- + Indicates frequency of the rule. Options are + YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: >- + Indicates the interval of frequency. For + example, 1 and YEARLY is every 1 year, 2 and + WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: >- + Deprecated in 8.13.0. Use the `throttle` property in the + action `frequency` object instead. The throttle interval, + which defines how often an alert generates repeated + actions. NOTE: You cannot specify the throttle interval at + both the rule and action level. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: >- + The identifier for the user that updated this rule most + recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '409': + description: Indicates that the rule id is already in use. + summary: Create a rule + tags: + - alerting + put: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + default: [] + items: + additionalProperties: false + description: An action that runs under defined conditions. + type: object + properties: + alerts_filter: + additionalProperties: false + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query Domain + Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query Domain + Specific Language (DSL) as defined in the + `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the days + of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + description: >- + Defines the range of time in a day that the + action can run. If the `start` value is + `00:00` and the `end` value is `24:00`, + actions be generated all day. + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work but + lack built-in daylight savings time support + and are not recommended. + type: string + required: + - days + - hours + - timezone + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. Valid + values include: `onActionGroupChange`: Actions run + when the alert status changes; `onActiveAlert`: + Actions run when the alert becomes active and at + each check interval while the rule conditions are + met; `onThrottleInterval`: Actions run when the + alert becomes active and at the interval specified + in the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` at + both the rule and action level. The recommended + method is to set it for each action. If you set it + at the rule level then update the rule in Kibana, + it is automatically changed to use action-specific + values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often an + alert generates repeated actions. It is specified + in seconds, minutes, hours, or days and is + applicable only if `notify_when` is set to + `onThrottleInterval`. NOTE: You cannot specify the + throttle interval at both the rule and action + level. The recommended method is to set it for + each action. If you set it at the rule level then + update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + default: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: A universally unique identifier (UUID) for the action. + type: string + required: + - id + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + name: + description: >- + The name of the rule. While this name does not have to be + unique, a distinctive name can help you identify a rule. + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while the rule + conditions are met; `onThrottleInterval`: Actions run when + the alert becomes active and at the interval specified in + the throttle property while the rule conditions are met. + NOTE: You cannot specify `notify_when` at both the rule and + action level. The recommended method is to set it for each + action. If you set it at the rule level then update the rule + in Kibana, it is automatically changed to use + action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + default: {} + description: The parameters for the rule. + type: object + schedule: + additionalProperties: false + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, or + days. + type: string + required: + - interval + tags: + default: [] + items: + description: The tags for the rule. + type: string + type: array + throttle: + description: >- + Use the `throttle` property in the action `frequency` object + instead. The throttle interval, which defines how often an + alert generates repeated actions. NOTE: You cannot specify + the throttle interval at both the rule and action level. If + you set it at the rule level then update the rule in Kibana, + it is automatically changed to use action-specific values. + nullable: true + type: string + required: + - name + - schedule + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL) as defined in + the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the + days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work + but lack built-in daylight savings time + support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: >- + The type of connector. This property appears in + responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. + Valid values include: `onActionGroupChange`: + Actions run when the alert status changes; + `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while + the rule conditions are met; + `onThrottleInterval`: Actions run when the alert + becomes active and at the interval specified in + the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The + recommended method is to set it for each action. + If you set it at the rule level then update the + rule in Kibana, it is automatically changed to + use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often + an alert generates repeated actions. It is + specified in seconds, minutes, hours, or days + and is applicable only if 'notify_when' is set + to 'onThrottleInterval'. NOTE: You cannot + specify the throttle interval at both the rule + and action level. The recommended method is to + set it for each action. If you set it at the + rule level then update the rule in Kibana, it is + automatically changed to use action-specific + values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: >- + A universally unique identifier (UUID) for the + action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + api_key_created_by_user: + description: >- + Indicates whether the API key that is associated with the + rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: >- + The owner of the API key that is associated with the rule + and used to run background tasks. + nullable: true + type: string + consumer: + description: >- + The name of the application or feature that owns the rule. + For example: `alerts`, `apm`, `discover`, + `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, + `securitySolution`, `siem`, `stackAlerts`, or `uptime`. + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: >- + Indicates whether you want to run the rule on an interval + basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value could be + succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: {} + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: >- + Calculation of different percentiles and success + ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + additionalProperties: false + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: >- + Number of ignored alerts during last + run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: >- + Number of recovered alerts during last + run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value + could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: >- + Outcome message generated during last + rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + success: + description: >- + Indicates whether the rule run was + successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + total_alerts_created: + description: >- + Total number of alerts created during last + rule run. + nullable: true + type: number + total_alerts_detected: + description: >- + Total number of alerts detected during + last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during + last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: >- + Total time spent performing Elasticsearch + searches as measured by Kibana; includes + network latency and time spent serializing + or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the + alert becomes active and at each check interval while the + rule conditions are met; `onThrottleInterval`: Actions run + when the alert becomes active and at the interval + specified in the throttle property while the rule + conditions are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The recommended method + is to set it for each action. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, + or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + type: array + bymonth: + items: + description: >- + Indicates months of the year that this rule + should recur. + type: number + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + type: array + bysetpos: + items: + description: >- + A positive or negative integer affecting the + nth day of the month. For example, -2 combined + with `byweekday` of FR is 2nd to last Friday + of the month. It is recommended to not set + this manually and just use `byweekday`. + type: number + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: >- + Indicates the days of the week to recur or + else nth-day-of-month strings. For example, + "+2TU" second Tuesday of month, "-1FR" last + Friday of the month, which are internally + converted to a `byweekday/bysetpos` + combination. + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + type: array + byyearday: + items: + description: >- + Indicates the days of the year that this rule + should recur. + type: number + type: array + count: + description: >- + Number of times the rule should recur until it + stops. + type: number + dtstart: + description: >- + Rule start date in Coordinated Universal Time + (UTC). + type: string + freq: + description: >- + Indicates frequency of the rule. Options are + YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: >- + Indicates the interval of frequency. For + example, 1 and YEARLY is every 1 year, 2 and + WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: >- + Deprecated in 8.13.0. Use the `throttle` property in the + action `frequency` object instead. The throttle interval, + which defines how often an alert generates repeated + actions. NOTE: You cannot specify the throttle interval at + both the rule and action level. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: >- + The identifier for the user that updated this rule most + recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update a rule + tags: + - alerting + /api/alerting/rule/{id}/_disable: + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_disable#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + nullable: true + type: object + properties: + untrack: + description: Defines whether this rule's alerts should be untracked. + type: boolean + x-oas-optional: true + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Disable a rule + tags: + - alerting + /api/alerting/rule/{id}/_enable: + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_enable#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + summary: Enable a rule + tags: + - alerting + /api/alerting/rule/{id}/_mute_all: + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_mute_all#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + summary: Mute all alerts + tags: + - alerting + /api/alerting/rule/{id}/_unmute_all: + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_unmute_all#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + summary: Unmute all alerts + tags: + - alerting + /api/alerting/rule/{id}/_update_api_key: + post: + operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_update_api_key#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. + summary: Update the API key for a rule + tags: + - alerting + /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: + post: + operationId: >- + %2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_mute#0 + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Mute an alert + tags: + - alerting + /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: + post: + operationId: >- + %2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_unmute#0 + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - description: The identifier for the rule. + in: path + name: rule_id + required: true + schema: + type: string + - description: The identifier for the alert. + in: path + name: alert_id + required: true + schema: + type: string + responses: + '204': + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. + summary: Unmute an alert + tags: + - alerting + /api/alerting/rules/_find: + get: + operationId: '%2Fapi%2Falerting%2Frules%2F_find#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: The number of rules to return per page. + in: query + name: per_page + required: false + schema: + default: 10 + minimum: 0 + type: number + - description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: number + - description: >- + An Elasticsearch simple_query_string query that filters the objects + in the response. + in: query + name: search + required: false + schema: + type: string + - description: The default operator to use for the simple_query_string. + in: query + name: default_search_operator + required: false + schema: + default: OR + enum: + - OR + - AND + type: string + - description: The fields to perform the simple_query_string parsed query against. + in: query + name: search_fields + required: false + schema: + anyOf: + - items: + type: string + type: array + - type: string + - description: >- + Determines which field is used to sort the results. The field must + exist in the `attributes` key of the response. + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order. + in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - description: >- + Filters the rules that have a relation with the reference objects + with a specific type and identifier. + in: query + name: has_reference + required: false + schema: + additionalProperties: false + nullable: true + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + - in: query + name: fields + required: false + schema: + items: + description: The fields to return in the `attributes` key of the response. + type: string + type: array + - description: >- + A KQL string that you filter with an attribute from your saved + object. It should look like `savedObjectType.attributes.title: + "myTitle"`. However, if you used a direct attribute of a saved + object, such as `updatedAt`, you must define your filter, for + example, `savedObjectType.updatedAt > 2018-12-22`. + in: query + name: filter + required: false + schema: + type: string + - in: query + name: filter_consumers + required: false + schema: + items: + description: List of consumers to filter. + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + actions: + items: + additionalProperties: false + type: object + properties: + alerts_filter: + additionalProperties: false + description: >- + Defines a period that limits whether the action + runs. + type: object + properties: + query: + additionalProperties: false + type: object + properties: + dsl: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL). + type: string + filters: + description: >- + A filter written in Elasticsearch Query + Domain Specific Language (DSL) as defined in + the `kbn-es-query` package. + items: + additionalProperties: false + type: object + properties: + $state: + additionalProperties: false + type: object + properties: + store: + description: >- + A filter can be either specific to an + application context or applied globally. + enum: + - appState + - globalState + type: string + required: + - store + meta: + additionalProperties: {} + type: object + query: + additionalProperties: {} + type: object + required: + - meta + type: array + kql: + description: >- + A filter written in Kibana Query Language + (KQL). + type: string + required: + - kql + - filters + timeframe: + additionalProperties: false + type: object + properties: + days: + description: >- + Defines the days of the week that the action + can run, represented as an array of numbers. + For example, `1` represents Monday. An empty + array is equivalent to specifying all the + days of the week. + items: + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + type: integer + type: array + hours: + additionalProperties: false + type: object + properties: + end: + description: >- + The end of the time frame in 24-hour + notation (`hh:mm`). + type: string + start: + description: >- + The start of the time frame in 24-hour + notation (`hh:mm`). + type: string + required: + - start + - end + timezone: + description: >- + The ISO time zone for the `hours` values. + Values such as `UTC` and `UTC+1` also work + but lack built-in daylight savings time + support and are not recommended. + type: string + required: + - days + - hours + - timezone + connector_type_id: + description: >- + The type of connector. This property appears in + responses but cannot be set in requests. + type: string + frequency: + additionalProperties: false + type: object + properties: + notify_when: + description: >- + Indicates how often alerts generate actions. + Valid values include: `onActionGroupChange`: + Actions run when the alert status changes; + `onActiveAlert`: Actions run when the alert + becomes active and at each check interval while + the rule conditions are met; + `onThrottleInterval`: Actions run when the alert + becomes active and at the interval specified in + the throttle property while the rule conditions + are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The + recommended method is to set it for each action. + If you set it at the rule level then update the + rule in Kibana, it is automatically changed to + use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + summary: + description: Indicates whether the action is a summary. + type: boolean + throttle: + description: >- + The throttle interval, which defines how often + an alert generates repeated actions. It is + specified in seconds, minutes, hours, or days + and is applicable only if 'notify_when' is set + to 'onThrottleInterval'. NOTE: You cannot + specify the throttle interval at both the rule + and action level. The recommended method is to + set it for each action. If you set it at the + rule level then update the rule in Kibana, it is + automatically changed to use action-specific + values. + nullable: true + type: string + required: + - summary + - notify_when + - throttle + group: + description: >- + The group name, which affects when the action runs + (for example, when the threshold is met or when the + alert is recovered). Each rule type has a list of + valid action group names. If you don't need to group + actions, set to `default`. + type: string + id: + description: The identifier for the connector saved object. + type: string + params: + additionalProperties: {} + description: >- + The parameters for the action, which are sent to the + connector. The `params` are handled as Mustache + templates and passed a default set of context. + type: object + use_alert_data_for_template: + description: Indicates whether to use alert data as a template. + type: boolean + uuid: + description: >- + A universally unique identifier (UUID) for the + action. + type: string + required: + - id + - connector_type_id + - params + type: array + active_snoozes: + items: + description: List of active snoozes for the rule. + type: string + type: array + alert_delay: + additionalProperties: false + description: >- + Indicates that an alert occurs only when the specified + number of consecutive runs met the rule conditions. + type: object + properties: + active: + description: >- + The number of consecutive runs that must meet the rule + conditions. + type: number + required: + - active + api_key_created_by_user: + description: >- + Indicates whether the API key that is associated with the + rule was created by the user. + nullable: true + type: boolean + api_key_owner: + description: >- + The owner of the API key that is associated with the rule + and used to run background tasks. + nullable: true + type: string + consumer: + description: >- + The name of the application or feature that owns the rule. + For example: `alerts`, `apm`, `discover`, + `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, + `securitySolution`, `siem`, `stackAlerts`, or `uptime`. + type: string + created_at: + description: The date and time that the rule was created. + type: string + created_by: + description: The identifier for the user that created the rule. + nullable: true + type: string + enabled: + description: >- + Indicates whether you want to run the rule on an interval + basis after it is created. + type: boolean + execution_status: + additionalProperties: false + type: object + properties: + error: + additionalProperties: false + type: object + properties: + message: + description: Error message. + type: string + reason: + description: Reason for error. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + type: string + required: + - reason + - message + last_duration: + description: Duration of last execution of the rule. + type: number + last_execution_date: + description: The date and time when rule was executed last. + type: string + status: + description: Status of rule execution. + enum: + - ok + - active + - error + - warning + - pending + - unknown + type: string + warning: + additionalProperties: false + type: object + properties: + message: + description: Warning message. + type: string + reason: + description: Reason for warning. + enum: + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + type: string + required: + - reason + - message + required: + - status + - last_execution_date + id: + description: The identifier for the rule. + type: string + is_snoozed_until: + description: The date when the rule will no longer be snoozed. + nullable: true + type: string + last_run: + additionalProperties: false + nullable: true + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: Number of ignored alerts during last run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: Number of recovered alerts during last run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value could be + succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: Outcome message generated during last rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + mapped_params: + additionalProperties: {} + type: object + monitoring: + additionalProperties: false + description: Monitoring details of the rule. + type: object + properties: + run: + additionalProperties: false + description: Rule run details. + type: object + properties: + calculated_metrics: + additionalProperties: false + description: >- + Calculation of different percentiles and success + ratio. + type: object + properties: + p50: + type: number + p95: + type: number + p99: + type: number + success_ratio: + type: number + required: + - success_ratio + history: + description: History of the rule run. + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule run. + type: number + outcome: + additionalProperties: false + type: object + properties: + alerts_count: + additionalProperties: false + type: object + properties: + active: + description: Number of active alerts during last run. + nullable: true + type: number + ignored: + description: >- + Number of ignored alerts during last + run. + nullable: true + type: number + new: + description: Number of new alerts during last run. + nullable: true + type: number + recovered: + description: >- + Number of recovered alerts during last + run. + nullable: true + type: number + outcome: + description: >- + Outcome of last run of the rule. Value + could be succeeded, warning or failed. + enum: + - succeeded + - warning + - failed + type: string + outcome_msg: + items: + description: >- + Outcome message generated during last + rule run. + type: string + nullable: true + type: array + outcome_order: + description: Order of the outcome. + type: number + warning: + description: Warning of last rule execution. + enum: + - read + - decrypt + - execute + - unknown + - license + - timeout + - disabled + - validate + - maxExecutableActions + - maxAlerts + - maxQueuedActions + - ruleExecution + nullable: true + type: string + required: + - outcome + - alerts_count + success: + description: >- + Indicates whether the rule run was + successful. + type: boolean + timestamp: + description: Time of rule run. + type: number + required: + - success + - timestamp + type: array + last_run: + additionalProperties: false + type: object + properties: + metrics: + additionalProperties: false + type: object + properties: + duration: + description: Duration of most recent rule run. + type: number + gap_duration_s: + description: Duration in seconds of rule run gap. + nullable: true + type: number + total_alerts_created: + description: >- + Total number of alerts created during last + rule run. + nullable: true + type: number + total_alerts_detected: + description: >- + Total number of alerts detected during + last rule run. + nullable: true + type: number + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during + last rule run in milliseconds. + nullable: true + type: number + total_search_duration_ms: + description: >- + Total time spent performing Elasticsearch + searches as measured by Kibana; includes + network latency and time spent serializing + or deserializing the request and response. + nullable: true + type: number + timestamp: + description: Time of the most recent rule run. + type: string + required: + - timestamp + - metrics + required: + - history + - calculated_metrics + - last_run + required: + - run + mute_all: + description: Indicates whether all alerts are muted. + type: boolean + muted_alert_ids: + items: + description: 'List of identifiers of muted alerts. ' + type: string + type: array + name: + description: ' The name of the rule.' + type: string + next_run: + description: Date and time of the next run of the rule. + nullable: true + type: string + notify_when: + description: >- + Indicates how often alerts generate actions. Valid values + include: `onActionGroupChange`: Actions run when the alert + status changes; `onActiveAlert`: Actions run when the + alert becomes active and at each check interval while the + rule conditions are met; `onThrottleInterval`: Actions run + when the alert becomes active and at the interval + specified in the throttle property while the rule + conditions are met. NOTE: You cannot specify `notify_when` + at both the rule and action level. The recommended method + is to set it for each action. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + nullable: true + type: string + params: + additionalProperties: {} + description: The parameters for the rule. + type: object + revision: + description: The rule revision number. + type: number + rule_type_id: + description: The rule type identifier. + type: string + running: + description: Indicates whether the rule is running. + nullable: true + type: boolean + schedule: + additionalProperties: false + type: object + properties: + interval: + description: >- + The interval is specified in seconds, minutes, hours, + or days. + type: string + required: + - interval + scheduled_task_id: + description: Identifier of the scheduled task. + type: string + snooze_schedule: + items: + additionalProperties: false + type: object + properties: + duration: + description: Duration of the rule snooze schedule. + type: number + id: + description: Identifier of the rule snooze schedule. + type: string + rRule: + additionalProperties: false + type: object + properties: + byhour: + items: + description: Indicates hours of the day to recur. + type: number + type: array + byminute: + items: + description: Indicates minutes of the hour to recur. + type: number + type: array + bymonth: + items: + description: >- + Indicates months of the year that this rule + should recur. + type: number + type: array + bymonthday: + items: + description: Indicates the days of the month to recur. + type: number + type: array + bysecond: + items: + description: Indicates seconds of the day to recur. + type: number + type: array + bysetpos: + items: + description: >- + A positive or negative integer affecting the + nth day of the month. For example, -2 combined + with `byweekday` of FR is 2nd to last Friday + of the month. It is recommended to not set + this manually and just use `byweekday`. + type: number + type: array + byweekday: + items: + anyOf: + - type: string + - type: number + description: >- + Indicates the days of the week to recur or + else nth-day-of-month strings. For example, + "+2TU" second Tuesday of month, "-1FR" last + Friday of the month, which are internally + converted to a `byweekday/bysetpos` + combination. + type: array + byweekno: + items: + description: Indicates number of the week hours to recur. + type: number + type: array + byyearday: + items: + description: >- + Indicates the days of the year that this rule + should recur. + type: number + type: array + count: + description: >- + Number of times the rule should recur until it + stops. + type: number + dtstart: + description: >- + Rule start date in Coordinated Universal Time + (UTC). + type: string + freq: + description: >- + Indicates frequency of the rule. Options are + YEARLY, MONTHLY, WEEKLY, DAILY. + enum: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + type: integer + interval: + description: >- + Indicates the interval of frequency. For + example, 1 and YEARLY is every 1 year, 2 and + WEEKLY is every 2 weeks. + type: number + tzid: + description: Indicates timezone abbreviation. + type: string + until: + description: Recur the rule until this date. + type: string + wkst: + description: Indicates the start of week, defaults to Monday. + enum: + - MO + - TU + - WE + - TH + - FR + - SA + - SU + type: string + required: + - dtstart + - tzid + skipRecurrences: + items: + description: Skips recurrence of rule on this date. + type: string + type: array + required: + - duration + - rRule + type: array + tags: + items: + description: The tags for the rule. + type: string + type: array + throttle: + deprecated: true + description: >- + Deprecated in 8.13.0. Use the `throttle` property in the + action `frequency` object instead. The throttle interval, + which defines how often an alert generates repeated + actions. NOTE: You cannot specify the throttle interval at + both the rule and action level. If you set it at the rule + level then update the rule in Kibana, it is automatically + changed to use action-specific values. + nullable: true + type: string + updated_at: + description: The date and time that the rule was updated most recently. + type: string + updated_by: + description: >- + The identifier for the user that updated this rule most + recently. + nullable: true + type: string + view_in_app_relative_url: + description: Relative URL to view rule in the app. + nullable: true + type: string + required: + - id + - enabled + - name + - tags + - rule_type_id + - consumer + - schedule + - actions + - params + - created_by + - updated_by + - created_at + - updated_at + - api_key_owner + - mute_all + - muted_alert_ids + - execution_status + - revision + description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + summary: Get information about rules + tags: + - alerting + /api/alerts/alert/{alertId}: + delete: + deprecated: true + description: > + Deprecated in 7.13.0. Use the delete rule API instead. WARNING: After + you delete an alert, you cannot recover it. + operationId: legaryDeleteAlert + parameters: + - $ref: '#/components/parameters/Alerting_kbn_xsrf' + - description: The identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + type: string + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Delete an alert + tags: + - alerting + get: + deprecated: true + description: Deprecated in 7.13.0. Use the get rule API instead. + operationId: legacyGetAlert + parameters: + - description: The identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_alert_response_properties' + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get an alert by identifier + tags: + - alerting + post: + deprecated: true + description: Deprecated in 7.13.0. Use the create rule API instead. + operationId: legacyCreateAlert + parameters: + - $ref: '#/components/parameters/Alerting_kbn_xsrf' + - description: >- + An UUID v1 or v4 identifier for the alert. If this parameter is + omitted, the identifier is randomly generated. + in: path + name: alertId + required: true + schema: + example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + title: Legacy create alert request properties + type: object + properties: + actions: + items: + type: object + properties: + actionTypeId: + description: The identifier for the action type. + type: string + group: + description: > + Grouping actions is recommended for escalations for + different types of alert instances. If you don't need + this functionality, set it to `default`. + type: string + id: + description: The ID of the action saved object. + type: string + params: + description: > + The map to the `params` that the action type will + receive. `params` are handled as Mustache templates + and passed a default set of context. + type: object + required: + - actionTypeId + - group + - id + - params + type: array + alertTypeId: + description: >- + The ID of the alert type that you want to call when the + alert is scheduled to run. + type: string + consumer: + description: >- + The name of the application that owns the alert. This name + has to match the Kibana feature name, as that dictates the + required role-based access control privileges. + type: string + enabled: + description: >- + Indicates if you want to run the alert on an interval basis + after it is created. + type: boolean + name: + description: A name to reference and search. + type: string + notifyWhen: + description: The condition for throttling the notification. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + params: + description: >- + The parameters to pass to the alert type executor `params` + value. This will also validate against the alert type params + validator, if defined. + type: object + schedule: + description: > + The schedule specifying when this alert should be run. A + schedule is structured such that the key specifies the + format you wish to use and its value specifies the schedule. + type: object + properties: + interval: + description: >- + The interval format specifies the interval in seconds, + minutes, hours or days at which the alert should run. + example: 10s + type: string + tags: + description: A list of keywords to reference and search. + items: + type: string + type: array + throttle: + description: > + How often this alert should fire the same actions. This will + prevent the alert from sending out the same notification + over and over. For example, if an alert with a schedule of 1 + minute stays in a triggered state for 90 minutes, setting a + throttle of `10m` or `1h` will prevent it from sending 90 + notifications during this period. + type: string + required: + - alertTypeId + - consumer + - name + - notifyWhen + - params + - schedule + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_alert_response_properties' + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Create an alert + tags: + - alerting + put: + deprecated: true + description: Deprecated in 7.13.0. Use the update rule API instead. + operationId: legacyUpdateAlert + parameters: + - $ref: '#/components/parameters/Alerting_kbn_xsrf' + - description: The identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + title: Legacy update alert request properties + type: object + properties: + actions: + items: + type: object + properties: + actionTypeId: + description: The identifier for the action type. + type: string + group: + description: > + Grouping actions is recommended for escalations for + different types of alert instances. If you don't need + this functionality, set it to `default`. + type: string + id: + description: The ID of the action saved object. + type: string + params: + description: > + The map to the `params` that the action type will + receive. `params` are handled as Mustache templates + and passed a default set of context. + type: object + required: + - actionTypeId + - group + - id + - params + type: array + name: + description: A name to reference and search. + type: string + notifyWhen: + description: The condition for throttling the notification. + enum: + - onActionGroupChange + - onActiveAlert + - onThrottleInterval + type: string + params: + description: >- + The parameters to pass to the alert type executor `params` + value. This will also validate against the alert type params + validator, if defined. + type: object + schedule: + description: > + The schedule specifying when this alert should be run. A + schedule is structured such that the key specifies the + format you wish to use and its value specifies the schedule. + type: object + properties: + interval: + description: >- + The interval format specifies the interval in seconds, + minutes, hours or days at which the alert should run. + example: 1d + type: string + tags: + description: A list of keywords to reference and search. + items: + type: string + type: array + throttle: + description: > + How often this alert should fire the same actions. This will + prevent the alert from sending out the same notification + over and over. For example, if an alert with a schedule of 1 + minute stays in a triggered state for 90 minutes, setting a + throttle of `10m` or `1h` will prevent it from sending 90 + notifications during this period. + type: string + required: + - name + - notifyWhen + - params + - schedule + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_alert_response_properties' + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Update an alert + tags: + - alerting + /api/alerts/alert/{alertId}/_disable: + post: + deprecated: true + description: Deprecated in 7.13.0. Use the disable rule API instead. + operationId: legacyDisableAlert + parameters: + - $ref: '#/components/parameters/Alerting_kbn_xsrf' + - description: The identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + type: string + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Disable an alert + tags: + - alerting + /api/alerts/alert/{alertId}/_enable: + post: + deprecated: true + description: Deprecated in 7.13.0. Use the enable rule API instead. + operationId: legacyEnableAlert + parameters: + - $ref: '#/components/parameters/Alerting_kbn_xsrf' + - description: The identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + type: string + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Enable an alert + tags: + - alerting + /api/alerts/alert/{alertId}/_mute_all: + post: + deprecated: true + description: Deprecated in 7.13.0. Use the mute all alerts API instead. + operationId: legacyMuteAllAlertInstances + parameters: + - $ref: '#/components/parameters/Alerting_kbn_xsrf' + - description: The identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + type: string + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Mute all alert instances + tags: + - alerting + /api/alerts/alert/{alertId}/_unmute_all: + post: + deprecated: true + description: Deprecated in 7.13.0. Use the unmute all alerts API instead. + operationId: legacyUnmuteAllAlertInstances + parameters: + - $ref: '#/components/parameters/Alerting_kbn_xsrf' + - description: The identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + type: string + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Unmute all alert instances + tags: + - alerting + /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute: + post: + deprecated: true + description: Deprecated in 7.13.0. Use the mute alert API instead. + operationId: legacyMuteAlertInstance + parameters: + - $ref: '#/components/parameters/Alerting_kbn_xsrf' + - description: An identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + type: string + - description: An identifier for the alert instance. + in: path + name: alertInstanceId + required: true + schema: + example: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 + type: string + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Mute an alert instance + tags: + - alerting + /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute: + post: + deprecated: true + description: Deprecated in 7.13.0. Use the unmute alert API instead. + operationId: legacyUnmuteAlertInstance + parameters: + - $ref: '#/components/parameters/Alerting_kbn_xsrf' + - description: An identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + type: string + - description: An identifier for the alert instance. + in: path + name: alertInstanceId + required: true + schema: + example: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 + type: string + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Unmute an alert instance + tags: + - alerting + /api/alerts/alerts/_find: + get: + deprecated: true + description: > + Deprecated in 7.13.0. Use the find rules API instead. NOTE: Alert + `params` are stored as a flattened field type and analyzed as keywords. + As alerts change in Kibana, the results on each page of the response + also change. Use the find API for traditional paginated results, but + avoid using it to export large amounts of data. + operationId: legacyFindAlerts + parameters: + - description: The default operator to use for the `simple_query_string`. + example: OR + in: query + name: default_search_operator + schema: + default: OR + type: string + - description: The fields to return in the `attributes` key of the response. + in: query + name: fields + schema: + items: + type: string + type: array + - description: > + A KQL string that you filter with an attribute from your saved + object. It should look like `savedObjectType.attributes.title: + "myTitle"`. However, if you used a direct attribute of a saved + object, such as `updatedAt`, you must define your filter, for + example, `savedObjectType.updatedAt > 2018-12-22`. + in: query + name: filter + schema: + type: string + - description: >- + Filters the rules that have a relation with the reference objects + with a specific type and identifier. + in: query + name: has_reference + schema: + type: object + properties: + id: + type: string + type: + type: string + - description: The page number to return. + example: 1 + in: query + name: page + schema: + default: 1 + type: integer + - description: The number of alerts to return per page. + example: 20 + in: query + name: per_page + schema: + default: 20 + type: integer + - description: >- + An Elasticsearch `simple_query_string` query that filters the alerts + in the response. + in: query + name: search + schema: + type: string + - description: >- + The fields to perform the `simple_query_string` parsed query + against. + in: query + name: search_fields + schema: + oneOf: + - type: string + - items: + type: string + type: array + - description: > + Determines which field is used to sort the results. The field must + exist in the `attributes` key of the response. + in: query + name: sort_field + schema: + type: string + - description: Determines the sort order. + example: asc + in: query + name: sort_order + schema: + default: desc + enum: + - asc + - desc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: '#/components/schemas/Alerting_alert_response_properties' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get a paginated set of alerts + tags: + - alerting + /api/alerts/alerts/_health: + get: + deprecated: true + description: Deprecated in 7.13.0. Use the get alerting framework health API instead. + operationId: legacyGetAlertingHealth + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + alertingFrameworkHealth: + description: > + Three substates identify the health of the alerting + framework: `decryptionHealth`, `executionHealth`, and + `readHealth`. + type: object + properties: + decryptionHealth: + description: The timestamp and status of the alert decryption. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + executionHealth: + description: The timestamp and status of the alert execution. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + readHealth: + description: The timestamp and status of the alert reading events. + type: object + properties: + status: + enum: + - error + - ok + - warn + example: ok + type: string + timestamp: + example: '2023-01-13T01:28:00.280Z' + format: date-time + type: string + hasPermanentEncryptionKey: + description: >- + If `false`, the encrypted saved object plugin does not + have a permanent encryption key. + example: true + type: boolean + isSufficientlySecure: + description: If `false`, security is enabled but TLS is not. + example: true + type: boolean + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get the alerting framework health + tags: + - alerting + /api/alerts/alerts/list_alert_types: + get: + deprecated: true + description: Deprecated in 7.13.0. Use the get rule types API instead. + operationId: legacyGetAlertTypes + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + actionGroups: + description: > + An explicit list of groups for which the alert type can + schedule actions, each with the action group's unique ID + and human readable name. Alert actions validation uses + this configuration to ensure that groups are valid. + items: + type: object + properties: + id: + type: string + name: + type: string + type: array + actionVariables: + description: > + A list of action variables that the alert type makes + available via context and state in action parameter + templates, and a short human readable description. The + Alert UI will use this information to prompt users for + these variables in action parameter editors. + type: object + properties: + context: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + params: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + state: + items: + type: object + properties: + description: + type: string + name: + type: string + type: array + authorizedConsumers: + description: >- + The list of the plugins IDs that have access to the + alert type. + type: object + defaultActionGroupId: + description: The default identifier for the alert type group. + type: string + enabledInLicense: + description: >- + Indicates whether the rule type is enabled based on the + subscription. + type: boolean + id: + description: The unique identifier for the alert type. + type: string + isExportable: + description: >- + Indicates whether the alert type is exportable in Saved + Objects Management UI. + type: boolean + minimumLicenseRequired: + description: The subscriptions required to use the alert type. + type: string + name: + description: The descriptive name of the alert type. + type: string + producer: + description: >- + An identifier for the application that produces this + alert type. + type: string + recoveryActionGroup: + description: > + An action group to use when an alert instance goes from + an active state to an inactive one. If it is not + specified, the default recovered action group is used. + type: object + properties: + id: + type: string + name: + type: string + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Alerting_401_response' + description: Authorization information is missing or invalid. + summary: Get the alert types + tags: + - alerting + /api/apm/agent_keys: + post: + description: Create a new agent key for APM. + operationId: createAgentKey + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + type: string + privileges: + items: + enum: + - event:write + - config_agent:read + type: string + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + description: Agent key created successfully + summary: Create an APM agent key + tags: + - APM agent keys + /api/apm/services/{serviceName}/annotation: + post: + description: Create a new annotation for a specific service. + operationId: createAnnotation + parameters: + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + '@timestamp': + type: string + message: + type: string + service: + type: object + properties: + environment: + type: string + version: + type: string + tags: + items: + type: string + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _id: + type: string + _index: + type: string + _source: + type: object + properties: + '@timestamp': + type: string + annotation: + type: string + event: + type: object + properties: + created: + type: string + message: + type: string + service: + type: object + properties: + environment: + type: string + name: + type: string + version: + type: string + tags: + items: + type: string + type: array + description: Annotation created successfully + summary: Create a service annotation + tags: + - APM annotations + /api/apm/services/{serviceName}/annotation/search: + get: + description: Search for annotations related to a specific service. + operationId: getAnnotation + parameters: + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + - description: The environment to filter annotations by + in: query + name: environment + required: false + schema: + type: string + - description: The start date for the search + in: query + name: start + required: false + schema: + type: string + - description: The end date for the search + in: query + name: end + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + annotations: + items: + type: object + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + description: Successful response + summary: Search for annotations + tags: + - APM annotations + /api/asset_criticality: + delete: + description: Delete the asset criticality record for a specific asset if it exists. + operationId: DeleteAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IdField + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + deleted: + description: >- + True if the record was deleted or false if the record did + not exist. + type: boolean + record: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete Criticality Record + tags: + - Security Solution Entity Analytics API + get: + description: Get the criticality record for a specific asset. + operationId: GetAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IdField + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get Criticality Record + tags: + - Security Solution Entity Analytics API + post: + description: Create or update a criticality record for a specific asset. + operationId: CreateAssetCriticalityRecord + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + refresh: + description: >- + If 'wait_for' the request will wait for the index + refresh. + enum: + - wait_for + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + summary: Upsert Criticality Record + tags: + - Security Solution Entity Analytics API + /api/asset_criticality/bulk: + post: + description: >- + Bulk upsert up to 1000 asset criticality records, creating or updating + them as needed. + operationId: BulkUpsertAssetCriticalityRecords + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 + type: object + properties: + records: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + maxItems: 1000 + minItems: 1 + type: array + required: + - records + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem + type: array + stats: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadStats + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk Upsert Asset Criticality Records + tags: + - Security Solution Entity Analytics API + /api/asset_criticality/list: + get: + description: List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords + parameters: + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - \@timestamp + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Bulk upload successful + summary: List Asset Criticality Records + tags: + - Security Solution Entity Analytics API + /api/cases: + delete: + description: > + You must have `read` or `all` privileges and the `delete` sub-feature + privilege for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_ids' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Delete cases + tags: + - cases + patch: + description: > + You must have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the + Kibana feature privileges, depending on the owner of the case you're + updating. + operationId: updateCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateCaseRequest: + $ref: '#/components/examples/Cases_update_case_request' + schema: + $ref: '#/components/schemas/Cases_update_case_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateCaseResponse: + $ref: '#/components/examples/Cases_update_case_response' + schema: + items: + $ref: '#/components/schemas/Cases_case_response_properties' + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Update cases + tags: + - cases + post: + description: > + You must have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the + Kibana feature privileges, depending on the owner of the case you're + creating. + operationId: createCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createCaseRequest: + $ref: '#/components/examples/Cases_create_case_request' + schema: + $ref: '#/components/schemas/Cases_create_case_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createCaseResponse: + $ref: '#/components/examples/Cases_create_case_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Create a case + tags: + - cases + /api/cases/_find: + get: + description: > + You must have `read` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the cases you're seeking. + operationId: findCasesDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_assignees' + - $ref: '#/components/parameters/Cases_category' + - $ref: '#/components/parameters/Cases_defaultSearchOperator' + - $ref: '#/components/parameters/Cases_from' + - $ref: '#/components/parameters/Cases_owner' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_reporters' + - $ref: '#/components/parameters/Cases_search' + - $ref: '#/components/parameters/Cases_searchFields' + - $ref: '#/components/parameters/Cases_severity' + - $ref: '#/components/parameters/Cases_sortField' + - $ref: '#/components/parameters/Cases_sort_order' + - $ref: '#/components/parameters/Cases_status' + - $ref: '#/components/parameters/Cases_tags' + - $ref: '#/components/parameters/Cases_to' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + findCaseResponse: + $ref: '#/components/examples/Cases_find_case_response' + schema: + type: object + properties: + cases: + items: + $ref: '#/components/schemas/Cases_case_response_properties' + maxItems: 10000 + type: array + count_closed_cases: + type: integer + count_in_progress_cases: + type: integer + count_open_cases: + type: integer + page: + type: integer + per_page: + type: integer + total: + type: integer + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Search cases + tags: + - cases + /api/cases/{caseId}: + get: + description: > + You must have `read` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the case you're seeking. + operationId: getCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_includeComments' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getDefaultCaseResponse: + $ref: '#/components/examples/Cases_get_case_response' + getDefaultObservabilityCaseReponse: + $ref: '#/components/examples/Cases_get_case_observability_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get case information + tags: + - cases + /api/cases/{caseId}/alerts: + get: + description: > + You must have `read` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the cases you're seeking. + operationId: getCaseAlertsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getCaseAlertsResponse: + $ref: '#/components/examples/Cases_get_case_alerts_response' + schema: + items: + $ref: '#/components/schemas/Cases_alert_response_properties' + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get all alerts for a case + tags: + - cases + x-technical-preview: true + /api/cases/{caseId}/comments: + delete: + description: > + Deletes all comments and alerts from a case. You must have `all` + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Delete all case comments and alerts + tags: + - cases + get: + deprecated: true + description: > + Deprecated in 8.1.0. This API is deprecated and will be removed in a + future release; instead, use the get case comment API, which requires a + comment identifier in the path. You must have `read` privileges for the + **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on the + owner of the cases with the comments you're seeking. + operationId: getAllCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get all case comments + tags: + - cases + patch: + description: > + You must have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the case you're updating. + NOTE: You cannot change the comment type or the owner of a comment. + operationId: updateCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateCaseCommentRequest: + $ref: '#/components/examples/Cases_update_comment_request' + schema: + $ref: '#/components/schemas/Cases_update_case_comment_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateCaseCommentResponse: + $ref: '#/components/examples/Cases_update_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Update a case comment or alert + tags: + - cases + post: + description: > + You must have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the case you're creating. + NOTE: Each case can have a maximum of 1,000 alerts. + operationId: addCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createCaseCommentRequest: + $ref: '#/components/examples/Cases_add_comment_request' + schema: + $ref: '#/components/schemas/Cases_add_case_comment_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createCaseCommentResponse: + $ref: '#/components/examples/Cases_add_comment_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Add a case comment or alert + tags: + - cases + /api/cases/{caseId}/comments/_find: + get: + description: > + Retrieves a paginated list of comments for a case. You must have `read` + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases with the comments you're + seeking. + operationId: findCaseCommentsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_sort_order' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Find case comments and alerts + tags: + - cases + /api/cases/{caseId}/comments/{commentId}: + delete: + description: > + You must have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the cases you're deleting. + operationId: deleteCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_comment_id' + responses: + '204': + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Delete a case comment or alert + tags: + - cases + get: + description: > + You must have `read` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the cases with the + comments you're seeking. + operationId: getCaseCommentDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_comment_id' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getCaseCommentResponse: + $ref: '#/components/examples/Cases_get_comment_response' + schema: + oneOf: + - $ref: >- + #/components/schemas/Cases_alert_comment_response_properties + - $ref: >- + #/components/schemas/Cases_user_comment_response_properties + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get a case comment or alert + tags: + - cases + /api/cases/{caseId}/connector/{connectorId}/_push: + post: + description: > + You must have `all` privileges for the **Actions and Connectors** + feature in the **Management** section of the Kibana feature privileges. + You must also have `all` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the case you're pushing. + operationId: pushCaseDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_connector_id' + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + nullable: true + type: object + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + pushCaseResponse: + $ref: '#/components/examples/Cases_push_case_response' + schema: + $ref: '#/components/schemas/Cases_case_response_properties' + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Push a case to an external service + tags: + - cases + /api/cases/{caseId}/user_actions: + get: + deprecated: true + description: > + Returns all user activity for a case. Deprecated in 8.1.0. This API is + deprecated and will be removed in a future release; use the find user + actions API instead. You must have `read` privileges for the **Cases** + feature in the **Management**, **Observability**, or **Security** + section of the Kibana feature privileges, depending on the owner of the + case you're seeking. + operationId: getCaseActivityDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: '#/components/schemas/Cases_user_actions_response_properties' + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get case activity + tags: + - cases + /api/cases/{caseId}/user_actions/_find: + get: + description: > + Retrives a paginated list of user activity for a case. You must have + `read` privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the case you're seeking. + operationId: findCaseActivityDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_case_id' + - $ref: '#/components/parameters/Cases_page_index' + - $ref: '#/components/parameters/Cases_page_size' + - $ref: '#/components/parameters/Cases_sort_order' + - $ref: '#/components/parameters/Cases_user_action_types' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + findCaseActivityResponse: + $ref: '#/components/examples/Cases_find_case_activity_response' + schema: + type: object + properties: + page: + type: integer + perPage: + type: integer + total: + type: integer + userActions: + items: + $ref: >- + #/components/schemas/Cases_user_actions_find_response_properties + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Find case activity + tags: + - cases + /api/cases/alerts/{alertId}: + get: + description: > + You must have `read` privileges for the **Cases** feature in the + **Management**, **Observability**, or **Security** section of the Kibana + feature privileges, depending on the owner of the cases you're seeking. + operationId: getCasesByAlertDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_alert_id' + - $ref: '#/components/parameters/Cases_owner' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 + title: security_case + items: + type: object + properties: + id: + description: The case identifier. + type: string + title: + description: The case title. + type: string + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get cases for an alert + tags: + - cases + x-technical-preview: true + /api/cases/configure: + get: + description: > + Get setting details such as the closure type, custom fields, templatse, + and the default connector for cases. You must have `read` privileges for + the **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on + where the cases were created. + operationId: getCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getConfigurationResponse: + $ref: '#/components/examples/Cases_get_case_configuration_response' + schema: + items: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are + not used and are not propagated to individual cases, + therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want + a default connector, use `none`. To retrieve + connector IDs, use the find connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a + default connector, use `none`. To retrieve connector + names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the + `type` is `text`, the default value must be a + string. If the `type` is `toggle`, the default + value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower + case and composed only of a-z, 0-9, '_', and '-' + characters. It is used in API calls to refer to a + specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: >- + The custom field label that is displayed in the + case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If + `false`, the custom field can be set to null or + omitted when a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owners' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get case settings + tags: + - cases + post: + description: > + Case settings include external connection details, custom fields, and + templates. Connectors are used to interface with external systems. You + must create a connector before you can use it in your cases. If you set + a default connector, it is automatically selected when you create cases + in Kibana. If you use the create case API, however, you must still + specify all of the connector details. You must have `all` privileges for + the **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on + where you are creating cases. + operationId: setCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + setCaseConfigRequest: + $ref: '#/components/examples/Cases_set_case_configuration_request' + schema: + $ref: '#/components/schemas/Cases_set_case_configuration_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + setCaseConfigResponse: + $ref: '#/components/examples/Cases_set_case_configuration_response' + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not + used and are not propagated to individual cases, + therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a + default connector, use `none`. To retrieve connector + IDs, use the find connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a + default connector, use `none`. To retrieve connector + names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the `type` + is `text`, the default value must be a string. If + the `type` is `toggle`, the default value must be + boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower + case and composed only of a-z, 0-9, '_', and '-' + characters. It is used in API calls to refer to a + specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: >- + The custom field label that is displayed in the + case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If `false`, + the custom field can be set to null or omitted when + a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owners' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Add case settings + tags: + - cases + /api/cases/configure/{configurationId}: + patch: + description: > + Updates setting details such as the closure type, custom fields, + templates, and the default connector for cases. Connectors are used to + interface with external systems. You must create a connector before you + can use it in your cases. You must have `all` privileges for the + **Cases** feature in the **Management**, **Observability**, or + **Security** section of the Kibana feature privileges, depending on + where the case was created. + operationId: updateCaseConfigurationDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Cases_configuration_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateCaseConfigurationRequest: + $ref: '#/components/examples/Cases_update_case_configuration_request' + schema: + $ref: '#/components/schemas/Cases_update_case_configuration_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateCaseConfigurationResponse: + $ref: >- + #/components/examples/Cases_update_case_configuration_response + schema: + type: object + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not + used and are not propagated to individual cases, + therefore it is recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a + default connector, use `none`. To retrieve connector + IDs, use the find connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a + default connector, use `none`. To retrieve connector + names, use the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + created_at: + example: '2022-06-01T17:07:17.767Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + customFields: + description: Custom fields configuration details. + items: + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the `type` + is `text`, the default value must be a string. If + the `type` is `toggle`, the default value must be + boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower + case and composed only of a-z, 0-9, '_', and '-' + characters. It is used in API calls to refer to a + specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: >- + The custom field label that is displayed in the + case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If `false`, + the custom field can be set to null or omitted when + a case is created or updated. + type: boolean + type: array + error: + example: null + nullable: true + type: string + id: + example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + type: string + mappings: + items: + type: object + properties: + action_type: + example: overwrite + type: string + source: + example: title + type: string + target: + example: summary + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owners' + templates: + $ref: '#/components/schemas/Cases_templates' + updated_at: + example: '2022-06-01T19:58:48.169Z' + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzIwNzMsMV0= + type: string + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Update case settings + tags: + - cases + /api/cases/configure/connectors/_find: + get: + description: > + Get information about connectors that are supported for use in cases. + You must have `read` privileges for the **Actions and Connectors** + feature in the **Management** section of the Kibana feature privileges. + operationId: findCaseConnectorsDefaultSpace + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + findConnectorResponse: + $ref: '#/components/examples/Cases_find_connector_response' + schema: + items: + type: object + properties: + actionTypeId: + $ref: '#/components/schemas/Cases_connector_types' + config: + additionalProperties: true + type: object + properties: + apiUrl: + type: string + projectKey: + type: string + id: + type: string + isDeprecated: + type: boolean + isMissingSecrets: + type: boolean + isPreconfigured: + type: boolean + name: + type: string + referencedByCount: + type: integer + maxItems: 1000 + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get case connectors + tags: + - cases + /api/cases/reporters: + get: + description: > + Returns information about the users who opened cases. You must have read + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases. The API returns + information about the users as they existed at the time of the case + creation, including their name, full name, and email address. If any of + those details change thereafter or if a user is deleted, the information + returned by this API is unchanged. + operationId: getCaseReportersDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getReportersResponse: + $ref: '#/components/examples/Cases_get_reporters_response' + schema: + items: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get case creators + tags: + - cases + /api/cases/status: + get: + deprecated: true + description: > + Returns the number of cases that are open, closed, and in progress. + Deprecated in 8.1.0. This API is deprecated and will be removed in a + future release; use the find cases API instead. You must have `read` + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases you're seeking. + operationId: getCaseStatusDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + count_closed_cases: + type: integer + count_in_progress_cases: + type: integer + count_open_cases: + type: integer + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get case status summary + tags: + - cases + /api/cases/tags: + get: + description: > + Aggregates and returns a list of case tags. You must have read + privileges for the **Cases** feature in the **Management**, + **Observability**, or **Security** section of the Kibana feature + privileges, depending on the owner of the cases you're seeking. + operationId: getCaseTagsDefaultSpace + parameters: + - $ref: '#/components/parameters/Cases_owner' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getTagsResponse: + $ref: '#/components/examples/Cases_get_tags_response' + schema: + items: + type: string + maxItems: 10000 + type: array + description: Indicates a successful call. + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Cases_4xx_response' + description: Authorization information is missing or invalid. + summary: Get case tags + tags: + - cases + /api/data_views: + get: + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views + tags: + - data views + /api/data_views/data_view: + post: + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view + tags: + - data views + /api/data_views/data_view/{viewId}: + delete: + description: | + WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '204': + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a data view + tags: + - data views + get: + operationId: getDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a data view + tags: + - data views + post: + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + /api/data_views/data_view/{viewId}/fields: + post: + description: > + Update fields presentation metadata such as count, customLabel, + customDescription, and format. + operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' + schema: + type: object + properties: + fields: + description: The field object. + type: object + required: + - fields + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update data view fields metadata + tags: + - data views + /api/data_views/data_view/{viewId}/runtime_field: + post: + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + summary: Create a runtime field + tags: + - data views + put: + operationId: createUpdateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. + in: path + name: viewId + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: + delete: + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a runtime field from a data view + tags: + - data views + get: + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Get a runtime field + tags: + - data views + post: + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + /api/data_views/default: + get: + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getDefaultDataViewResponse: + $ref: >- + #/components/examples/Data_views_get_default_data_view_response + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view + tags: + - data views + post: + operationId: setDefaultDatailViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: > + The data view identifier. NOTE: The API does not validate + whether it is a valid identifier. Use `null` to unset the + default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + /api/data_views/swap_references: + post: + description: > + Changes saved object references from one data view identifier to + another. WARNING: Misuse can break large numbers of saved objects! + Practicing with a backup is recommended. + operationId: swapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + deleteStatus: + type: object + properties: + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Swap saved object references + tags: + - data views + /api/data_views/swap_references/_preview: + post: + description: > + Preview the impact of swapping saved object references from one data + view identifier to another. + operationId: previewSwapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + previewSwapDataViewRequest: + $ref: >- + #/components/examples/Data_views_preview_swap_data_view_request + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Preview a saved object reference swap + tags: + - data views + /api/detection_engine/index: + delete: + operationId: DeleteAlertsIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Not enough permissions response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: string + description: Index does not exist response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Delete an alerts index + tags: + - Security Solution Detections API + - Alert index API + get: + operationId: ReadAlertsIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + index_mapping_outdated: + nullable: true + type: boolean + name: + type: string + required: + - name + - index_mapping_outdated + description: Successful response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Not enough permissions response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Reads the alert index name if it exists + tags: + - Security Solution Detections API + - Alert index API + post: + operationId: CreateAlertsIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Not enough permissions response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Create an alerts index + tags: + - Security Solution Detections API + - Alert index API + /api/detection_engine/privileges: + get: + description: > + Retrieves whether or not the user is authenticated, and the user's + Kibana + + space and index privileges, which determine if the user can create an + + index for the Elastic Security alerts generated by + + detection engine rules. + operationId: ReadPrivileges + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Returns user privileges for the Kibana space + tags: + - Security Solution Detections API + - Privileges API + /api/detection_engine/rules: + delete: + description: Delete a detection rule using the `rule_id` or `id` field. + operationId: DeleteRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Delete a detection rule + tags: + - Security Solution Detections API + - Rules API + get: + description: Retrieve a detection rule using the `rule_id` or `id` field. + operationId: ReadRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Retrieve a detection rule + tags: + - Security Solution Detections API + - Rules API + patch: + description: >- + Update specific fields of an existing detection rule using the `rule_id` + or `id` field. + operationId: PatchRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePatchProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Patch a detection rule + tags: + - Security Solution Detections API + - Rules API + post: + description: Create a new detection rule. + operationId: CreateRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleCreateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Solution Detections API + - Rules API + put: + description: > + Update a detection rule using the `rule_id` or `id` field. The original + rule is replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. + operationId: UpdateRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleUpdateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Update a detection rule + tags: + - Security Solution Detections API + - Rules API + /api/detection_engine/rules/_bulk_action: + post: + description: >- + Apply a bulk action, such as bulk edit, duplicate, or delete, to + multiple detection rules. The bulk action is applied to all rules that + match the query or to the rules listed by their IDs. + operationId: PerformRulesBulkAction + parameters: + - description: Enables dry run mode for the request call. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDeleteRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDisableRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEnableRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkExportRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDuplicateRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkManualRuleRun + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditRules + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditActionResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkExportActionResponse + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Solution Detections API + - Bulk API + /api/detection_engine/rules/_bulk_create: + post: + deprecated: true + description: Create new detection rules in bulk. + operationId: BulkCreateRules + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleCreateProps + type: array + description: A JSON array of rules, where each rule contains the required fields. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. + summary: Create multiple detection rules + tags: + - Security Solution Detections API + - Bulk API + /api/detection_engine/rules/_bulk_delete: + delete: + deprecated: true + description: Delete detection rules in bulk. + operationId: BulkDeleteRules + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + type: array + description: >- + A JSON array of `id` or `rule_id` fields of the rules you want to + delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Delete multiple detection rules + tags: + - Security Solution Detections API + - Bulk API + post: + deprecated: true + description: Deletes multiple rules. + operationId: BulkDeleteRulesPost + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + type: array + description: >- + A JSON array of `id` or `rule_id` fields of the rules you want to + delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Delete multiple detection rules + tags: + - Security Solution Detections API + - Bulk API + /api/detection_engine/rules/_bulk_update: + patch: + deprecated: true + description: >- + Update specific fields of existing detection rules using the `rule_id` + or `id` field. + operationId: BulkPatchRules + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePatchProps + type: array + description: A JSON array of rules, where each rule contains the required fields. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. + summary: Patch multiple detection rules + tags: + - Security Solution Detections API + - Bulk API + put: + deprecated: true + description: > + Update multiple detection rules using the `rule_id` or `id` field. The + original rules are replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. + operationId: BulkUpdateRules + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleUpdateProps + type: array + description: >- + A JSON array where each element includes the `id` or `rule_id` field + of the rule you want to update and the fields you want to modify. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. + summary: Update multiple detection rules + tags: + - Security Solution Detections API + - Bulk API + /api/detection_engine/rules/_export: + post: + description: > + Export detection rules to an `.ndjson` file. The following configuration + items are also included in the `.ndjson` file: + + - Actions + + - Exception lists + + > info + + > You cannot export prebuilt rules. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: File name for saving the exported rules. + in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + nullable: true + type: object + properties: + objects: + description: >- + Array of `rule_id` fields. Exports all rules when + unspecified. + items: + type: object + properties: + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: An `.ndjson` file containing the returned rules. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules + tags: + - Security Solution Detections API + - Import/Export API + /api/detection_engine/rules/_find: + get: + description: >- + Retrieve a paginated list of detection rules. By default, the first page + is returned, with 20 results per page. + operationId: FindRules + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_FindRulesSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + summary: List all detection rules + tags: + - Security Solution Detections API + - Rules API + /api/detection_engine/rules/_import: + post: + description: > + Import detection rules from an `.ndjson` file, including actions and + exception lists. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - A link to the `.ndjson` file containing the rules. + operationId: ImportRules + parameters: + - description: >- + Determines whether existing rules with the same `rule_id` are + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing exception lists with the same `list_id` + are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing actions with the same + `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_WarningSchema + type: array + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + exceptions_errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules + tags: + - Security Solution Detections API + - Import/Export API + /api/detection_engine/rules/{id}/exceptions: + post: + description: Create exception items that apply to a single detection rule. + operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_RuleId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemProps + type: array + required: + - items + description: Rule exception list items + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Create rule exception list items + tags: + - Security Solution Exceptions API + /api/detection_engine/rules/prepackaged: + put: + description: Install and update all Elastic prebuilt detection rules and Timelines. + operationId: InstallPrebuiltRulesAndTimelines + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + rules_installed: + description: The number of rules installed + minimum: 0 + type: integer + rules_updated: + description: The number of rules updated + minimum: 0 + type: integer + timelines_installed: + description: The number of timelines installed + minimum: 0 + type: integer + timelines_updated: + description: The number of timelines updated + minimum: 0 + type: integer + required: + - rules_installed + - rules_updated + - timelines_installed + - timelines_updated + description: Indicates a successful call + summary: Install prebuilt detection rules and Timelines + tags: + - Security Solution Detections API + - Prebuilt Rules API + /api/detection_engine/rules/prepackaged/_status: + get: + description: >- + Retrieve the status of all Elastic prebuilt detection rules and + Timelines. + operationId: ReadPrebuiltRulesAndTimelinesStatus + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + rules_custom_installed: + description: The total number of custom rules + minimum: 0 + type: integer + rules_installed: + description: The total number of installed prebuilt rules + minimum: 0 + type: integer + rules_not_installed: + description: >- + The total number of available prebuilt rules that are not + installed + minimum: 0 + type: integer + rules_not_updated: + description: The total number of outdated prebuilt rules + minimum: 0 + type: integer + timelines_installed: + description: The total number of installed prebuilt timelines + minimum: 0 + type: integer + timelines_not_installed: + description: >- + The total number of available prebuilt timelines that are + not installed + minimum: 0 + type: integer + timelines_not_updated: + description: The total number of outdated prebuilt timelines + minimum: 0 + type: integer + required: + - rules_custom_installed + - rules_installed + - rules_not_installed + - rules_not_updated + - timelines_installed + - timelines_not_installed + - timelines_not_updated + description: Indicates a successful call + summary: Retrieve the status of prebuilt detection rules and Timelines + tags: + - Security Solution Detections API + - Prebuilt Rules API + /api/detection_engine/rules/preview: + post: + operationId: RulePreview + parameters: + - description: >- + Enables logging and returning in response ES queries, performed + during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + discriminator: + propertyName: type + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewLogs + type: array + previewId: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + required: + - logs + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Preview rule alerts generated on specified time range + tags: + - Security Solution Detections API + - Rule preview API + /api/detection_engine/signals/assignees: + post: + description: | + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + assignees: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertAssignees + description: Details about the assignees to assign and unassign. + ids: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertIds + description: List of alerts ids to assign and unassign passed assignees. + required: + - assignees + - ids + required: true + responses: + '200': + description: Indicates a successful call. + '400': + description: Invalid request. + summary: Assign and unassign users from detection alerts + tags: + - Security Solution Detections API + /api/detection_engine/signals/finalize_migration: + post: + description: > + Finalize successful migrations of detection alerts. This replaces the + original index's alias with the successfully migrated index's alias. + + The endpoint is idempotent; therefore, it can safely be used to poll a + given migration and, upon completion, + + finalize it. + operationId: FinalizeAlertsMigration + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + migration_ids: + items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to finalize + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MigrationFinalizationResult + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Finalize detection alert migrations + tags: + - Security Solution Detections API + - Alerts migration API + /api/detection_engine/signals/migration: + delete: + description: > + Migrations favor data integrity over shard size. Consequently, unused or + orphaned indices are artifacts of + + the migration process. A successful migration will result in both the + old and new indices being present. + + As such, the old, orphaned index can (and likely should) be deleted. + + + While you can delete these indices manually, + + the endpoint accomplishes this task by applying a deletion policy to the + relevant index, causing it to be deleted + + after 30 days. It also deletes other artifacts specific to the migration + implementation. + operationId: AlertsMigrationCleanup + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + migration_ids: + items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to cleanup + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MigrationCleanupResult + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Clean up detection alert migrations + tags: + - Security Solution Detections API + - Alerts migration API + post: + description: > + Initiate a migration of detection alerts. + + Migrations are initiated per index. While the process is neither + destructive nor interferes with existing data, it may be + resource-intensive. As such, it is recommended that you plan your + migrations accordingly. + operationId: CreateAlertsMigration + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - type: object + properties: + index: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + minItems: 1 + type: array + required: + - index + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsReindexOptions + description: Alerts migration parameters + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + indices: + items: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexMigrationSuccess + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexMigrationError + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SkippedAlertsIndexMigration + type: array + required: + - indices + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Initiate a detection alert migration + tags: + - Security Solution Detections API + - Alerts migration API + /api/detection_engine/signals/migration_status: + post: + description: >- + Retrieve indices that contain detection alerts of a particular age, + along with migration information for each of those indices. + operationId: ReadAlertsMigrationStatus + parameters: + - description: Maximum age of qualifying detection alerts + in: query + name: from + required: true + schema: + description: > + Time from which data is analyzed. For example, now-4200s means the + rule analyzes data from 70 minutes + + before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). + format: date-math + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + indices: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexMigrationStatus + type: array + required: + - indices + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Retrieve the status of detection alert migrations + tags: + - Security Solution Detections API + - Alerts migration API + /api/detection_engine/signals/search: + post: + description: Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + description: Elasticsearch query and aggregation request + type: object + properties: + _source: + oneOf: + - type: boolean + - type: string + - items: + type: string + type: array + aggs: + additionalProperties: true + type: object + fields: + items: + type: string + type: array + query: + additionalProperties: true + type: object + runtime_mappings: + additionalProperties: true + type: object + size: + minimum: 0 + type: integer + sort: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSort + track_total_hits: + type: boolean + description: Search and/or aggregation query + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Solution Detections API + - Alerts API + /api/detection_engine/signals/status: + post: + description: Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertsStatusByIds + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertsStatusByQuery + description: >- + An object containing desired status and explicit alert ids or a query + to select alerts + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Set a detection alert status + tags: + - Security Solution Detections API + - Alerts API + /api/detection_engine/signals/tags: + post: + description: | + And tags to detection alerts, and remove them from alerts. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertIds + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertTags + required: + - ids + - tags + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Solution Detections API + - Alerts API + /api/detection_engine/tags: + get: + description: List all unique tags from all detection rules. + operationId: ReadTags + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + description: Indicates a successful call + summary: List all detection rule tags + tags: + - Security Solution Detections API + - Tags API + /api/encrypted_saved_objects/_rotate_key: + post: + description: > + Superuser role required. + + + If a saved object cannot be decrypted using the primary encryption key, + then Kibana will attempt to decrypt it using the specified + decryption-only keys. In most of the cases this overhead is negligible, + but if you're dealing with a large number of saved objects and + experiencing performance issues, you may want to rotate the encryption + key. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: rotateEncryptionKey + parameters: + - description: > + Specifies a maximum number of saved objects that Kibana can process + in a single batch. Bulk key rotation is an iterative process since + Kibana may not be able to fetch and process all required saved + objects in one go and splits processing into consequent batches. By + default, the batch size is 10000, which is also a maximum allowed + value. + in: query + name: batch_size + required: false + schema: + default: 10000 + type: number + - description: > + Limits encryption key rotation only to the saved objects with the + specified type. By default, Kibana tries to rotate the encryption + key for all saved object types that may contain encrypted + attributes. + in: query + name: type + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + rotateEncryptionKeyResponse: + $ref: '#/components/examples/Saved_objects_key_rotation_response' + schema: + type: object + properties: + failed: + description: > + Indicates the number of the saved objects that were still + encrypted with one of the old encryption keys that Kibana + failed to re-encrypt with the primary key. + type: number + successful: + description: > + Indicates the total number of all encrypted saved objects + (optionally filtered by the requested `type`), regardless + of the key Kibana used for encryption. + + + NOTE: In most cases, `total` will be greater than + `successful` even if `failed` is zero. The reason is that + Kibana may not need or may not be able to rotate + encryption keys for all encrypted saved objects. + type: number + total: + description: > + Indicates the total number of all encrypted saved objects + (optionally filtered by the requested `type`), regardless + of the key Kibana used for encryption. + type: number + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + '429': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Already in progress. + summary: Rotate a key for encrypted saved objects + tags: + - saved objects + /api/endpoint_list: + post: + description: >- + Create an endpoint exception list, which groups endpoint exception list + items. If an endpoint exception list already exists, an empty response + is returned. + operationId: CreateEndpointList + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an endpoint exception list + tags: + - Security Solution Endpoint Exceptions API + /api/endpoint_list/items: + delete: + description: >- + Delete an endpoint exception list item using the `id` or `item_id` + field. + operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Delete an endpoint exception list item + tags: + - Security Solution Endpoint Exceptions API + get: + description: >- + Get the details of an endpoint exception list item using the `id` or + `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get an endpoint exception list item + tags: + - Security Solution Endpoint Exceptions API + post: + description: >- + Create an endpoint exception list item, and associate it with the + endpoint exception list. + operationId: CreateEndpointListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item already exists + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an endpoint exception list item + tags: + - Security Solution Endpoint Exceptions API + put: + description: >- + Update an endpoint exception list item using the `id` or `item_id` + field. + operationId: UpdateEndpointListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Update an endpoint exception list item + tags: + - Security Solution Endpoint Exceptions API + /api/endpoint_list/items/_find: + get: + description: Get a list of all endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_FindEndpointListItemsFilter + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get endpoint exception list items + tags: + - Security Solution Endpoint Exceptions API + /api/endpoint/action: + get: + description: Get a list of all response actions. + operationId: EndpointGetActionsList + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetEndpointActionListRouteQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get response actions + tags: + - Security Solution Endpoint Management API + /api/endpoint/action_log/{agent_id}: + get: + deprecated: true + description: Get an action request log for the specified agent ID. + operationId: EndpointGetActionLog + parameters: + - in: path + name: agent_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionLogRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get an action request log + tags: + - Security Solution Endpoint Management API + /api/endpoint/action_status: + get: + description: Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + agent_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionStatusSuccessResponse + description: OK + summary: Get response actions status + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/{action_id}: + get: + description: Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - in: path + name: action_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get action details + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}: + get: + description: Get information for the specified file using the file ID. + operationId: EndpointFileInfo + parameters: + - in: path + name: action_id + required: true + schema: + type: string + - in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get file information + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: Download a file from an endpoint. + operationId: EndpointFileDownload + parameters: + - in: path + name: action_id + required: true + schema: + type: string + - in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Download a file + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/execute: + post: + description: Run a shell command on an endpoint. + operationId: EndpointExecuteAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ExecuteRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Run a command + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/get_file: + post: + description: Get a file from an endpoint. + operationId: EndpointGetFileAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetFileRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get a file + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/isolate: + post: + description: >- + Isolate an endpoint from the network. The endpoint remains isolated + until it's released. + operationId: EndpointIsolateAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_IsolateRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Isolate an endpoint + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/kill_process: + post: + description: Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_KillProcessRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Terminate a process + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/running_procs: + post: + description: Get a list of all processes running on an endpoint. + operationId: EndpointGetProcessesAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetProcessesRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get running processes + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/scan: + post: + description: Scan a specific file or directory on an endpoint for malware. + operationId: EndpointScanAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ScanRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Scan a file or directory + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/state: + get: + description: >- + Get a response actions state, which reports whether encryption is + enabled. + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionStateSuccessResponse + description: OK + summary: Get actions state + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/suspend_process: + post: + description: Suspend a running process on an endpoint. + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuspendProcessRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Suspend a process + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/unisolate: + post: + description: Release an isolated endpoint, allowing it to rejoin a network. + operationId: EndpointUnisolateAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UnisolateRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Release an isolated endpoint + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/upload: + post: + description: Upload a file to an endpoint. + operationId: EndpointUploadAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UploadRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Upload a file + tags: + - Security Solution Endpoint Management API + /api/endpoint/isolate: + post: + deprecated: true + description: > + Isolate an endpoint from the network. + + > info + + > This URL will return a 308 permanent redirect to `POST :/api/endpoint/action/isolate`. + operationId: EndpointIsolateRedirect + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + '308': + description: Permanent Redirect + headers: + Location: + description: Permanently redirects to "/api/endpoint/action/isolate" + schema: + example: /api/endpoint/action/isolate + type: string + summary: Isolate an endpoint + tags: + - Security Solution Endpoint Management API + /api/endpoint/metadata: + get: + operationId: GetEndpointMetadataList + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ListRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get a metadata list + tags: + - Security Solution Endpoint Management API + /api/endpoint/metadata/{id}: + get: + operationId: GetEndpointMetadata + parameters: + - in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get metadata + tags: + - Security Solution Endpoint Management API + /api/endpoint/metadata/transforms: + get: + operationId: GetEndpointMetadataTransform + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get metadata transforms + tags: + - Security Solution Endpoint Management API + /api/endpoint/policy_response: + get: + operationId: GetPolicyResponse + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + agentId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get a policy response + tags: + - Security Solution Endpoint Management API + /api/endpoint/policy/summaries: + get: + deprecated: true + operationId: GetAgentPolicySummary + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + package_name: + type: string + policy_id: + nullable: true + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get an agent policy summary + tags: + - Security Solution Endpoint Management API + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + operationId: GetProtectionUpdatesNote + parameters: + - in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: OK + summary: Get a protection updates note + tags: + - Security Solution Endpoint Management API + post: + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + note: + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: OK + summary: Create or update a protection updates note + tags: + - Security Solution Endpoint Management API + /api/endpoint/suggestions/{suggestion_type}: + post: + operationId: GetEndpointSuggestions + parameters: + - in: path + name: suggestion_type + required: true + schema: + enum: + - eventFilters + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + field: + type: string + fieldMeta: {} + filters: {} + query: + type: string + required: + - parameters + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get suggestions + tags: + - Security Solution Endpoint Management API + /api/endpoint/unisolate: + post: + deprecated: true + description: > + Release an isolated endpoint, allowing it to rejoin a network. + + > info + + > This URL will return a 308 permanent redirect to `POST :/api/endpoint/action/unisolate`. + operationId: EndpointUnisolateRedirect + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + '308': + description: Permanent Redirect + headers: + Location: + description: Permanently redirects to "/api/endpoint/action/unisolate" + schema: + example: /api/endpoint/action/unisolate + type: string + summary: Release an isolated endpoint + tags: + - Security Solution Endpoint Management API + /api/entity_store/engines: + get: + operationId: ListEntityStoreEngines + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + count: + type: integer + engines: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EngineDescriptor + type: array + description: Successful response + summary: List the Entity Store engines + tags: + - Security Solution Entity Analytics API + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityStore + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + - description: Control flag to also delete the entity data. + in: query + name: data + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + deleted: + type: boolean + description: Successful response + summary: Delete the Entity Store engine + tags: + - Security Solution Entity Analytics API + get: + operationId: GetEntityStoreEngine + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EngineDescriptor + description: Successful response + summary: Get the Entity Store engine + tags: + - Security Solution Entity Analytics API + /api/entity_store/engines/{entityType}/init: + post: + operationId: InitEntityStore + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + filter: + type: string + indexPattern: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IndexPattern + description: Schema for the engine initialization + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EngineDescriptor + description: Successful response + summary: Initialize the Entity Store + tags: + - Security Solution Entity Analytics API + /api/entity_store/engines/{entityType}/start: + post: + operationId: StartEntityStore + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + started: + type: boolean + description: Successful response + summary: Start the Entity Store engine + tags: + - Security Solution Entity Analytics API + /api/entity_store/engines/{entityType}/stats: + post: + operationId: GetEntityStoreStats + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + indexPattern: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IndexPattern + indices: + items: + type: object + type: array + status: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EngineStatus + transforms: + items: + type: object + type: array + type: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + description: Successful response + summary: Get the Entity Store engine stats + tags: + - Security Solution Entity Analytics API + /api/entity_store/engines/{entityType}/stop: + post: + operationId: StopEntityStore + parameters: + - description: The entity type of the store (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + stopped: + type: boolean + description: Successful response + summary: Stop the Entity Store engine + tags: + - Security Solution Entity Analytics API + /api/entity_store/entities/list: + get: + description: List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - in: query + name: sort_field + required: false + schema: + type: string + - in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. + in: query + name: filterQuery + required: false + schema: + type: string + - in: query + name: entities_types + required: true + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + inspect: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_InspectQuery + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_Entity + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities + tags: + - Security Solution Entity Analytics API + /api/exception_lists: + delete: + description: Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Delete an exception list + tags: + - Security Solution Exceptions API + get: + description: Get the details of an exception list using the `id` or `list_id` field. + operationId: ReadExceptionList + parameters: + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Get exception list details + tags: + - Security Solution Exceptions API + post: + description: > + An exception list groups exception items and can be associated with + detection rules. You can assign detection rules with multiple exception + lists. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + default: 1 + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Create an exception list + tags: + - Security Solution Exceptions API + put: + description: Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Update an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_duplicate: + post: + description: Duplicate an existing exception list. + operationId: DuplicateExceptionList + parameters: + - description: Exception list's human identifier + in: query + name: list_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list to duplicate not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Duplicate an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_export: + post: + description: Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList + parameters: + - description: Exception list's identifier + in: query + name: id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Exception list's human identifier + in: query + name: list_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: >- + A `.ndjson` file containing specified exception list and its + items + format: binary + type: string + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Export an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_find: + get: + description: Get a list of all exception lists. + operationId: FindExceptionLists + parameters: + - description: > + Filters the returned results according to the value of the specified + field. + + + Uses the `so type.field name:field` value syntax, where `so type` + can be: + + + - `exception-list`: Specify a space-aware exception list. + + - `exception-list-agnostic`: Specify an exception list that is + shared across spaces. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_FindExceptionListsFilter + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + minimum: 1 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Get exception lists + tags: + - Security Solution Exceptions API + /api/exception_lists/_import: + post: + description: Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList + parameters: + - description: > + Determines whether existing exception lists with the same `list_id` + are overwritten. + + If any exception items have the same `item_id`, those are also + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: > + Determines whether the list being imported will have a new `list_id` + generated. + + Additional `item_id`'s are generated for each exception item. Both + the exception + + list and its items are overwritten. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + errors: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListsImportBulkErrorArray + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean + required: + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Import an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/items: + delete: + description: Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Delete an exception list item + tags: + - Security Solution Exceptions API + get: + description: >- + Get the details of an exception list item using the `id` or `item_id` + field. + operationId: ReadExceptionListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Get an exception list item + tags: + - Security Solution Exceptions API + post: + description: > + Create an exception item and associate it with the specified exception + list. + + > info + + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - list_id + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Create an exception list item + tags: + - Security Solution Exceptions API + put: + description: Update an exception list item using the `id` or `item_id` field. + operationId: UpdateExceptionListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_UpdateExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Update an exception list item + tags: + - Security Solution Exceptions API + /api/exception_lists/items/_find: + get: + description: Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + type: array + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query + name: filter + required: false + schema: + default: [] + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_FindExceptionListItemsFilter + type: array + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + type: array + - in: query + name: search + required: false + schema: + type: string + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_NonEmptyString + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Get exception list items + tags: + - Security Solution Exceptions API + /api/exception_lists/summary: + get: + description: Get a summary of the specified exception list. + operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Exception list's human readable identifier + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Get an exception list summary + tags: + - Security Solution Exceptions API + /api/exceptions/shared: + post: + description: > + An exception list groups exception items and can be associated with + detection rules. A shared exception list can apply to multiple detection + rules. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + required: + - name + - description + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Create a shared exception list + tags: + - Security Solution Exceptions API + /api/fleet/agent_download_sources: + get: + operationId: get-download-sources + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_download_sources' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent binary download sources + tags: + - Elastic Agent binary download sources + post: + operationId: post-download-sources + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + type: string + id: + type: string + is_default: + type: boolean + name: + type: string + required: + - name + - host + - is_default + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_download_sources' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent binary download source + tags: + - Elastic Agent binary download sources + /api/fleet/agent_download_sources/{sourceId}: + delete: + operationId: delete-download-source + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent binary download source by ID + tags: + - Elastic Agent binary download sources + get: + operationId: get-one-download-source + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_download_sources' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent binary download source by ID + tags: + - Elastic Agent binary download sources + parameters: + - in: path + name: sourceId + required: true + schema: + type: string + put: + operationId: update-download-source + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + type: string + is_default: + type: boolean + name: + type: string + required: + - name + - is_default + - host + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_download_sources' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update agent binary download source by ID + tags: + - Elastic Agent binary download sources + /api/fleet/agent_policies: + get: + description: '' + operationId: agent-policy-list + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_format' + - description: >- + When set to true, retrieve the related package policies for each + agent policy. + in: query + name: full + schema: + type: boolean + - description: >- + When set to true, do not count how many agents are in the agent + policy, this can improve performance if you are searching over a + large number of agent policies. The "agents" property will always be + 0 if set to true. + in: query + name: noAgentCount + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_agent_policy' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent policies + tags: + - Elastic Agent policies + post: + operationId: create-agent-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_policy_create_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent policy + tags: + - Elastic Agent policies + /api/fleet/agent_policies/_bulk_get: + post: + operationId: bulk-get-agent-policies + parameters: + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + full: + description: get full policies with package policies populated + type: boolean + ids: + description: list of agent policy ids + items: + type: string + type: array + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_agent_policy' + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get agent policies + tags: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}: + get: + description: Get one agent policy + operationId: agent-policy-info + parameters: [] + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent policy by ID + tags: + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - $ref: '#/components/parameters/Fleet_format' + put: + operationId: update-agent-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_policy_update_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update agent policy by ID + tags: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}/copy: + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - $ref: '#/components/parameters/Fleet_format' + post: + operationId: agent-policy-copy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + type: string + name: + type: string + required: + - name + description: '' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Copy agent policy by ID + tags: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + operationId: agent-policy-download + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Download agent policy by ID + tags: + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: download + required: false + schema: + type: string + - in: query + name: standalone + required: false + schema: + type: string + - in: query + name: kubernetes + required: false + schema: + type: string + /api/fleet/agent_policies/{agentPolicyId}/full: + get: + operationId: agent-policy-full + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + oneOf: + - type: string + - $ref: '#/components/schemas/Fleet_agent_policy_full' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get full agent policy by ID + tags: + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: download + required: false + schema: + type: string + - in: query + name: standalone + required: false + schema: + type: string + - in: query + name: kubernetes + required: false + schema: + type: string + /api/fleet/agent_policies/delete: + parameters: [] + post: + operationId: delete-agent-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + agentPolicyId: + type: string + force: + description: >- + bypass validation checks that can prevent agent policy + deletion + type: boolean + required: + - agentPolicyId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + success: + type: boolean + required: + - id + - success + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent policy by ID + tags: + - Elastic Agent policies + /api/fleet/agent_status: + get: + operationId: get-agent-status + parameters: + - in: query + name: policyId + required: false + schema: + type: string + - deprecated: true + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + active: + type: integer + all: + type: integer + error: + type: integer + events: + type: integer + inactive: + type: integer + offline: + type: integer + online: + type: integer + other: + type: integer + total: + deprecated: true + type: integer + unenrolled: + type: integer + updating: + type: integer + required: + - active + - all + - error + - events + - inactive + - offline + - online + - other + - total + - updating + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent status summary + tags: + - Elastic Agent status + /api/fleet/agent_status/data: + get: + operationId: get-agent-data + parameters: + - in: query + name: agentsIds + required: true + schema: + items: + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + additionalProperties: + type: object + properties: + data: + type: boolean + type: object + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get incoming agent data + tags: + - Elastic Agent status + /api/fleet/agent-status: + get: + deprecated: true + operationId: get-agent-status-deprecated + parameters: + - in: query + name: policyId + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: integer + events: + type: integer + inactive: + type: integer + offline: + type: integer + online: + type: integer + other: + type: integer + total: + type: integer + updating: + type: integer + required: + - error + - events + - inactive + - offline + - online + - other + - total + - updating + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent status summary + tags: + - Elastic Agent status + /api/fleet/agents: + get: + operationId: get-agents + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_show_inactive' + - $ref: '#/components/parameters/Fleet_show_upgradeable' + - $ref: '#/components/parameters/Fleet_sort_field' + - $ref: '#/components/parameters/Fleet_sort_order' + - $ref: '#/components/parameters/Fleet_with_metrics' + - in: query + name: getStatusSummary + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_agents_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agents + tags: + - Elastic Agents + post: + operationId: get-agents-by-actions + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionIds: + items: + type: string + type: array + required: + - policy_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_get_by_actions' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agents by action ids + tags: + - Elastic Agents + /api/fleet/agents/{agentId}: + delete: + operationId: delete-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent by ID + tags: + - Elastic Agents + get: + operationId: get-agent + parameters: + - $ref: '#/components/parameters/Fleet_with_metrics' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent by ID + tags: + - Elastic Agents + parameters: + - in: path + name: agentId + required: true + schema: + type: string + put: + operationId: update-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + tags: + items: + type: string + type: array + user_provided_metadata: + type: object + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update agent by ID + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/actions: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: new-agent-action + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + $ref: '#/components/schemas/Fleet_agent_action' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + items: + type: number + type: array + headers: + type: string + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent action + tags: + - Elastic Agent actions + /api/fleet/agents/{agentId}/reassign: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: reassign-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + policy_id: + type: string + required: + - policy_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Reassign agent + tags: + - Elastic Agents + put: + deprecated: true + operationId: reassign-agent-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + policy_id: + type: string + required: + - policy_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Reassign agent + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/request_diagnostics: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: request-diagnostics-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + additional_metrics: + items: + oneOf: + - enum: + - CPU + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Request agent diagnostics + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/unenroll: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: unenroll-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + revoke: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: OK + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + enum: + - 400 + type: number + description: BAD REQUEST + summary: Unenroll agent + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/upgrade: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: upgrade-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_upgrade_agent' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_upgrade_agent' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Upgrade agent + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/uploads: + get: + operationId: list-agent-uploads + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + properties: + item: + items: + $ref: '#/components/schemas/Fleet_agent_diagnostics' + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent uploads + tags: + - Elastic Agents + parameters: + - in: path + name: agentId + required: true + schema: + type: string + /api/fleet/agents/action_status: + get: + operationId: agents-action-status + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - in: query + name: errorSize + schema: + default: 5 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + actionId: + type: string + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + latestErrors: + description: >- + latest errors that happened when the agents executed + the action + items: + type: object + properties: + agentId: + type: string + error: + type: string + timestamp: + type: string + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: string + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - POLICY_REASSIGN + - UPGRADE + - UNENROLL + - FORCE_UNENROLL + - UPDATE_TAGS + - CANCEL + - REQUEST_DIAGNOSTICS + - SETTINGS + - POLICY_CHANGE + - INPUT_ACTION + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - complete + - nbAgentsActioned + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - status + - creationTime + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent action status + tags: + - Elastic Agent actions + /api/fleet/agents/actions/{actionId}/cancel: + parameters: + - in: path + name: actionId + required: true + schema: + type: string + post: + operationId: agent-action-cancel + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_action' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Cancel agent action + tags: + - Elastic Agent actions + /api/fleet/agents/bulk_reassign: + post: + operationId: bulk-reassign-agents + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' + policy_id: policy_id + schema: + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + policy_id: + description: new agent policy id + type: string + required: + - policy_id + - agents + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk reassign agents + tags: + - Elastic Agents + /api/fleet/agents/bulk_request_diagnostics: + post: + operationId: bulk-request-diagnostics + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' + schema: + type: object + properties: + additional_metrics: + items: + oneOf: + - enum: + - CPU + type: string + type: array + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + batchSize: + type: number + required: + - agents + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk request diagnostics from agents + tags: + - Elastic Agents + /api/fleet/agents/bulk_unenroll: + post: + operationId: bulk-unenroll-agents + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + force: false + revoke: true + schema: + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: >- + When passing agents by KQL query, unenrolls inactive agents + too + type: boolean + revoke: + description: Revokes API keys of agents + type: boolean + required: + - agents + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk unenroll agents + tags: + - Elastic Agents + /api/fleet/agents/bulk_update_agent_tags: + post: + operationId: bulk-update-agent-tags + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + tagsToAdd: + - newTag + tagsToRemove: + - existingTag + schema: + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + batchSize: + type: number + tagsToAdd: + items: + type: string + type: array + tagsToRemove: + items: + type: string + type: array + required: + - agents + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk update agent tags + tags: + - Elastic Agents + /api/fleet/agents/bulk_upgrade: + post: + operationId: bulk-upgrade-agents + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + rollout_duration_seconds: 3600 + source_uri: https://artifacts.elastic.co/downloads/beats/elastic-agent + start_time: '2022-08-03T14:00:00.000Z' + version: 8.4.0 + schema: + $ref: '#/components/schemas/Fleet_bulk_upgrade_agents' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk upgrade agents + tags: + - Elastic Agents + /api/fleet/agents/files/{fileId}: + delete: + operationId: delete-agent-upload-file + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + properties: + deleted: + type: boolean + id: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete file uploaded by agent + tags: + - Elastic Agents + parameters: + - in: path + name: fileId + required: true + schema: + type: string + /api/fleet/agents/files/{fileId}/{fileName}: + get: + operationId: get-agent-upload-file + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + properties: + items: + type: object + properties: + body: {} + headers: {} + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get file uploaded by agent + tags: + - Elastic Agents + parameters: + - in: path + name: fileId + required: true + schema: + type: string + - in: path + name: fileName + required: true + schema: + type: string + /api/fleet/agents/setup: + get: + operationId: get-agents-setup-status + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_status_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent setup info + tags: + - Elastic Agents + post: + operationId: setup-agents + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + admin_password: + type: string + admin_username: + type: string + required: + - admin_username + - admin_password + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_setup_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Initiate agent setup + tags: + - Elastic Agents + /api/fleet/agents/tags: + get: + operationId: get-agent-tags + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_agent_tags_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent tags + tags: + - Elastic Agents + /api/fleet/data_streams: + get: + operationId: data-streams-list + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data_streams: + items: + $ref: '#/components/schemas/Fleet_data_stream' + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List data streams + tags: + - Data streams + parameters: [] + /api/fleet/enrollment_api_keys: + get: + operationId: get-enrollment-api-keys + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - page + - perPage + - total + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List enrollment API keys + tags: + - Fleet enrollment API keys + post: + operationId: create-enrollment-api-keys + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + description: The name of the enrollment API key. Must be unique. + type: string + policy_id: + description: >- + The ID of the agent policy the Elastic Agent will be + enrolled in. + type: string + required: + - policy_id + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create enrollment API key + tags: + - Fleet enrollment API keys + /api/fleet/enrollment_api_keys/{keyId}: + delete: + operationId: delete-enrollment-api-key + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Revoke enrollment API key by ID by marking it as inactive + tags: + - Fleet enrollment API keys + get: + operationId: get-enrollment-api-key + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get enrollment API key by ID + tags: + - Fleet enrollment API keys + parameters: + - in: path + name: keyId + required: true + schema: + type: string + /api/fleet/enrollment-api-keys: + get: + deprecated: true + operationId: get-enrollment-api-keys-deprecated + parameters: [] + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - page + - perPage + - total + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List enrollment API keys + tags: + - Fleet enrollment API keys + post: + deprecated: true + operationId: create-enrollment-api-keys-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create enrollment API key + tags: + - Fleet enrollment API keys + /api/fleet/enrollment-api-keys/{keyId}: + delete: + deprecated: true + operationId: delete-enrollment-api-key-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete enrollment API key by ID + tags: + - Fleet enrollment API keys + get: + deprecated: true + operationId: get-enrollment-api-key-deprecated + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get enrollment API key by ID + tags: + - Fleet enrollment API keys + parameters: + - in: path + name: keyId + required: true + schema: + type: string + /api/fleet/epm/bulk_assets: + post: + operationId: bulk-get-assets + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + assetIds: + description: list of items necessary to fetch assets + items: + type: object + properties: + id: + type: string + type: + type: string + type: array + required: + - assetIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_bulk_assets_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get assets + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/categories: + get: + operationId: get-package-categories + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_categories_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List package categories + tags: + - Elastic Package Manager (EPM) + parameters: + - description: >- + Whether to include prerelease packages in categories count (e.g. beta, + rc, preview) + in: query + name: prerelease + schema: + default: false + type: boolean + - deprecated: true + in: query + name: experimental + schema: + default: false + type: boolean + - in: query + name: include_policy_templates + schema: + default: false + type: boolean + /api/fleet/epm/packages: + get: + operationId: list-all-packages + parameters: + - description: >- + Whether to exclude the install status of each package. Enabling this + option will opt in to caching for the response via `cache-control` + headers. If you don't need up-to-date installation info for a + package, and are querying for a list of available packages, + providing this flag can improve performance substantially. + in: query + name: excludeInstallStatus + schema: + default: false + type: boolean + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + - deprecated: true + in: query + name: experimental + schema: + default: false + type: boolean + - in: query + name: category + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_packages_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List packages + tags: + - Elastic Package Manager (EPM) + post: + description: '' + operationId: install-package-by-upload + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/gzip; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + application/zip; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _meta: + type: object + properties: + install_source: + enum: + - upload + - registry + - bundled + type: string + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '429': + $ref: '#/components/responses/Fleet_error' + summary: Install by package by direct upload + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/_bulk: + post: + operationId: bulk-install-packages + parameters: + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + description: force install to ignore package verification errors + type: boolean + packages: + description: list of packages to install + items: + oneOf: + - description: package name + type: string + - type: object + properties: + name: + description: package name + type: string + version: + description: package version + type: string + type: array + required: + - packages + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_bulk_install_packages_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk install packages + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgkey}: + delete: + deprecated: true + operationId: delete-package-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgkey + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete ackage + tags: + - Elastic Package Manager (EPM) + get: + deprecated: true + operationId: get-package-deprecated + parameters: + - in: path + name: pkgkey + required: true + schema: + type: string + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - properties: + response: + $ref: '#/components/schemas/Fleet_package_info' + - properties: + savedObject: + type: string + status: + enum: + - installed + - installing + - install_failed + - not_installed + type: string + required: + - status + - savedObject + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package + tags: + - Elastic Package Manager (EPM) + post: + deprecated: true + description: '' + operationId: install-package-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgkey + required: true + schema: + type: string + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Install package + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: + delete: + operationId: delete-package + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: delete package even if policies used by agents + in: query + name: force + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + deprecated: true + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package + tags: + - Elastic Package Manager (EPM) + get: + operationId: get-package + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - properties: + item: + $ref: '#/components/schemas/Fleet_package_info' + - properties: + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + licensePath: + type: string + notice: + type: string + savedObject: + deprecated: true + type: object + status: + enum: + - installed + - installing + - install_failed + - not_installed + type: string + required: + - status + - savedObject + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: Ignore if the package is fails signature verification + in: query + name: ignoreUnverified + schema: + type: boolean + - description: >- + Return all fields from the package manifest, not just those supported + by the Elastic Package Registry + in: query + name: full + schema: + type: boolean + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + post: + description: '' + operationId: install-package + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + ignore_constraints: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _meta: + type: object + properties: + install_source: + enum: + - registry + - upload + - bundled + type: string + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Install package + tags: + - Elastic Package Manager (EPM) + put: + description: '' + operationId: update-package + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + keepPoliciesUpToDate: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + operationId: packages-get-file + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + headers: + type: object + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package file + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: path + name: filePath + required: true + schema: + type: string + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + post: + description: '' + operationId: reauthorize-transforms + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: >- + Whether to include prerelease packages in categories count (e.g. + beta, rc, preview) + in: query + name: prerelease + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + transforms: + items: + type: object + properties: + transformId: + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + error: + type: string + success: + type: boolean + transformId: + type: string + required: + - transformId + - error + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Authorize transforms + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/stats: + get: + operationId: get-package-stats + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + $ref: '#/components/schemas/Fleet_package_usage_stats' + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package stats + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + /api/fleet/epm/packages/limited: + get: + operationId: list-limited-packages + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: string + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get limited package list + tags: + - Elastic Package Manager (EPM) + parameters: [] + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + get: + operationId: get-inputs-template + responses: + '200': + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get inputs template + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: Format of response - json or yaml + in: query + name: format + schema: + enum: + - json + - yaml + - yml + type: string + - description: Specify if version is prerelease + in: query + name: prerelease + schema: + type: boolean + - description: Ignore if the package is fails signature verification + in: query + name: ignoreUnverified + schema: + type: boolean + /api/fleet/epm/verification_key_id: + get: + operationId: packages-get-verification-key-id + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + properties: + id: + description: >- + the key ID of the GPG key used to verify package + signatures + nullable: true + type: string + headers: + type: object + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package signature verification key ID + tags: + - Elastic Package Manager (EPM) + parameters: [] + /api/fleet/fleet_server_hosts: + get: + operationId: get-fleet-server-hosts + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_fleet_server_host' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List Fleet Server hosts + tags: + - Fleet Server hosts + post: + operationId: post-fleet-server-hosts + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host_urls: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this fleet server host. See + the proxies API for more information. + type: string + required: + - name + - host_urls + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create Fleet Server host + tags: + - Fleet Server hosts + /api/fleet/fleet_server_hosts/{itemId}: + delete: + operationId: delete-fleet-server-hosts + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete Fleet Server host by ID + tags: + - Fleet Server hosts + get: + operationId: get-one-fleet-server-hosts + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get Fleet Server host by ID + tags: + - Fleet Server hosts + parameters: + - in: path + name: itemId + required: true + schema: + type: string + put: + operationId: update-fleet-server-hosts + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host_urls: + items: + type: string + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this fleet server host. See + the proxies API for more information. + nullable: true + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update Fleet Server host by ID + tags: + - Fleet Server hosts + /api/fleet/health_check: + post: + operationId: fleet-server-health-check + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + deprecated: true + type: string + id: + type: string + required: + - id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + deprecated: true + type: string + id: + description: Fleet Server host id + type: string + status: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Fleet Server health check + tags: + - Fleet internals + /api/fleet/kubernetes: + get: + operationId: get-full-k8s-manifest + parameters: + - in: query + name: download + required: false + schema: + type: boolean + - in: query + name: fleetServer + required: false + schema: + type: string + - in: query + name: enrolToken + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get full K8s agent manifest + tags: + - Fleet Kubernetes + /api/fleet/logstash_api_keys: + post: + operationId: generate-logstash-api-key + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + api_key: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Generate Logstash API key + tags: + - Fleet outputs + /api/fleet/outputs: + get: + operationId: get-outputs + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_output_create_request' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List outputs + tags: + - Fleet outputs + post: + operationId: post-outputs + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_output_create_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_create_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create output + tags: + - Fleet outputs + /api/fleet/outputs/{outputId}: + delete: + operationId: delete-output + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete output by ID + tags: + - Fleet outputs + get: + operationId: get-output + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_create_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get output by ID + tags: + - Fleet outputs + parameters: + - in: path + name: outputId + required: true + schema: + type: string + put: + operationId: update-output + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_output_update_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_update_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update output by ID + tags: + - Fleet outputs + /api/fleet/outputs/{outputId}/health: + get: + operationId: get-output-health + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get latest output health + tags: + - Fleet outputs + parameters: + - in: path + name: outputId + required: true + schema: + type: string + /api/fleet/package_policies: + get: + operationId: get-package-policies + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_format' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List package policies + tags: + - Fleet package policies + parameters: [] + post: + operationId: create-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_package_policy_request' + description: >- + You should use inputs as an object and not use the deprecated inputs + array. + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '409': + $ref: '#/components/responses/Fleet_error' + summary: Create package policy + tags: + - Fleet package policies + /api/fleet/package_policies/_bulk_get: + post: + operationId: bulk-get-package-policies + parameters: + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + description: list of package policy ids + items: + type: string + type: array + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get package policies + tags: + - Fleet package policies + /api/fleet/package_policies/{packagePolicyId}: + delete: + operationId: delete-package-policy + parameters: + - in: query + name: force + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package policy by ID + tags: + - Fleet package policies + get: + operationId: get-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_format' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package policy by ID + tags: + - Fleet package policies + parameters: + - in: path + name: packagePolicyId + required: true + schema: + type: string + put: + operationId: update-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_package_policy_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + sucess: + type: boolean + required: + - item + - sucess + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update package policy by ID + tags: + - Fleet package policies + /api/fleet/package_policies/delete: + post: + operationId: post-delete-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + packagePolicyIds: + items: + type: string + type: array + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + type: string + name: + type: string + success: + type: boolean + required: + - id + - success + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package policy + tags: + - Fleet package policies + /api/fleet/package_policies/upgrade: + post: + operationId: upgrade-package-policy + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + packagePolicyIds: + items: + type: string + type: array + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + type: string + name: + type: string + success: + type: boolean + required: + - id + - success + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '409': + $ref: '#/components/responses/Fleet_error' + summary: Upgrade package policy to a newer package version + tags: + - Fleet package policies + /api/fleet/package_policies/upgrade/dryrun: + post: + operationId: upgrade-package-policy-dry-run + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + packagePolicyIds: + items: + type: string + type: array + packageVersion: + type: string + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + agent_diff: + $ref: '#/components/schemas/Fleet_upgrade_agent_diff' + diff: + $ref: '#/components/schemas/Fleet_upgrade_diff' + hasErrors: + type: boolean + required: + - hasErrors + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Dry run package policy upgrade + tags: + - Fleet package policies + /api/fleet/proxies: + get: + operationId: get-fleet-proxies + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_proxies' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List proxies + tags: + - Fleet proxies + post: + operationId: post-fleet-proxies + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + id: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + required: + - name + - url + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create proxy + tags: + - Fleet proxies + /api/fleet/proxies/{itemId}: + delete: + operationId: delete-fleet-proxies + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete proxy by ID + tags: + - Fleet proxies + get: + operationId: get-one-fleet-proxies + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get proxy by ID + tags: + - Fleet proxies + parameters: + - in: path + name: itemId + required: true + schema: + type: string + put: + operationId: update-fleet-proxies + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update proxy by ID + tags: + - Fleet proxies + /api/fleet/service_tokens: + post: + operationId: generate-service-token + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + type: string + value: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create service token + tags: + - Fleet service tokens + /api/fleet/service-tokens: + post: + deprecated: true + operationId: generate-service-token-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + type: string + value: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create service token + tags: + - Fleet service tokens + /api/fleet/settings: + get: + operationId: get-settings + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_settings_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get settings + tags: + - Fleet internals + put: + operationId: update-settings + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + additional_yaml_config: + type: string + fleet_server_hosts: + description: Protocol and path must be the same for each URL + items: + type: string + type: array + has_seen_add_data_notice: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_settings_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update settings + tags: + - Fleet internals + /api/fleet/setup: + post: + operationId: setup + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_setup_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + description: Internal Server Error + summary: Initiate Fleet setup + tags: + - Fleet internals + /api/fleet/uninstall_tokens: + get: + operationId: get-uninstall-tokens + parameters: + - description: The number of items to return + in: query + name: perPage + required: false + schema: + default: 20 + minimum: 5 + type: integer + - $ref: '#/components/parameters/Fleet_page_index' + - description: Partial match filtering for policy IDs + in: query + name: policyId + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + created_at: + type: string + id: + type: string + policy_id: + type: string + required: + - id + - policy_id + - created_at + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List metadata for latest uninstall tokens per agent policy + tags: + - Fleet uninstall tokens + /api/fleet/uninstall_tokens/{uninstallTokenId}: + get: + operationId: get-uninstall-token + parameters: + - in: path + name: uninstallTokenId + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: object + properties: + created_at: + type: string + id: + type: string + policy_id: + type: string + token: + type: string + required: + - id + - token + - policy_id + - created_at + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get one decrypted uninstall token by its ID + tags: + - Fleet uninstall tokens + /api/lists: + delete: + description: | + Delete a list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - in: query + name: deleteReferences + required: false + schema: + default: false + type: boolean + - in: query + name: ignoreReferences + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Delete a list + tags: + - Security Solution Lists API + get: + description: Get the details of a list using the list ID. + operationId: ReadList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get list details + tags: + - Security Solution Lists API + patch: + description: Update specific fields of an existing list using the list ID. + operationId: PatchList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Patch a list + tags: + - Security Solution Lists API + post: + description: Create a new list. + operationId: CreateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + serializer: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Create a list + tags: + - Security Solution Lists API + put: + description: > + Update a list using the list ID. The original list is replaced, and all + unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + - name + - description + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Update a list + tags: + - Security Solution Lists API + /api/lists/_find: + get: + description: >- + Get a paginated subset of lists. By default, the first page is returned, + with 20 results per page. + operationId: FindLists + parameters: + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of lists to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_FindListsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_FindListsFilter' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListsCursor + data: + items: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get lists + tags: + - Security Solution Lists API + /api/lists/index: + delete: + description: Delete the `.lists` and `.items` data streams. + operationId: DeleteListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Delete list data streams + tags: + - Security Solution Lists API + get: + description: Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + list_index: + type: boolean + list_item_index: + type: boolean + required: + - list_index + - list_item_index + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream(s) not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get status of list data streams + tags: + - Security Solution Lists API + post: + description: Create `.lists` and `.items` data streams in the relevant space. + operationId: CreateListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Create list data streams + tags: + - Security Solution Lists API + /api/lists/items: + delete: + description: Delete a list item using its `id`, or its `list_id` and `value` fields. + operationId: DeleteListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + - items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Delete a list item + tags: + - Security Solution Lists API + get: + description: Get the details of a list item. + operationId: ReadListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + - items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get a list item + tags: + - Security Solution Lists API + patch: + description: Update specific fields of an existing list item using the list item ID. + operationId: PatchListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + refresh: + description: >- + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - id + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Patch a list item + tags: + - Security Solution Lists API + post: + description: > + Create a list item and associate it with the specified list. + + + All list items in the same list must be the same type. For example, each + list item in an `ip` list must define a specific IP address. + + > info + + > Before creating a list item, you must create a list. + operationId: CreateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + refresh: + description: >- + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - list_id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Create a list item + tags: + - Security Solution Lists API + put: + description: > + Update a list item using the list item ID. The original list item is + replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Update a list item + tags: + - Security Solution Lists API + /api/lists/items/_export: + post: + description: Export list item values from the specified list. + operationId: ExportListItems + parameters: + - description: List's id to export + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: A `.txt` file containing list items from the specified list + format: binary + type: string + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Export list items + tags: + - Security Solution Lists API + /api/lists/items/_find: + get: + description: Get all list items in the specified list. + operationId: FindListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of list items to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsCursor + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsFilter + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsCursor + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get list items + tags: + - Security Solution Lists API + /api/lists/items/_import: + post: + description: > + Import list items from a TXT or CSV file. The maximum file size is 9 + million bytes. + + + You can import items to a new or existing list. + operationId: ImportListItems + parameters: + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: > + Type of the importing list. + + + Required when importing a new list that is `list_id` is not + specified. + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + - in: query + name: serializer + required: false + schema: + type: string + - in: query + name: deserializer + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + type: string + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: >- + A `.txt` or `.csv` file containing newline separated list + items + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List with specified list_id does not exist response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Import list items + tags: + - Security Solution Lists API + /api/lists/privileges: + get: + operationId: ReadListPrivileges + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemPrivileges + lists: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListPrivileges + required: + - lists + - listItems + - is_authenticated + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get list privileges + tags: + - Security Solution Lists API + /api/ml/saved_objects/sync: + get: + description: > + Synchronizes Kibana saved objects for machine learning jobs and trained + models in the default space. You must have `all` privileges for the + **Machine Learning** feature in the **Analytics** section of the Kibana + feature privileges. This API runs automatically when you start Kibana + and periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync saved objects in the default space + tags: + - ml + /api/note: + delete: + description: Delete a note from a Timeline using the note ID. + operationId: DeleteNote + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + type: string + required: + - noteId + - type: object + properties: + noteIds: + items: + type: string + nullable: true + type: array + required: + - noteIds + description: The ID of the note to delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + description: Indicates the note was successfully deleted. + summary: Delete a note + tags: + - Security Solution Timeline API + - access:securitySolution + get: + description: Get all notes for a given document. + operationId: GetNotes + parameters: + - in: query + name: documentIds + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_DocumentIds' + - in: query + name: page + schema: + nullable: true + type: number + - in: query + name: perPage + schema: + nullable: true + type: number + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: sortField + schema: + nullable: true + type: string + - in: query + name: sortOrder + schema: + nullable: true + type: string + - in: query + name: filter + schema: + nullable: true + type: string + responses: + '200': + description: Indicates the requested notes were returned. + summary: Get notes + tags: + - Security Solution Timeline API + - access:securitySolution + patch: + description: Add a note to a Timeline or update an existing note. + operationId: PersistNoteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + eventDataView: + nullable: true + type: string + eventIngested: + nullable: true + type: string + eventTimestamp: + nullable: true + type: string + note: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + noteId: + nullable: true + type: string + overrideOwner: + nullable: true + type: boolean + version: + nullable: true + type: string + required: + - note + description: The note to add or update, along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistNote: + type: object + properties: + code: + type: number + message: + type: string + note: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_Note + required: + - code + - message + - note + required: + - persistNote + required: + - data + description: Indicates the note was successfully created. + summary: Add or update a note + tags: + - Security Solution Timeline API + - access:securitySolution + /api/osquery/live_queries: + get: + description: Get a list of all live queries. + operationId: OsqueryFindLiveQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindLiveQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live queries + tags: + - Security Solution Osquery API + post: + description: Create and run a live query. + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreateLiveQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a live query + tags: + - Security Solution Osquery API + /api/osquery/live_queries/{id}: + get: + description: Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: query + name: query + schema: + additionalProperties: true + type: object + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query details + tags: + - Security Solution Osquery API + /api/osquery/live_queries/{id}/results/{actionId}: + get: + description: Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: path + name: actionId + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_GetLiveQueryResultsRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query results + tags: + - Security Solution Osquery API + /api/osquery/packs: + get: + description: Get a list of all query packs. + operationId: OsqueryFindPacks + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindPacksRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get packs + tags: + - Security Solution Osquery API + post: + description: Create a query pack. + operationId: OsqueryCreatePacks + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreatePacksRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a pack + tags: + - Security Solution Osquery API + /api/osquery/packs/{id}: + delete: + description: Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete a pack + tags: + - Security Solution Osquery API + get: + description: Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get pack details + tags: + - Security Solution Osquery API + put: + description: | + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_UpdatePacksRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update a pack + tags: + - Security Solution Osquery API + /api/osquery/saved_queries: + get: + description: Get a list of all saved queries. + operationId: OsqueryFindSavedQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindSavedQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get saved queries + tags: + - Security Solution Osquery API + post: + description: Create and run a saved query. + operationId: OsqueryCreateSavedQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a saved query + tags: + - Security Solution Osquery API + /api/osquery/saved_queries/{id}: + delete: + description: Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete a saved query + tags: + - Security Solution Osquery API + get: + description: Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get saved query details + tags: + - Security Solution Osquery API + put: + description: | + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_UpdateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update a saved query + tags: + - Security Solution Osquery API + /api/pinned_event: + patch: + description: Pin an event to an existing Timeline. + operationId: PersistPinnedEventRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + eventId: + type: string + pinnedEventId: + nullable: true + type: string + timelineId: + type: string + required: + - eventId + - timelineId + description: The pinned event to add or update, along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistPinnedEventOnTimeline: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Timeline_API_PinnedEvent + - type: object + properties: + code: + type: number + message: + type: string + required: + - persistPinnedEventOnTimeline + required: + - data + description: Indicates the event was successfully pinned to the Timeline. + summary: Pin an event + tags: + - Security Solution Timeline API + - access:securitySolution + /api/risk_score/engine/schedule_now: + post: + operationId: ScheduleRiskEngineNow + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: {} + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_RiskEngineScheduleNowResponse + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse + description: Unexpected error + summary: Schedule the risk engine to run as soon as possible + tags: + - Security Solution Entity Analytics API + /api/saved_objects/_bulk_create: + post: + deprecated: true + operationId: bulkCreateSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: When true, overwrites the document with the same identifier. + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Create saved objects + tags: + - saved objects + /api/saved_objects/_bulk_delete: + post: + deprecated: true + description: | + WARNING: When you delete a saved object, it cannot be recovered. + operationId: bulkDeleteSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + When true, force delete objects that exist in multiple namespaces. + Note that the option applies to the whole request. Use the delete + object API to specify per-object deletion behavior. TIP: Use this if + you attempted to delete objects and received an HTTP 400 error with + the following message: "Unable to delete saved object that exists in + multiple namespaces, use the force option to delete it anyway". + WARNING: When you bulk delete objects that exist in multiple + namespaces, the API also deletes legacy url aliases that reference + the object. These requests are batched to minimise the impact but + they can place a heavy load on Kibana. Make sure you limit the + number of objects that exist in multiple namespaces in a single bulk + delete operation. + in: query + name: force + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Delete saved objects + tags: + - saved objects + /api/saved_objects/_bulk_get: + post: + deprecated: true + operationId: bulkGetSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Get saved objects + tags: + - saved objects + /api/saved_objects/_bulk_resolve: + post: + deprecated: true + description: > + Retrieve multiple Kibana saved objects by identifier using any legacy + URL aliases if they exist. Under certain circumstances when Kibana is + upgraded, saved object migrations may necessitate regenerating some + object IDs to enable new features. When an object's ID is regenerated, a + legacy URL alias is created for that object, preserving its old ID. In + such a scenario, that object can be retrieved by the bulk resolve API + using either its new ID or its old ID. + operationId: bulkResolveSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Resolve saved objects + tags: + - saved objects + /api/saved_objects/_bulk_update: + post: + deprecated: true + description: Update the attributes for multiple Kibana saved objects. + operationId: bulkUpdateSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Update saved objects + tags: + - saved objects + /api/saved_objects/_export: + post: + description: > + Retrieve sets of saved objects that you want to import into Kibana. + + You must include `type` or `objects` in the request body. + + + Exported saved objects are not backwards compatible and cannot be + imported into an older version of Kibana. + + + NOTE: The `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be exported. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: exportSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsRequest: + $ref: '#/components/examples/Saved_objects_export_objects_request' + schema: + type: object + properties: + excludeExportDetails: + default: false + description: Do not add export details entry at the end of the stream. + type: boolean + includeReferencesDeep: + description: >- + Includes all of the referenced objects in the exported + objects. + type: boolean + objects: + description: A list of objects to export. + items: + type: object + type: array + type: + description: >- + The saved object types to include in the export. Use `*` to + export all the types. + oneOf: + - type: string + - items: + type: string + type: array + required: true + responses: + '200': + content: + application/x-ndjson; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsResponse: + $ref: '#/components/examples/Saved_objects_export_objects_response' + schema: + additionalProperties: true + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Export saved objects + tags: + - saved objects + /api/saved_objects/_find: + get: + deprecated: true + description: Retrieve a paginated set of Kibana saved objects. + operationId: findSavedObjects + parameters: + - description: > + An aggregation structure, serialized as a string. The field format + is similar to filter, meaning that to use a saved object type + attribute in the aggregation, the `savedObjectType.attributes.title: + "myTitle"` format must be used. For root fields, the syntax is + `savedObjectType.rootField`. NOTE: As objects change in Kibana, the + results on each page of the response also change. Use the find API + for traditional paginated results, but avoid using it to export + large amounts of data. + in: query + name: aggs + schema: + type: string + - description: The default operator to use for the `simple_query_string`. + in: query + name: default_search_operator + schema: + type: string + - description: The fields to return in the attributes key of the response. + in: query + name: fields + schema: + oneOf: + - type: string + - type: array + - description: > + The filter is a KQL string with the caveat that if you filter with + an attribute from your saved object type, it should look like that: + `savedObjectType.attributes.title: "myTitle"`. However, if you use a + root attribute of a saved object such as `updated_at`, you will have + to define your filter like that: `savedObjectType.updated_at > + 2018-12-22`. + in: query + name: filter + schema: + type: string + - description: >- + Filters to objects that do not have a relationship with the type and + identifier combination. + in: query + name: has_no_reference + schema: + type: object + - description: >- + The operator to use for the `has_no_reference` parameter. Either + `OR` or `AND`. Defaults to `OR`. + in: query + name: has_no_reference_operator + schema: + type: string + - description: >- + Filters to objects that have a relationship with the type and ID + combination. + in: query + name: has_reference + schema: + type: object + - description: >- + The operator to use for the `has_reference` parameter. Either `OR` + or `AND`. Defaults to `OR`. + in: query + name: has_reference_operator + schema: + type: string + - description: The page of objects to return. + in: query + name: page + schema: + type: integer + - description: The number of objects to return per page. + in: query + name: per_page + schema: + type: integer + - description: >- + An Elasticsearch `simple_query_string` query that filters the + objects in the response. + in: query + name: search + schema: + type: string + - description: >- + The fields to perform the `simple_query_string` parsed query + against. + in: query + name: search_fields + schema: + oneOf: + - type: string + - type: array + - description: > + Sorts the response. Includes "root" and "type" fields. "root" fields + exist for all saved objects, such as "updated_at". "type" fields are + specific to an object type, such as fields returned in the + attributes key of the response. When a single type is defined in the + type parameter, the "root" and "type" fields are allowed, and + validity checks are made in that order. When multiple types are + defined in the type parameter, only "root" fields are allowed. + in: query + name: sort_field + schema: + type: string + - description: The saved object types to include. + in: query + name: type + required: true + schema: + oneOf: + - type: string + - type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Search for saved objects + tags: + - saved objects + /api/saved_objects/_import: + post: + description: > + Create sets of Kibana saved objects from a file created by the export + API. + + Saved objects can be imported only into the same version, a newer minor + on the same major, or the next major. Exported saved objects are not + backwards compatible and cannot be imported into an older version of + Kibana. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: importSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + Creates copies of saved objects, regenerates each object ID, and + resets the origin. When used, potential conflict errors are avoided. + NOTE: This option cannot be used with the `overwrite` and + `compatibilityMode` options. + in: query + name: createNewCopies + required: false + schema: + type: boolean + - description: > + Overwrites saved objects when they already exist. When used, + potential conflict errors are automatically resolved by overwriting + the destination object. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: overwrite + required: false + schema: + type: boolean + - description: > + Applies various adjustments to the saved objects that are being + imported to maintain compatibility between different Kibana + versions. Use this option only if you encounter issues with imported + saved objects. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: compatibilityMode + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + examples: + importObjectsRequest: + $ref: '#/components/examples/Saved_objects_import_objects_request' + schema: + type: object + properties: + file: + description: > + A file exported using the export API. NOTE: The + `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be included in + this file. Similarly, the + `savedObjects.maxImportPayloadBytes` setting limits the + overall size of the file that can be imported. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + importObjectsResponse: + $ref: '#/components/examples/Saved_objects_import_objects_response' + schema: + type: object + properties: + errors: + description: > + Indicates the import was unsuccessful and specifies the + objects that failed to import. + + + NOTE: One object may result in multiple errors, which + requires separate steps to resolve. For instance, a + `missing_references` error and conflict error. + items: + type: object + type: array + success: + description: > + Indicates when the import was successfully completed. When + set to false, some objects may not have been created. For + additional information, refer to the `errors` and + `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: integer + successResults: + description: > + Indicates the objects that are successfully imported, with + any metadata if applicable. + + + NOTE: Objects are created only when all resolvable errors + are addressed, including conflicts and missing references. + If objects are created as new copies, each entry in the + `successResults` array includes a `destinationId` + attribute. + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Import saved objects + tags: + - saved objects + x-codeSamples: + - label: Import with createNewCopies + lang: cURL + source: | + curl \ + -X POST api/saved_objects/_import?createNewCopies=true + -H "kbn-xsrf: true" + --form file=@file.ndjson + /api/saved_objects/_resolve_import_errors: + post: + description: > + To resolve errors from the Import objects API, you can: + + + * Retry certain saved objects + + * Overwrite specific saved objects + + * Change references to different saved objects + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: resolveImportErrors + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + Applies various adjustments to the saved objects that are being + imported to maintain compatibility between different Kibana + versions. When enabled during the initial import, also enable when + resolving import errors. This option cannot be used with the + `createNewCopies` option. + in: query + name: compatibilityMode + required: false + schema: + type: boolean + - description: > + Creates copies of the saved objects, regenerates each object ID, and + resets the origin. When enabled during the initial import, also + enable when resolving import errors. + in: query + name: createNewCopies + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + examples: + resolveImportErrorsRequest: + $ref: >- + #/components/examples/Saved_objects_resolve_missing_reference_request + schema: + type: object + properties: + file: + description: The same file given to the import API. + format: binary + type: string + retries: + description: >- + The retry operations, which can specify how to resolve + different types of errors. + items: + type: object + properties: + destinationId: + description: >- + Specifies the destination ID that the imported object + should have, if different from the current ID. + type: string + id: + description: The saved object ID. + type: string + ignoreMissingReferences: + description: >- + When set to `true`, ignores missing reference errors. + When set to `false`, does nothing. + type: boolean + overwrite: + description: >- + When set to `true`, the source object overwrites the + conflicting destination object. When set to `false`, + does nothing. + type: boolean + replaceReferences: + description: >- + A list of `type`, `from`, and `to` used to change the + object references. + items: + type: object + properties: + from: + type: string + to: + type: string + type: + type: string + type: array + type: + description: The saved object type. + type: string + required: + - type + - id + type: array + required: + - retries + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + resolveImportErrorsResponse: + $ref: >- + #/components/examples/Saved_objects_resolve_missing_reference_response + schema: + type: object + properties: + errors: + description: > + Specifies the objects that failed to resolve. + + + NOTE: One object can result in multiple errors, which + requires separate steps to resolve. For instance, a + `missing_references` error and a `conflict` error. + items: + type: object + type: array + success: + description: > + Indicates a successful import. When set to `false`, some + objects may not have been created. For additional + information, refer to the `errors` and `successResults` + properties. + type: boolean + successCount: + description: | + Indicates the number of successfully resolved records. + type: number + successResults: + description: > + Indicates the objects that are successfully imported, with + any metadata if applicable. + + + NOTE: Objects are only created when all resolvable errors + are addressed, including conflict and missing references. + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Resolve import errors + tags: + - saved objects + /api/saved_objects/{type}: + post: + deprecated: true + description: Create a Kibana saved object with a randomly generated identifier. + operationId: createSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: If true, overwrites the document with the same identifier. + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + attributes: + $ref: '#/components/schemas/Saved_objects_attributes' + initialNamespaces: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + references: + $ref: '#/components/schemas/Saved_objects_references' + required: + - attributes + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a conflict error. + summary: Create a saved object + tags: + - saved objects + /api/saved_objects/{type}/{id}: + get: + deprecated: true + description: Retrieve a single Kibana saved object by identifier. + operationId: getSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Get a saved object + tags: + - saved objects + post: + deprecated: true + description: >- + Create a Kibana saved object and specify its identifier instead of using + a randomly generated ID. + operationId: createSavedObjectId + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: If true, overwrites the document with the same identifier. + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + attributes: + $ref: '#/components/schemas/Saved_objects_attributes' + initialNamespaces: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + references: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + required: + - attributes + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a conflict error. + summary: Create a saved object + tags: + - saved objects + put: + deprecated: true + description: Update the attributes for Kibana saved objects. + operationId: updateSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates the object was not found. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a conflict error. + summary: Update a saved object + tags: + - saved objects + /api/saved_objects/resolve/{type}/{id}: + get: + deprecated: true + description: > + Retrieve a single Kibana saved object by identifier using any legacy URL + alias if it exists. Under certain circumstances, when Kibana is + upgraded, saved object migrations may necessitate regenerating some + object IDs to enable new features. When an object's ID is regenerated, a + legacy URL alias is created for that object, preserving its old ID. In + such a scenario, that object can be retrieved using either its new ID or + its old ID. + operationId: resolveSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Resolve a saved object + tags: + - saved objects + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: >- + Apply a bulk action to multiple anonymization fields. The bulk action is + applied to all anonymization fields that match the filter or to the list + of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of anonymization fields IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter anonymization fields + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Apply a bulk action to anonymization fields + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/anonymization_fields/_find: + get: + description: Get a list of all anonymization fields. + operationId: FindAnonymizationFields + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get anonymization fields + tags: + - Security AI Assistant API + - AnonymizationFields API + /api/security_ai_assistant/chat/complete: + post: + description: Create a model response for the given chat conversation. + operationId: ChatComplete + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true + responses: + '200': + content: + application/octet-stream; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Create a model response + tags: + - Security AI Assistant API + - Chat Complete API + /api/security_ai_assistant/current_user/conversations: + post: + description: Create a new Security AI Assistant conversation. + operationId: CreateConversation + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Create a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: Get a list of all conversations for the current user. + operationId: FindConversations + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Conversations per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get conversations + tags: + - Security AI Assistant API + - Conversations API + /api/security_ai_assistant/current_user/conversations/{id}: + delete: + description: Delete an existing conversation using the conversation ID. + operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Delete a conversation + tags: + - Security AI Assistant API + - Conversation API + get: + description: Get the details of an existing conversation using the conversation ID. + operationId: ReadConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get a conversation + tags: + - Security AI Assistant API + - Conversations API + put: + description: Update an existing conversation using the conversation ID. + operationId: UpdateConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Update a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: >- + Apply a bulk action to multiple prompts. The bulk action is applied to + all prompts that match the filter or to the list of prompts by their + IDs. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of prompts IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter promps + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Apply a bulk action to prompts + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/prompts/_find: + get: + description: Get a list of all prompts. + operationId: FindPrompts + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Prompts per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get prompts + tags: + - Security AI Assistant API + - Prompts API + /api/status: + get: + operationId: '%2Fapi%2Fstatus#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: Set to "true" to get the response in v7 format. + in: query + name: v7format + required: false + schema: + type: boolean + - description: Set to "true" to get the response in v8 format. + in: query + name: v8format + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. + description: Overall status is OK and Kibana should be functioning normally. + '503': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. + description: >- + Kibana or some of it's essential services are unavailable. Kibana + may be degraded or unavailable. + summary: Get Kibana's current status + tags: + - system + /api/timeline: + delete: + description: Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + savedObjectIds: + items: + type: string + type: array + searchIds: + description: >- + Saved search ids that should be deleted alongside the + timelines + items: + type: string + type: array + required: + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + deleteTimeline: + type: boolean + required: + - deleteTimeline + required: + - data + description: Indicates the Timeline was successfully deleted. + summary: Delete Timelines or Timeline templates + tags: + - Security Solution Timeline API + - access:securitySolution + get: + description: Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline + parameters: + - description: The ID of the template timeline to retrieve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the Timeline to retrieve. + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + getOneTimeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + nullable: true + required: + - getOneTimeline + required: + - data + description: Indicates that the (template) Timeline was found and returned. + summary: Get Timeline or Timeline template details + tags: + - Security Solution Timeline API + - access:securitySolution + patch: + description: >- + Update an existing Timeline. You can update the title, description, date + range, pinned events, pinned queries, and/or pinned saved queries of an + existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + timelineId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: >- + Indicates that the draft Timeline was successfully created. In the + event the user already has a draft Timeline, the existing draft + Timeline is cleared and returned. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates that the user does not have the required access to create + a draft Timeline. + summary: Update a Timeline + tags: + - Security Solution Timeline API + - access:securitySolution + post: + description: Create a new Timeline or Timeline template. + operationId: CreateTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + status: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineStatus + nullable: true + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + timelineId: + nullable: true + type: string + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + nullable: true + version: + nullable: true + type: string + required: + - timeline + description: >- + The required Timeline fields used to create a new Timeline, along with + optional fields that will be created if not provided. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - persistTimeline + required: + - data + description: Indicates the Timeline was successfully created. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/_draft: + get: + description: >- + Get the details of the draft Timeline or Timeline template for the + current user. If the user doesn't have a draft Timeline, an empty + Timeline is returned. + operationId: GetDraftTimelines + parameters: + - in: query + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: Indicates that the draft Timeline was successfully retrieved. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + If a draft Timeline was not found and we attempted to create one, it + indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + This should never happen, but if a draft Timeline was not found and + we attempted to create one, it indicates that there is already a + draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details + tags: + - Security Solution Timeline API + - access:securitySolution + post: + description: > + Create a clean draft Timeline or Timeline template for the current user. + + > info + + > If the user already has a draft Timeline, the existing draft Timeline + is cleared and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + required: + - timelineType + description: >- + The type of Timeline to create. Valid values are `default` and + `template`. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: >- + Indicates that the draft Timeline was successfully created. In the + event the user already has a draft Timeline, the existing draft + Timeline is cleared and returned. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that there is already a draft Timeline with the given + `timelineId`. + summary: Create a clean draft Timeline or Timeline template + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/_export: + post: + description: Export Timelines as an NDJSON file. + operationId: ExportTimelines + parameters: + - description: The name of the file to export + in: query + name: file_name + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + items: + type: string + nullable: true + type: array + description: The IDs of the Timelines to export. + required: true + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: NDJSON of the exported Timelines + type: string + description: Indicates the Timelines were successfully exported. + '400': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that the export size limit was exceeded. + summary: Export Timelines + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/_favorite: + patch: + description: Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true + type: string + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistFavorite: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResponse + required: + - persistFavorite + required: + - data + description: Indicates the favorite status was successfully updated. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the user does not have the required permissions to persist + the favorite status. + summary: Favorite a Timeline or Timeline template + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/_import: + post: + description: Import Timelines. + operationId: ImportTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Timeline_API_Readable + - type: object + properties: + hapi: + type: object + properties: + filename: + type: string + headers: + type: object + isImmutable: + enum: + - 'true' + - 'false' + type: string + required: + - filename + - headers + required: + - hapi + description: The Timelines to import as a readable stream. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelineResult + required: + - data + description: Indicates the import of Timelines was successful. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: + type: string + statusCode: + type: number + description: >- + Indicates the import of Timelines was unsuccessful because of an + invalid file extension. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + statusCode: + type: number + description: >- + Indicates that we were unable to locate the saved object client + necessary to handle the import. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: + type: string + statusCode: + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/_prepackaged: + post: + description: Install or update prepackaged Timelines. + operationId: InstallPrepackedTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + prepackagedTimelines: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + type: array + timelinesToInstall: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelines + nullable: true + type: array + timelinesToUpdate: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelines + nullable: true + type: array + required: + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelineResult + required: + - data + description: Indicates the installation of prepackaged Timelines was successful. + '500': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the installation of prepackaged Timelines was + unsuccessful. + summary: Install prepackaged Timelines + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timeline/resolve: + get: + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + getOneTimeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + nullable: true + required: + - getOneTimeline + required: + - data + description: The (template) Timeline has been found + '400': + description: The request is missing parameters + '404': + description: The (template) Timeline was not found + summary: Get an existing saved Timeline or Timeline template + tags: + - Security Solution Timeline API + - access:securitySolution + /api/timelines: + get: + description: Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines + parameters: + - description: >- + If true, only timelines that are marked as favorites by the user are + returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + nullable: true + - in: query + name: sort_field + schema: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SortFieldTimeline + - in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - in: query + name: page_size + schema: + nullable: true + type: string + - in: query + name: page_index + schema: + nullable: true + type: string + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: status + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + customTemplateTimelineCount: + type: number + defaultTimelineCount: + type: number + elasticTemplateTimelineCount: + type: number + favoriteCount: + type: number + templateTimelineCount: + type: number + timelines: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + type: array + totalCount: + type: number + required: + - timelines + - totalCount + - defaultTimelineCount + - templateTimelineCount + - favoriteCount + - elasticTemplateTimelineCount + - customTemplateTimelineCount + required: + - data + description: Indicates that the (template) Timelines were found and returned. + '400': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Bad request. The user supplied invalid data. + summary: Get Timelines or Timeline templates + tags: + - Security Solution Timeline API + - access:securitySolution + /s/{spaceId}/api/observability/slos: + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: findSlosOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' + in: query + name: kqlQuery + schema: + type: string + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 + in: query + name: page + schema: + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 + in: query + name: perPage + schema: + default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status + in: query + name: sortBy + schema: + default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining + type: string + - description: Sort order + example: asc + in: query + name: sortDirection + schema: + default: asc + enum: + - asc + - desc + type: string + - description: >- + Hide stale SLOs from the list as defined by stale SLO threshold in + SLO settings + in: query + name: hideStale + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_find_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs + tags: + - slo + post: + description: > + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: createSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + summary: Create an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/_delete_instances: + post: + description: > + The deletion occurs for the specified list of `sloId` and `instanceId`. + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloInstancesOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_delete_slo_instances_request' + required: true + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + summary: Batch delete rollup and summary data + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}: + delete: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Delete an SLO + tags: + - slo + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: getSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + - description: the specific instanceId used by the summary calculation + example: host-abcde + in: query + name: instanceId + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get an SLO + tags: + - slo + put: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: updateSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_update_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Update an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/_reset: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: resetSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Reset an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/disable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: disableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '200': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Disable an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/enable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: enableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Enable an SLO + tags: + - slo +components: + examples: + Alerting_get_health_response: + summary: Retrieve information about the health of the alerting framework. + value: + alerting_framework_health: + decryption_health: + status: ok + timestamp: '2023-01-13T01:28:00.280Z' + execution_health: + status: ok + timestamp: '2023-01-13T01:28:00.280Z' + read_health: + status: ok + timestamp: '2023-01-13T01:28:00.280Z' + has_permanent_encryption_key: true + is_sufficiently_secure: true + Alerting_get_rule_types_response: + summary: Retrieve rule types associated with Kibana machine learning features + value: + - action_groups: + - id: anomaly_score_match + name: Anomaly score matched the condition + - id: recovered + name: Recovered + action_variables: + context: + - description: The bucket timestamp of the anomaly + name: timestamp + - description: The bucket time of the anomaly in ISO8601 format + name: timestampIso8601 + - description: List of job IDs that triggered the alert + name: jobIds + - description: Alert info message + name: message + - description: Indicate if top hits contain interim results + name: isInterim + - description: Anomaly score at the time of the notification action + name: score + - description: Top records + name: topRecords + - description: Top influencers + name: topInfluencers + - description: URL to open in the Anomaly Explorer + name: anomalyExplorerUrl + useWithTripleBracesInTemplates: true + params: [] + state: [] + alerts: + context: ml.anomaly-detection + mappings: + fieldMap: + kibana.alert.anomaly_score: + array: false + type: double + required: false + kibana.alert.anomaly_timestamp: + array: false + type: date + required: false + kibana.alert.is_interim: + array: false + type: boolean + required: false + kibana.alert.job_id: + array: false + type: keyword + required: true + kibana.alert.top_influencers: + array: true + dynamic: false + type: object + properties: + influencer_field_name: + type: keyword + influencer_field_value: + type: keyword + influencer_score: + type: double + initial_influencer_score: + type: double + is_interim: + type: boolean + job_id: + type: keyword + timestamp: + type: date + required: false + kibana.alert.top_records: + array: true + dynamic: false + type: object + properties: + actual: + type: double + by_field_name: + type: keyword + by_field_value: + type: keyword + detector_index: + type: integer + field_name: + type: keyword + function: + type: keyword + initial_record_score: + type: double + is_interim: + type: boolean + job_id: + type: keyword + over_field_name: + type: keyword + over_field_value: + type: keyword + partition_field_name: + type: keyword + partition_field_value: + type: keyword + record_score: + type: double + timestamp: + type: date + typical: + type: double + required: false + shouldWrite: true + authorized_consumers: + alerts: + all: true + read: true + apm: + all: true + read: true + discover: + all: true + read: true + infrastructure: + all: true + read: true + logs: + all: true + read: true + ml: + all: true + read: true + monitoring: + all: true + read: true + siem: + all: true + read: true + slo: + all: true + read: true + stackAlerts: + all: true + read: true + uptime: + all: true + read: true + category: management + default_action_group_id: anomaly_score_match + does_set_recovery_context: true + enabled_in_license: true + has_alerts_mappings: true + has_fields_for_a_a_d: false + id: xpack.ml.anomaly_detection_alert + is_exportable: true + minimum_license_required: platinum + name: Anomaly detection alert + producer: ml + recovery_action_group: + id: recovered + name: Recovered + rule_task_timeout: 5m + - action_groups: + - id: anomaly_detection_realtime_issue + name: Issue detected + - id: recovered + name: Recovered + action_variables: + context: + - description: Results of the rule execution + name: results + - description: Alert info message + name: message + params: [] + state: [] + authorized_consumers: + alerts: + all: true + read: true + apm: + all: true + read: true + discover: + all: true + read: true + infrastructure: + all: true + read: true + logs: + all: true + read: true + ml: + all: true + read: true + monitoring: + all: true + read: true + siem: + all: true + read: true + slo: + all: true + read: true + stackAlerts: + all: true + read: true + uptime: + all: true + read: true + category: management + default_action_group_id: anomaly_detection_realtime_issue + does_set_recovery_context: true + enabled_in_license: true + has_alerts_mappings: false + has_fields_for_a_a_d: false + id: xpack.ml.anomaly_detection_jobs_health + is_exportable: true + minimum_license_required: platinum + name: Anomaly detection jobs health + producer: ml + recovery_action_group: + id: recovered + name: Recovered + rule_task_timeout: 5m + Cases_add_comment_request: + summary: Adds a comment to a case. + value: + comment: A new comment. + owner: cases + type: user + Cases_add_comment_response: + summary: >- + The add comment to case API returns a JSON object that contains details + about the case and its comments. + value: + assignees: [] + category: null + closed_at: null + closed_by: null + comments: + - comment: A new comment. + created_at: '2022-10-02T00:49:47.716Z' + created_by: + email: null + full_name: null + username: elastic + id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + owner: cases + type: user + version: WzIwNDMxLDFd + connector: + fields: null + id: none + name: none + type: .none + created_at: '2022-03-24T00:37:03.906Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: Field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: true + description: A case description. + duration: null + external_service: null + id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 + owner: cases + settings: + syncAlerts: false + severity: low + status: open + tags: + - tag 1 + title: Case title 1 + totalAlerts: 0 + totalComment: 1 + updated_at: '2022-06-03T00:49:47.716Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzIzMzgsMV0= + Cases_create_case_request: + summary: Create a security case that uses a Jira connector. + value: + connector: + fields: + issueType: '10006' + parent: null + priority: High + id: 131d4448-abe0-4789-939d-8ef60680b498 + name: My connector + type: .jira + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My field value + description: A case description. + owner: cases + settings: + syncAlerts: true + tags: + - tag-1 + title: Case title 1 + Cases_create_case_response: + summary: >- + The create case API returns a JSON object that contains details about + the case. + value: + assignees: [] + closed_at: null + closed_by: null + comments: [] + connector: + fields: + issueType: '10006' + parent: null + priority: High + id: 131d4448-abe0-4789-939d-8ef60680b498 + name: My connector + type: .jira + created_at: '2022-10-13T15:33:50.604Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: null + description: A case description. + duration: null + external_service: null + id: 66b9aa00-94fa-11ea-9f74-e7e108796192 + owner: cases + settings: + syncAlerts: true + severity: low + status: open + tags: + - tag 1 + title: Case title 1 + totalAlerts: 0 + totalComment: 0 + updated_at: null + updated_by: null + version: WzUzMiwxXQ== + Cases_find_case_activity_response: + summary: Retrieves all activity for a case + value: + page: 1 + perPage: 20 + total: 3 + userActions: + - action: create + comment_id: null + created_at: '2023-10-20T01:17:22.150Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: b4cd0770-07c9-11ed-a5fd-47154cb8767e + owner: cases + payload: + assignees: [] + category: null + connector: + fields: null + id: none + name: none + type: .none + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: null + description: A case description. + owner: cases + settings: + syncAlerts: false + severity: low + status: open + tags: + - tag 1 + title: Case title 1 + type: create_case + version: WzM1ODg4LDFd + - action: create + comment_id: 578608d0-03b1-11ed-920c-974bfa104448 + created_at: '2023-10-14T20:12:53.354Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 57af14a0-03b1-11ed-920c-974bfa104448 + owner: cases + payload: + comment: A new comment + owner: cases + type: user + type: comment + version: WzM1ODg4LDFa + - action: add + comment_id: null + created_at: '2023-10-20T01:10:28.238Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 573c6980-6123-11ed-aa41-81a0a61fe447 + owner: cases + payload: + assignees: + uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + type: assignees + version: WzM1ODg4LDFb + Cases_find_case_response: + summary: >- + Retrieve the first five cases with the `tag-1` tag, in ascending order + by last update time. + value: + cases: + - assignees: [] + category: null + closed_at: null + closed_by: null + comments: [] + connector: + fields: null + id: none + name: none + type: .none + created_at: '2023-10-12T00:16:36.371Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: null + description: Case description + duration: null + external_service: null + id: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + owner: cases + settings: + syncAlerts: true + severity: low + status: open + tags: + - tag-1 + title: Case title + totalAlerts: 0 + totalComment: 1 + updated_at: '2023-10-12T00:27:58.162Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzExMCwxXQ== + count_closed_cases: 0 + count_in_progress_cases: 0 + count_open_cases: 1 + page: 1 + per_page: 5 + total: 1 + Cases_find_connector_response: + summary: Retrieve information about the connectors and their settings. + value: + - actionTypeId: .jira + config: + apiUrl: https://elastic.atlassian.net/ + projectKey: ES + id: 61787f53-4eee-4741-8df6-8fe84fa616f7 + isDeprecated: false + isMissingSecrets: false + isPreconfigured: false + name: my-Jira + referencedByCount: 0 + Cases_get_case_alerts_response: + summary: Retrieves all alerts attached to a case + value: + - attached_at: '2022-07-25T20:09:40.963Z' + id: f6a7d0c3-d52d-432c-b2e6-447cd7fce04d + index: .alerts-observability.logs.alerts-default + Cases_get_case_configuration_response: + summary: Get the case configuration. + value: + - closure_type: close-by-user + connector: + fields: null + id: none + name: none + type: .none + created_at: '2024-07-01T17:07:17.767Z' + created_by: + email: null + full_name: null + username: elastic + customFields: + - defaultValue: Custom text field value. + key: d312efda-ec2b-42ec-9e2c-84981795c581 + label: my-text-field + type: text + required: false + error: null + id: 856ee650-6c82-11ee-a20a-6164169afa58 + mappings: [] + owner: cases + templates: + - caseFields: + assignees: + - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + category: Default-category + connector: + fields: null + id: none + name: none + type: .none + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: Default text field value. + description: A default description for cases. + settings: + syncAlerts: false + tags: + - Default case tag + title: Default case title + description: A description of the template. + key: 505932fe-ee3a-4960-a661-c781b5acdb05 + name: template-1 + tags: + - Template tag 1 + updated_at: null + updated_by: null + version: WzEyLDNd + Cases_get_case_observability_response: + summary: >- + Retrieves information about an Observability case including its alerts + and comments. + value: + assignees: + - uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + category: null + closed_at: null + closed_by: null + comments: + - alertId: + - a6e12ac4-7bce-457b-84f6-d7ce8deb8446 + created_at: '2023-11-06T19:29:38.424Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 59d438d0-79a9-4864-8d4b-e63adacebf6e + index: + - .internal.alerts-observability.logs.alerts-default-000001 + owner: observability + pushed_at: null + pushed_by: null + rule: + id: 03e4eb87-62ca-4e5d-9570-3d7625e9669d + name: Observability rule + type: alert + updated_at: null + updated_by: null + version: WzY3LDJd + - comment: The first comment. + created_at: '2023-11-06T19:29:57.812Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: d99342d3-3aa3-4b80-90ec-a702607604f5 + owner: observability + pushed_at: null + pushed_by: null + type: user + updated_at: null + updated_by: null + version: WzcyLDJd + connector: + fields: null + id: none + name: none + type: .none + created_at: '2023-11-06T19:29:04.086Z' + created_by: + email: null + full_name: null + username: elastic + customFields: [] + description: An Observability case description. + duration: null + external_service: null + id: c3ff7550-def1-4e90-b6bc-c9969a4a09b1 + owner: observability + settings: + syncAlerts: false + severity: low + status: in-progress + tags: + - observability + - tag 1 + title: Observability case title 1 + totalAlerts: 1 + totalComment: 1 + updated_at: '2023-11-06T19:47:55.662Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzI0NywyXQ== + Cases_get_case_response: + summary: Retrieves information about a case including its comments. + value: + assignees: + - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + category: null + closed_at: null + closed_by: null + comments: + - comment: A new comment + created_at: '2023-10-13T15:40:32.335Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 2134c1d0-02c2-11ed-85f2-4f7c222ca2fa + owner: cases + pushed_at: null + pushed_by: null + type: user + updated_at: null + updated_by: null + version: WzM3LDFd + connector: + fields: null + id: none + name: none + type: .none + created_at: '2023-10-13T15:33:50.604Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: null + description: A case description + duration: null + external_service: null + id: 31cdada0-02c1-11ed-85f2-4f7c222ca2fa + owner: cases + settings: + syncAlerts: true + severity: low + status: open + tags: + - tag 1 + title: Case title 1 + totalAlerts: 0 + totalComment: 1 + updated_at: '2023-10-13T15:40:32.335Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzM2LDFd + Cases_get_comment_response: + summary: A single user comment retrieved from a case + value: + comment: A new comment + created_at: '2023-10-07T19:32:13.104Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3 + owner: cases + pushed_at: null + pushed_by: null + type: user + updated_at: null + updated_by: null + version: WzIzLDFd + Cases_get_reporters_response: + summary: A list of two users that opened cases + value: + - email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + - email: jdoe@example.com + full_name: Jane Doe + profile_uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + username: jdoe + Cases_get_tags_response: + summary: A list of tags that are used in cases + value: + - observability + - security + - tag 1 + - tag 2 + Cases_push_case_response: + summary: >- + The push case API returns a JSON object with details about the case and + the external service. + value: + closed_at: null + closed_by: null + comments: [] + connector: + fields: + issueType: '10006' + parent: null + priority: Low + id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 + name: My connector + type: .jira + created_at: '2022-07-29T00:59:39.444Z' + created_by: + email: null + full_name: null + username: elastic + description: A case description. + duration: null + external_service: + connector_id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 + connector_name: My connector + external_id: '71926' + external_title: ES-554 + external_url: https://cases.jira.com + pushed_at: '2022-07-29T01:20:58.436Z' + pushed_by: + email: null + full_name: null + username: elastic + id: b917f300-0ed9-11ed-bd18-65557fe66949 + owner: cases + settings: + syncAlerts: true + severity: low + status: open + tags: + - tag 1 + title: Case title 1 + totalAlerts: 0 + totalComment: 0 + updated_at: '2022-07-29T01:20:58.436Z' + updated_by: + email: null + full_name: null + username: elastic + version: WzE3NjgsM10= + Cases_set_case_configuration_request: + summary: >- + Set the closure type, custom fields, and default connector for Stack + Management cases. + value: + closure_type: close-by-user + connector: + fields: null + id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 + name: my-jira-connector + type: .jira + customFields: + - defaultValue: My custom field default value. + key: d312efda-ec2b-42ec-9e2c-84981795c581 + label: my-text-field + type: text + required: false + owner: cases + templates: + - caseFields: + assignees: + - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + category: Default-category + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: A text field value for the template. + description: A default description for cases. + tags: + - Default case tag + title: Default case title + description: A description of the template. + key: 505932fe-ee3a-4960-a661-c781b5acdb05 + name: template-1 + tags: + - Template tag 1 + Cases_set_case_configuration_response: + summary: This is an example response for case settings. + value: + closure_type: close-by-user + connector: + fields: null + id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 + name: my-jira-connector + type: .jira + created_at: '2024-07-01T17:07:17.767Z' + created_by: + email: null, + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - defaultValue: My custom field default value. + key: d312efda-ec2b-42ec-9e2c-84981795c581 + label: my-text-field + type: text + required: false + error: null + id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + mappings: + - action_type: overwrite + source: title + target: summary + - action_type: overwrite + source: description + target: description + - action_type: append + source: comments + target: comments + - action_type: overwrite + source: tags + target: labels + owner: cases + templates: + - caseFields: + assignees: + - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + category: Default-category + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: A text field value for the template. + description: A default description for cases. + tags: + - Default case tag + title: Default case title + description: A description of the template. + key: 505932fe-ee3a-4960-a661-c781b5acdb05 + name: template-1 + tags: + - Template tag 1 + updated_at: null + updated_by: null + version: WzIwNzMsMV0= + Cases_update_case_configuration_request: + summary: Update the case settings. + value: + closure_type: close-by-user + connector: + fields: null + id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 + name: my-jira-connector + type: .jira + customFields: + - defaultValue: A new default value. + key: d312efda-ec2b-42ec-9e2c-84981795c581 + label: my-text-field + type: text + required: true + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + label: my-toggle + type: toggle + required: false + version: WzExOSw0XQ== + Cases_update_case_configuration_response: + summary: This is an example response when the case configuration was updated. + value: + closure_type: close-by-user + connector: + fields: null + id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 + name: my-jira-connector + type: .jira + created_at: '2024-07-01T17:07:17.767Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - defaultValue: A new default value. + key: d312efda-ec2b-42ec-9e2c-84981795c581 + label: my-text-field + type: text + required: true + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + label: my-toggle + type: toggle + required: false + error: null + id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 + mappings: + - action_type: overwrite + source: title + target: summary + - action_type: overwrite + source: description + target: description + - action_type: overwrite + source: tags + target: labels + - action_type: append + source: comments + target: comments + owner: cases + templates: [] + updated_at: '2024-07-19T00:52:42.401Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzI2LDNd + Cases_update_case_request: + summary: Update the case description, tags, and connector. + value: + cases: + - connector: + fields: + issueType: '10006' + parent: null + priority: null + id: 131d4448-abe0-4789-939d-8ef60680b498 + name: My connector + type: .jira + customFields: + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: false + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My new field value + description: A case description. + id: a18b38a0-71b0-11ea-a0b2-c51ea50a58e2 + settings: + syncAlerts: true + tags: + - tag-1 + version: WzIzLDFd + Cases_update_case_response: + summary: >- + This is an example response when the case description, tags, and + connector were updated. + value: + - assignees: [] + category: null + closed_at: null + closed_by: null + comments: [] + connector: + fields: + issueType: '10006' + parent: null + priority: null + id: 131d4448-abe0-4789-939d-8ef60680b498 + name: My connector + type: .jira + created_at: '2023-10-13T09:16:17.416Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My new field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: false + description: A case description. + duration: null + external_service: + connector_id: 05da469f-1fde-4058-99a3-91e4807e2de8 + connector_name: Jira + external_id: '10003' + external_title: IS-4 + external_url: https://hms.atlassian.net/browse/IS-4 + pushed_at: '2023-10-13T09:20:40.672Z' + pushed_by: + email: null + full_name: null + username: elastic + id: 66b9aa00-94fa-11ea-9f74-e7e108796192 + owner: cases + settings: + syncAlerts: true + severity: low + status: open + tags: + - tag-1 + title: Case title 1 + totalAlerts: 0 + totalComment: 0 + updated_at: '2023-10-13T09:48:33.043Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzU0OCwxXQ== + Cases_update_comment_request: + summary: Updates a comment of a case. + value: + comment: An updated comment. + id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + owner: cases + type: user + version: Wzk1LDFd + Cases_update_comment_response: + summary: >- + The add comment to case API returns a JSON object that contains details + about the case and its comments. + value: + assignees: [] + category: null + closed_at: null + closed_by: null + comments: + - comment: An updated comment. + created_at: '2023-10-24T00:37:10.832Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + owner: cases + pushed_at: null + pushed_by: null + type: user + updated_at: '2023-10-24T01:27:06.210Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzIwNjM3LDFd + connector: + fields: null + id: none + name: none + type: .none + created_at: '2023-10-24T00:37:03.906Z' + created_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + customFields: + - key: d312efda-ec2b-42ec-9e2c-84981795c581 + type: text + value: My new field value + - key: fcc6840d-eb14-42df-8aaf-232201a705ec + type: toggle + value: false + description: A case description. + duration: null + external_service: null + id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 + owner: cases + settings: + syncAlerts: false + severity: low + status: open + tags: + - tag 1 + title: Case title 1 + totalAlerts: 0 + totalComment: 1 + updated_at: '2023-10-24T01:27:06.210Z' + updated_by: + email: null + full_name: null + profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 + username: elastic + version: WzIwNjM2LDFd + Data_views_create_data_view_request: + summary: Create a data view with runtime fields. + value: + data_view: + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + title: logstash-* + Data_views_create_runtime_field_request: + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: emit(doc["foo"].value) + type: long + Data_views_get_data_view_response: + summary: >- + The get data view API returns a JSON object that contains information + about the data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number + params: + pattern: $0,0.00 + products.base_unit_price: + id: number + params: + pattern: $0,0.00 + products.min_price: + id: number + params: + pattern: $0,0.00 + products.price: + id: number + params: + pattern: $0,0.00 + products.taxful_price: + id: number + params: + pattern: $0,0.00 + products.taxless_price: + id: number + params: + pattern: $0,0.00 + taxful_total_price: + id: number + params: + pattern: $0,0.[00] + taxless_total_price: + id: number + params: + pattern: $0,0.00 + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category + type: string + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name + type: string + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_full_name + type: string + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + event.dataset: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: manufacturer + type: string + order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category + type: string + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer + type: string + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_name: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name + type: string + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxful_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + type: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + user: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + summary: The get all data views API returns a list of data views. + value: + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + summary: The get default data view API returns the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: + summary: >- + The get runtime field API returns a JSON object that contains + information about the runtime field (`hour_of_day`) and the data view + (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). + value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: + AvgTicketPrice: + id: number + params: + pattern: $0,0.[00] + hour_of_day: + id: number + params: + pattern: '00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + DistanceMiles: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightDelayType + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightNum: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightNum + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeMin: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: FlightTimeMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Origin: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Origin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". + value: + fromId: abcd-efg + toId: xyz-123 + Data_views_set_default_data_view_request: + summary: Set the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_swap_data_view_request: + summary: >- + Swap references from data view ID "abcd-efg" to "xyz-123" and remove the + data view that is no longer referenced. + value: + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_update_data_view_request: + summary: Update some properties for a data view. + value: + data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + summary: Update metadata for multiple fields. + value: + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_runtime_field_request: + summary: Update an existing runtime field on a data view. + value: + runtimeField: + script: + source: emit(doc["bar"].value) + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. + value: + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Saved_objects_export_objects_request: + summary: Export a specific saved object. + value: + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + type: map + Saved_objects_export_objects_response: + summary: >- + The export objects API response contains a JSON record for each exported + object. + value: + attributes: + description: '' + layerListJSON: >- + [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total + Requests by + Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web + logs + count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual + Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total + Requests and + Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web + logs + count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] + mapStateJSON: >- + {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} + title: '[Logs] Total Requests and Bytes' + uiStateJSON: '{"isDarkMode":false}' + coreMigrationVersion: 8.8.0 + created_at: '2023-08-23T20:03:32.204Z' + id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + managed: false + references: + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_1_join_0_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_2_source_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_3_source_index_pattern + type: index-pattern + type: map + typeMigrationVersion: 8.4.0 + updated_at: '2023-08-23T20:03:32.204Z' + version: WzEzLDFd + Saved_objects_import_objects_request: + value: + file: file.ndjson + Saved_objects_import_objects_response: + summary: >- + The import objects API response indicates a successful import and the + objects are created. Since these objects are created as new copies, each + entry in the successResults array includes a destinationId attribute. + value: + success: true + successCount: 1 + successResults: + - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + managed: false + meta: + icon: indexPatternApp + title: Kibana Sample Data Logs + type: index-pattern + Saved_objects_key_rotation_response: + summary: Encryption key rotation using default parameters. + value: + failed: 0 + successful: 300 + total: 1000 + Saved_objects_resolve_missing_reference_request: + value: + file: file.ndjson + retries: + - id: my-pattern + overwrite: true + type: index-pattern + - destinationId: another-vis + id: my-vis + overwrite: true + type: visualization + - destinationId: yet-another-canvas + id: my-canvas + overwrite: true + type: canvas + - id: my-dashboard + type: dashboard + Saved_objects_resolve_missing_reference_response: + summary: Resolve missing reference errors. + value: + success: true + successCount: 3 + successResults: + - id: my-vis + meta: + icon: visualizeApp + title: Look at my visualization + type: visualization + - id: my-search + meta: + icon: searchApp + title: Look at my search + type: search + - id: my-dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + type: dashboard + parameters: + Alerting_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Cases_alert_id: + description: An identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 + type: string + Cases_assignees: + description: > + Filters the returned cases by assignees. Valid values are `none` or + unique identifiers for the user profiles. These identifiers can be found + by using the suggest user profile API. + in: query + name: assignees + schema: + oneOf: + - type: string + - items: + type: string + maxItems: 100 + type: array + Cases_case_id: + description: >- + The identifier for the case. To retrieve case IDs, use the find cases + API. All non-ASCII characters must be URL encoded. + in: path + name: caseId + required: true + schema: + example: 9c235210-6834-11ea-a78c-6ffb38a34414 + type: string + Cases_category: + description: Filters the returned cases by category. + in: query + name: category + schema: + oneOf: + - example: my-category + type: string + - items: + type: string + maxItems: 100 + type: array + Cases_comment_id: + description: > + The identifier for the comment. To retrieve comment IDs, use the get + case or find cases APIs. + in: path + name: commentId + required: true + schema: + example: 71ec1870-725b-11ea-a0b2-c51ea50a58e2 + type: string + Cases_configuration_id: + description: An identifier for the configuration. + in: path + name: configurationId + required: true + schema: + example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 + type: string + Cases_connector_id: + description: >- + An identifier for the connector. To retrieve connector IDs, use the find + connectors API. + in: path + name: connectorId + required: true + schema: + example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + type: string + Cases_defaultSearchOperator: + description: he default operator to use for the simple_query_string. + example: OR + in: query + name: defaultSearchOperator + schema: + default: OR + type: string + Cases_from: + description: > + Returns only cases that were created after a specific date. The date + must be specified as a KQL data range or date match expression. + in: query + name: from + schema: + example: now-1d + type: string + Cases_ids: + description: > + The cases that you want to removed. All non-ASCII characters must be URL + encoded. + example: d4e7abb0-b462-11ec-9a8d-698504725a43 + in: query + name: ids + required: true + schema: + items: + maxItems: 100 + minItems: 1 + type: string + type: array + Cases_includeComments: + deprecated: true + description: >- + Deprecated in 8.1.0. This parameter is deprecated and will be removed in + a future release. It determines whether case comments are returned. + in: query + name: includeComments + schema: + default: true + type: boolean + Cases_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Cases_owner: + description: > + A filter to limit the response to a specific set of applications. If + this parameter is omitted, the response contains information about all + the cases that the user has access to read. + example: cases + in: query + name: owner + schema: + oneOf: + - $ref: '#/components/schemas/Cases_owners' + - items: + $ref: '#/components/schemas/Cases_owners' + type: array + Cases_page_index: + description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + type: integer + Cases_page_size: + description: The number of items to return. Limited to 100 items. + in: query + name: perPage + required: false + schema: + default: 20 + maximum: 100 + type: integer + Cases_reporters: + description: Filters the returned cases by the user name of the reporter. + example: elastic + in: query + name: reporters + schema: + oneOf: + - type: string + - items: + type: string + maxItems: 100 + type: array + Cases_search: + description: >- + An Elasticsearch simple_query_string query that filters the objects in + the response. + in: query + name: search + schema: + type: string + Cases_searchFields: + description: The fields to perform the simple_query_string parsed query against. + in: query + name: searchFields + schema: + oneOf: + - $ref: '#/components/schemas/Cases_searchFieldsType' + - items: + $ref: '#/components/schemas/Cases_searchFieldsType' + type: array + Cases_severity: + description: The severity of the case. + in: query + name: severity + schema: + enum: + - critical + - high + - low + - medium + type: string + Cases_sort_order: + description: Determines the sort order. + in: query + name: sortOrder + required: false + schema: + default: desc + enum: + - asc + - desc + type: string + Cases_sortField: + description: Determines which field is used to sort the results. + example: updatedAt + in: query + name: sortField + schema: + default: createdAt + enum: + - createdAt + - updatedAt + - closedAt + - title + - category + - status + - severity + type: string + Cases_status: + description: Filters the returned cases by state. + example: open + in: query + name: status + schema: + enum: + - closed + - in-progress + - open + type: string + Cases_tags: + description: Filters the returned cases by tags. + example: tag-1 + in: query + name: tags + schema: + oneOf: + - type: string + - items: + type: string + maxItems: 100 + type: array + Cases_to: + description: > + Returns only cases that were created before a specific date. The date + must be specified as a KQL data range or date match expression. + example: now+1d + in: query + name: to + schema: + type: string + Cases_user_action_types: + description: Determines the types of user actions to return. + example: create_case + in: query + name: types + schema: + items: + enum: + - action + - alert + - assignees + - attachment + - comment + - connector + - create_case + - description + - pushed + - settings + - severity + - status + - tags + - title + - user + type: string + type: array + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Fleet_format: + description: Simplified or legacy format for package inputs + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + Fleet_kbn_xsrf: + description: Kibana's anti Cross-Site Request Forgery token. Can be any string value. + in: header + name: kbn-xsrf + required: true + schema: + type: string + Fleet_kuery: + in: query + name: kuery + required: false + schema: + type: string + Fleet_page_index: + in: query + name: page + required: false + schema: + default: 1 + type: integer + Fleet_page_size: + description: The number of items to return + in: query + name: perPage + required: false + schema: + default: 20 + type: integer + Fleet_show_inactive: + in: query + name: showInactive + required: false + schema: + type: boolean + Fleet_show_upgradeable: + in: query + name: showUpgradeable + required: false + schema: + type: boolean + Fleet_sort_field: + in: query + name: sortField + required: false + schema: + deprecated: true + type: string + Fleet_sort_order: + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + Fleet_with_metrics: + description: Return agent metrics, false by default + in: query + name: withMetrics + required: false + schema: + type: boolean + Machine_learning_APIs_simulateParam: + description: >- + When true, simulates the synchronization by returning only the list of + actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + Saved_objects_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Saved_objects_saved_object_id: + description: An identifier for the saved object. + in: path + name: id + required: true + schema: + type: string + Saved_objects_saved_object_type: + description: >- + Valid options include `visualization`, `dashboard`, `search`, + `index-pattern`, `config`. + in: path + name: type + required: true + schema: + type: string + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: >- + An identifier for the space. If `/s/` and the identifier are omitted + from the path, the default space is used. + in: path + name: spaceId + required: true + schema: + example: default + type: string + responses: + Fleet_error: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + schemas: + Alerting_401_response: + properties: + error: + enum: + - Unauthorized + example: Unauthorized + type: string + message: + type: string + statusCode: + enum: + - 401 + example: 401 + type: integer + title: Unsuccessful rule API response + type: object + Alerting_alert_response_properties: + title: Legacy alert response properties + type: object + properties: + actions: + items: + type: object + type: array + alertTypeId: + example: .index-threshold + type: string + apiKeyOwner: + example: elastic + nullable: true + type: string + createdAt: + description: The date and time that the alert was created. + example: '2022-12-05T23:36:58.284Z' + format: date-time + type: string + createdBy: + description: The identifier for the user that created the alert. + example: elastic + type: string + enabled: + description: Indicates whether the alert is currently enabled. + example: true + type: boolean + executionStatus: + type: object + properties: + lastExecutionDate: + example: '2022-12-06T00:13:43.890Z' + format: date-time + type: string + status: + example: ok + type: string + id: + description: The identifier for the alert. + example: b530fed0-74f5-11ed-9801-35303b735aef + type: string + muteAll: + example: false + type: boolean + mutedInstanceIds: + items: + type: string + nullable: true + type: array + name: + description: The name of the alert. + example: my alert + type: string + notifyWhen: + example: onActionGroupChange + type: string + params: + additionalProperties: true + type: object + schedule: + type: object + properties: + interval: + type: string + scheduledTaskId: + example: b530fed0-74f5-11ed-9801-35303b735aef + type: string + tags: + items: + type: string + type: array + throttle: + nullable: true + type: string + updatedAt: + example: '2022-12-05T23:36:58.284Z' + type: string + updatedBy: + description: The identifier for the user that updated this alert most recently. + example: elastic + nullable: true + type: string + Alerting_fieldmap_properties: + title: Field map objects in the get rule types response + type: object + properties: + array: + description: Indicates whether the field is an array. + type: boolean + dynamic: + description: Indicates whether it is a dynamic field mapping. + type: boolean + format: + description: > + Indicates the format of the field. For example, if the `type` is + `date_range`, the `format` can be + `epoch_millis||strict_date_optional_time`. + type: string + ignore_above: + description: >- + Specifies the maximum length of a string field. Longer strings are + not indexed or stored. + type: integer + index: + description: Indicates whether field values are indexed. + type: boolean + path: + description: TBD + type: string + properties: + additionalProperties: + type: object + properties: + type: + description: The data type for each object property. + type: string + description: > + Details about the object properties. This property is applicable + when `type` is `object`. + type: object + required: + description: Indicates whether the field is required. + type: boolean + scaling_factor: + description: > + The scaling factor to use when encoding values. This property is + applicable when `type` is `scaled_float`. Values will be multiplied + by this factor at index time and rounded to the closest long value. + type: integer + type: + description: Specifies the data type for the field. + example: scaled_float + type: string + Cases_4xx_response: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful cases API response + type: object + Cases_action_types: + description: The type of action. + enum: + - assignees + - create_case + - comment + - connector + - delete_case + - description + - pushed + - tags + - title + - status + - settings + - severity + example: create_case + type: string + Cases_actions: + enum: + - add + - create + - delete + - push_to_service + - update + example: create + type: string + Cases_add_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. + type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owners' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. + enum: + - alert + example: alert + type: string + required: + - alertId + - index + - owner + - rule + - type + title: Add case comment request properties for alerts + Cases_add_case_comment_request: + description: >- + The add comment to case API request body varies depending on whether you + are adding an alert or a comment. + discriminator: + mapping: + alert: '#/components/schemas/Cases_add_alert_comment_request_properties' + user: '#/components/schemas/Cases_add_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' + title: Add case comment request + Cases_add_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + type: + description: The type of comment. + enum: + - user + example: user + type: string + required: + - comment + - owner + - type + title: Add case comment request properties for user comments + type: object + Cases_alert_comment_response_properties: + title: Add case comment response properties for alerts + type: object + properties: + alertId: + items: + example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 + type: string + type: array + created_at: + example: '2023-11-06T19:29:38.424Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + id: + example: 73362370-ab1a-11ec-985f-97e55adae8b9 + type: string + index: + items: + example: .internal.alerts-security.alerts-default-000001 + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owners' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + rule: + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + type: string + name: + description: The rule name. + example: security_rule + type: string + type: + enum: + - alert + example: alert + type: string + updated_at: + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzMwNDgsMV0= + type: string + required: + - type + Cases_alert_identifiers: + description: > + The alert identifiers. It is required only when `type` is `alert`. You + can use an array of strings to add multiple alerts to a case, provided + that they all relate to the same rule; `index` must also be an array + with the same length or number of elements. Adding multiple alerts in + this manner is recommended rather than calling the API multiple times. + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert identifiers + x-technical-preview: true + Cases_alert_indices: + description: > + The alert indices. It is required only when `type` is `alert`. If you + are adding multiple alerts to a case, use an array of strings; the + position of each index name in the array must match the position of the + corresponding alert identifier in the `alertId` array. This + functionality is in technical preview and may be changed or removed in a + future release. Elastic will work to fix any issues, but features in + technical preview are not subject to the support SLA of official GA + features. + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert indices + x-technical-preview: true + Cases_alert_response_properties: + type: object + properties: + attached_at: + format: date-time + type: string + id: + description: The alert identifier. + type: string + index: + description: The alert index. + type: string + Cases_assignees: + description: An array containing users that are assigned to the case. + items: + type: object + properties: + uid: + description: >- + A unique identifier for the user profile. These identifiers can be + found by using the suggest user profile API. + example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + type: string + required: + - uid + maxItems: 10 + nullable: true + type: array + Cases_case_category: + description: A word or phrase that categorizes the case. + maxLength: 50 + type: string + Cases_case_description: + description: The description for the case. + maxLength: 30000 + type: string + Cases_case_response_closed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for closed_by + type: object + Cases_case_response_created_by_properties: + title: Case response properties for created_by + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + Cases_case_response_properties: + title: Case response properties + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + description: The case category. + nullable: true + type: string + closed_at: + format: date-time + nullable: true + type: string + closed_by: + $ref: '#/components/schemas/Cases_case_response_closed_by_properties' + comments: + description: An array of comment objects for the case. + items: + discriminator: + mapping: + alert: '#/components/schemas/Cases_alert_comment_response_properties' + user: '#/components/schemas/Cases_user_comment_response_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_alert_comment_response_properties' + - $ref: '#/components/schemas/Cases_user_comment_response_properties' + maxItems: 10000 + title: Case response properties for comments + type: array + connector: + discriminator: + mapping: + .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' + .jira: '#/components/schemas/Cases_connector_properties_jira' + .none: '#/components/schemas/Cases_connector_properties_none' + .resilient: '#/components/schemas/Cases_connector_properties_resilient' + .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' + .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' + .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + title: Case response properties for connectors + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + customFields: + description: Custom field values for the case. + items: + type: object + properties: + key: + description: > + The unique identifier for the custom field. The key value must + exist in the case configuration settings. + type: string + type: + description: > + The custom field type. It must match the type specified in the + case configuration settings. + enum: + - text + - toggle + type: string + value: + description: > + The custom field value. If the custom field is required, it + cannot be explicitly set to null. However, for cases that + existed when the required custom field was added, the default + value stored in Elasticsearch is `undefined`. The value + returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + type: array + description: + example: A case description. + type: string + duration: + description: > + The elapsed time from the creation of the case to its closure (in + seconds). If the case has not been closed, the duration is set to + null. If the case was closed after less than half a second, the + duration is rounded down to zero. + example: 120 + nullable: true + type: integer + external_service: + $ref: '#/components/schemas/Cases_external_service' + id: + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + example: Case title 1 + type: string + totalAlerts: + example: 0 + type: integer + totalComment: + example: 0 + type: integer + updated_at: + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzUzMiwxXQ== + type: string + required: + - closed_at + - closed_by + - comments + - connector + - created_at + - created_by + - description + - duration + - external_service + - id + - owner + - settings + - severity + - status + - tags + - title + - totalAlerts + - totalComment + - updated_at + - updated_by + - version + Cases_case_response_pushed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for pushed_by + type: object + Cases_case_response_updated_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for updated_by + type: object + Cases_case_severity: + default: low + description: The severity of the case. + enum: + - critical + - high + - low + - medium + type: string + Cases_case_status: + description: The status of the case. + enum: + - closed + - in-progress + - open + type: string + Cases_case_tags: + description: > + The words and phrases that help categorize cases. It can be an empty + array. + items: + maxLength: 256 + type: string + maxItems: 200 + type: array + Cases_case_title: + description: A title for the case. + maxLength: 160 + type: string + Cases_closure_types: + description: >- + Indicates whether a case is automatically closed when it is pushed to + external systems (`close-by-pushing`) or not automatically closed + (`close-by-user`). + enum: + - close-by-pushing + - close-by-user + example: close-by-user + type: string + Cases_connector_properties_cases_webhook: + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + fields: + example: null + nullable: true + type: string + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .cases-webhook + example: .cases-webhook + type: string + required: + - fields + - id + - name + - type + title: Create or upate case request properties for Cases Webhook connector + Cases_connector_properties_jira: + description: Defines properties for connectors when type is `.jira`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + type: object + properties: + issueType: + description: The type of issue. + nullable: true + type: string + parent: + description: The key of the parent issue, when the issue type is sub-task. + nullable: true + type: string + priority: + description: The priority of the issue. + nullable: true + type: string + required: + - issueType + - parent + - priority + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .jira + example: .jira + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for a Jira connector + Cases_connector_properties_none: + description: Defines properties for connectors when type is `.none`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create a case without + a connector, specify null. To update a case to remove the connector, + specify null. + example: null + nullable: true + type: string + id: + description: >- + The identifier for the connector. To create a case without a + connector, use `none`. To update a case to remove the connector, + specify `none`. + example: none + type: string + name: + description: >- + The name of the connector. To create a case without a connector, use + `none`. To update a case to remove the connector, specify `none`. + example: none + type: string + type: + description: >- + The type of connector. To create a case without a connector, use + `.none`. To update a case to remove the connector, specify `.none`. + enum: + - .none + example: .none + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for no connector + Cases_connector_properties_resilient: + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + nullable: true + type: object + properties: + issueTypes: + description: The type of incident. + items: + type: string + type: array + severityCode: + description: The severity code of the incident. + type: string + required: + - issueTypes + - severityCode + id: + description: The identifier for the connector. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .resilient + example: .resilient + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a IBM Resilient connector + Cases_connector_properties_servicenow: + description: Defines properties for connectors when type is `.servicenow`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true + type: string + impact: + description: The effect an incident had on business. + nullable: true + type: string + severity: + description: The severity of the incident. + nullable: true + type: string + subcategory: + description: The subcategory of the incident. + nullable: true + type: string + urgency: + description: The extent to which the incident resolution can be delayed. + nullable: true + type: string + required: + - category + - impact + - severity + - subcategory + - urgency + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .servicenow + example: .servicenow + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow ITSM connector + Cases_connector_properties_servicenow_sir: + description: Defines properties for connectors when type is `.servicenow-sir`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true + type: string + destIp: + description: >- + Indicates whether cases will send a comma-separated list of + destination IPs. + nullable: true + type: boolean + malwareHash: + description: >- + Indicates whether cases will send a comma-separated list of + malware hashes. + nullable: true + type: boolean + malwareUrl: + description: >- + Indicates whether cases will send a comma-separated list of + malware URLs. + nullable: true + type: boolean + priority: + description: The priority of the issue. + nullable: true + type: string + sourceIp: + description: >- + Indicates whether cases will send a comma-separated list of + source IPs. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident. + nullable: true + type: string + required: + - category + - destIp + - malwareHash + - malwareUrl + - priority + - sourceIp + - subcategory + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .servicenow-sir + example: .servicenow-sir + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow SecOps connector + Cases_connector_properties_swimlane: + description: Defines properties for connectors when type is `.swimlane`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + nullable: true + type: string + required: + - caseId + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .swimlane + example: .swimlane + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a Swimlane connector + Cases_connector_types: + description: The type of connector. + enum: + - .cases-webhook + - .jira + - .none + - .resilient + - .servicenow + - .servicenow-sir + - .swimlane + example: .none + type: string + Cases_create_case_request: + description: >- + The create case API request body varies depending on the type of + connector. + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: > + Custom field values for a case. Any optional custom fields that are + not specified in the request are set to null. + items: + type: object + properties: + key: + description: > + The unique identifier for the custom field. The key value must + exist in the case configuration settings. + type: string + type: + description: > + The custom field type. It must match the type specified in the + case configuration settings. + enum: + - text + - toggle + type: string + value: + description: > + The custom field value. If the custom field is required, it + cannot be explicitly set to null. However, for cases that + existed when the required custom field was added, the default + value stored in Elasticsearch is `undefined`. The value + returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + required: + - key + - type + - value + maxItems: 10 + minItems: 0 + type: array + description: + $ref: '#/components/schemas/Cases_case_description' + owner: + $ref: '#/components/schemas/Cases_owners' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + required: + - connector + - description + - owner + - settings + - tags + - title + title: Create case request + type: object + Cases_external_service: + nullable: true + type: object + properties: + connector_id: + type: string + connector_name: + type: string + external_id: + type: string + external_title: + type: string + external_url: + type: string + pushed_at: + format: date-time + type: string + pushed_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + Cases_owners: + description: > + The application that owns the cases: Stack Management, Observability, or + Elastic Security. + enum: + - cases + - observability + - securitySolution + example: cases + type: string + Cases_payload_alert_comment: + type: object + properties: + comment: + type: object + properties: + alertId: + oneOf: + - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d + type: string + - items: + type: string + type: array + index: + oneOf: + - example: .alerts-observability.logs.alerts-default + type: string + - items: + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owners' + rule: + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + type: string + name: + description: The rule name. + example: security_rule + type: string + type: + enum: + - alert + type: string + Cases_payload_assignees: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + Cases_payload_connector: + type: object + properties: + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create a case + without a connector, specify null. If you want to omit any + individual field, specify null as its value. + example: null + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. + type: string + destIp: + description: >- + Indicates whether cases will send a comma-separated list of + destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: >- + The effect an incident had on business for ServiceNow ITSM + connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + items: + type: string + type: array + malwareHash: + description: >- + Indicates whether cases will send a comma-separated list of + malware hashes for ServiceNow SecOps connectors. + nullable: true + type: boolean + malwareUrl: + description: >- + Indicates whether cases will send a comma-separated list of + malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: >- + The key of the parent issue, when the issue type is sub-task + for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and ServiceNow SecOps + connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM Resilient + connectors. + type: string + sourceIp: + description: >- + Indicates whether cases will send a comma-separated list of + source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: >- + The subcategory of the incident for ServiceNow ITSM + connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can be delayed + for ServiceNow ITSM connectors. + type: string + id: + description: >- + The identifier for the connector. To create a case without a + connector, use `none`. + example: none + type: string + name: + description: >- + The name of the connector. To create a case without a connector, + use `none`. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + Cases_payload_create_case: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create a case + without a connector, specify null. If you want to omit any + individual field, specify null as its value. + example: null + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. + type: string + destIp: + description: >- + Indicates whether cases will send a comma-separated list of + destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: >- + The effect an incident had on business for ServiceNow ITSM + connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + items: + type: string + type: array + malwareHash: + description: >- + Indicates whether cases will send a comma-separated list of + malware hashes for ServiceNow SecOps connectors. + nullable: true + type: boolean + malwareUrl: + description: >- + Indicates whether cases will send a comma-separated list of + malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: >- + The key of the parent issue, when the issue type is sub-task + for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and ServiceNow SecOps + connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM Resilient + connectors. + type: string + sourceIp: + description: >- + Indicates whether cases will send a comma-separated list of + source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: >- + The subcategory of the incident for ServiceNow ITSM + connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can be delayed + for ServiceNow ITSM connectors. + type: string + id: + description: >- + The identifier for the connector. To create a case without a + connector, use `none`. + example: none + type: string + name: + description: >- + The name of the connector. To create a case without a connector, + use `none`. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + description: + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + items: + example: + - tag-1 + type: string + type: array + title: + type: string + Cases_payload_delete: + description: >- + If the `action` is `delete` and the `type` is `delete_case`, the payload + is nullable. + nullable: true + type: object + Cases_payload_description: + type: object + properties: + description: + type: string + Cases_payload_pushed: + type: object + properties: + externalService: + $ref: '#/components/schemas/Cases_external_service' + Cases_payload_settings: + type: object + properties: + settings: + $ref: '#/components/schemas/Cases_settings' + Cases_payload_severity: + type: object + properties: + severity: + $ref: '#/components/schemas/Cases_case_severity' + Cases_payload_status: + type: object + properties: + status: + $ref: '#/components/schemas/Cases_case_status' + Cases_payload_tags: + type: object + properties: + tags: + example: + - tag-1 + items: + type: string + type: array + Cases_payload_title: + type: object + properties: + title: + type: string + Cases_payload_user_comment: + type: object + properties: + comment: + type: object + properties: + comment: + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + type: + enum: + - user + type: string + Cases_rule: + description: > + The rule that is associated with the alerts. It is required only when + `type` is `alert`. This functionality is in technical preview and may be + changed or removed in a future release. Elastic will work to fix any + issues, but features in technical preview are not subject to the support + SLA of official GA features. + title: Alerting rule + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + type: string + name: + description: The rule name. + example: security_rule + type: string + x-technical-preview: true + Cases_searchFieldsType: + description: The fields to perform the `simple_query_string` parsed query against. + enum: + - description + - title + type: string + Cases_set_case_configuration_request: + description: >- + External connection details, such as the closure type and default + connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not used and + are not propagated to individual cases, therefore it is + recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a default + connector, use `none`. To retrieve connector IDs, use the find + connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a default + connector, use `none`. To retrieve connector names, use the find + connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + required: + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. + items: + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the `type` is `text`, + the default value must be a string. If the `type` is `toggle`, + the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower case and + composed only of a-z, 0-9, '_', and '-' characters. It is used + in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If `false`, the + custom field can be set to null or omitted when a case is + created or updated. + type: boolean + required: + - key + - label + - required + - type + maxItems: 10 + minItems: 0 + type: array + owner: + $ref: '#/components/schemas/Cases_owners' + templates: + $ref: '#/components/schemas/Cases_templates' + required: + - closure_type + - connector + - owner + title: Set case configuration request + type: object + Cases_settings: + description: An object that contains the case settings. + type: object + properties: + syncAlerts: + description: Turns alert syncing on or off. + example: true + type: boolean + required: + - syncAlerts + Cases_template_tags: + description: > + The words and phrases that help categorize templates. It can be an empty + array. + items: + maxLength: 256 + type: string + maxItems: 200 + type: array + Cases_templates: + items: + type: object + properties: + caseFields: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not + used and are not propagated to individual cases, therefore + it is recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a + default connector, use `none`. To retrieve connector IDs, + use the find connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a default + connector, use `none`. To retrieve connector names, use + the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + customFields: + description: Custom field values in the template. + items: + type: object + properties: + key: + description: The unique key for the custom field. + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + value: + description: > + The default value for the custom field when a case uses + the template. If the `type` is `text`, the default value + must be a string. If the `type` is `toggle`, the default + value must be boolean. + oneOf: + - type: string + - type: boolean + type: array + x-technical-preview: true + description: + $ref: '#/components/schemas/Cases_case_description' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + description: + description: A description for the template. + type: string + key: + description: > + A unique key for the template. Must be lower case and composed + only of a-z, 0-9, '_', and '-' characters. It is used in API calls + to refer to a specific template. + type: string + name: + description: The name of the template. + type: string + tags: + $ref: '#/components/schemas/Cases_template_tags' + type: array + x-technical-preview: true + Cases_update_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. + type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + id: + description: > + The identifier for the comment. To retrieve comment IDs, use the get + comments API. + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owners' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. + enum: + - alert + example: alert + type: string + version: + description: > + The current comment version. To retrieve version values, use the get + comments API. + example: Wzk1LDFd + type: string + required: + - alertId + - id + - index + - owner + - rule + - type + - version + title: Update case comment request properties for alerts + Cases_update_case_comment_request: + description: >- + The update case comment API request body varies depending on whether you + are updating an alert or a comment. + discriminator: + mapping: + alert: '#/components/schemas/Cases_update_alert_comment_request_properties' + user: '#/components/schemas/Cases_update_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' + title: Update case comment request + Cases_update_case_configuration_request: + description: > + You can update settings such as the closure type, custom fields, + templates, and the default connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not used and + are not propagated to individual cases, therefore it is + recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a default + connector, use `none`. To retrieve connector IDs, use the find + connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a default + connector, use `none`. To retrieve connector names, use the find + connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + required: + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. + items: + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the `type` is `text`, + the default value must be a string. If the `type` is `toggle`, + the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower case and + composed only of a-z, 0-9, '_', and '-' characters. It is used + in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If `false`, the + custom field can be set to null or omitted when a case is + created or updated. + type: boolean + required: + - key + - label + - required + - type + type: array + templates: + $ref: '#/components/schemas/Cases_templates' + version: + description: > + The version of the connector. To retrieve the version value, use the + get configuration API. + example: WzIwMiwxXQ== + type: string + required: + - version + title: Update case configuration request + type: object + Cases_update_case_request: + description: >- + The update case API request body varies depending on the type of + connector. + properties: + cases: + description: An array containing one or more case objects. + items: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: >- + #/components/schemas/Cases_connector_properties_cases_webhook + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: >- + #/components/schemas/Cases_connector_properties_servicenow_sir + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: > + Custom field values for a case. Any optional custom fields + that are not specified in the request are set to null. + items: + type: object + properties: + key: + description: > + The unique identifier for the custom field. The key + value must exist in the case configuration settings. + type: string + type: + description: > + The custom field type. It must match the type specified + in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: > + The custom field value. If the custom field is required, + it cannot be explicitly set to null. However, for cases + that existed when the required custom field was added, + the default value stored in Elasticsearch is + `undefined`. The value returned in the API and user + interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + required: + - key + - type + - value + maxItems: 10 + minItems: 0 + type: array + description: + $ref: '#/components/schemas/Cases_case_description' + id: + description: The identifier for the case. + maxLength: 30000 + type: string + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + version: + description: >- + The current version of the case. To determine this value, use + the get case or find cases APIs. + type: string + required: + - id + - version + maxItems: 100 + minItems: 1 + type: array + required: + - cases + title: Update case request + type: object + Cases_update_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 + type: string + id: + description: > + The identifier for the comment. To retrieve comment IDs, use the get + comments API. + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + type: + description: The type of comment. + enum: + - user + example: user + type: string + version: + description: > + The current comment version. To retrieve version values, use the get + comments API. + example: Wzk1LDFd + type: string + required: + - comment + - id + - owner + - type + - version + title: Update case comment request properties for user comments + type: object + Cases_user_actions_find_response_properties: + type: object + properties: + action: + $ref: '#/components/schemas/Cases_actions' + comment_id: + example: 578608d0-03b1-11ed-920c-974bfa104448 + nullable: true + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + id: + example: 22fd3e30-03b1-11ed-920c-974bfa104448 + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + payload: + oneOf: + - $ref: '#/components/schemas/Cases_payload_alert_comment' + - $ref: '#/components/schemas/Cases_payload_assignees' + - $ref: '#/components/schemas/Cases_payload_connector' + - $ref: '#/components/schemas/Cases_payload_create_case' + - $ref: '#/components/schemas/Cases_payload_delete' + - $ref: '#/components/schemas/Cases_payload_description' + - $ref: '#/components/schemas/Cases_payload_pushed' + - $ref: '#/components/schemas/Cases_payload_settings' + - $ref: '#/components/schemas/Cases_payload_severity' + - $ref: '#/components/schemas/Cases_payload_status' + - $ref: '#/components/schemas/Cases_payload_tags' + - $ref: '#/components/schemas/Cases_payload_title' + - $ref: '#/components/schemas/Cases_payload_user_comment' + type: + description: The type of action. + enum: + - assignees + - create_case + - comment + - connector + - description + - pushed + - tags + - title + - status + - settings + - severity + example: create_case + type: string + version: + example: WzM1ODg4LDFd + type: string + required: + - action + - comment_id + - created_at + - created_by + - id + - owner + - payload + - type + - version + Cases_user_actions_response_properties: + type: object + properties: + action: + $ref: '#/components/schemas/Cases_actions' + action_id: + example: 22fd3e30-03b1-11ed-920c-974bfa104448 + type: string + case_id: + example: 22df07d0-03b1-11ed-920c-974bfa104448 + type: string + comment_id: + example: 578608d0-03b1-11ed-920c-974bfa104448 + nullable: true + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + owner: + $ref: '#/components/schemas/Cases_owners' + payload: + oneOf: + - $ref: '#/components/schemas/Cases_payload_alert_comment' + - $ref: '#/components/schemas/Cases_payload_assignees' + - $ref: '#/components/schemas/Cases_payload_connector' + - $ref: '#/components/schemas/Cases_payload_create_case' + - $ref: '#/components/schemas/Cases_payload_delete' + - $ref: '#/components/schemas/Cases_payload_description' + - $ref: '#/components/schemas/Cases_payload_pushed' + - $ref: '#/components/schemas/Cases_payload_settings' + - $ref: '#/components/schemas/Cases_payload_severity' + - $ref: '#/components/schemas/Cases_payload_status' + - $ref: '#/components/schemas/Cases_payload_tags' + - $ref: '#/components/schemas/Cases_payload_title' + - $ref: '#/components/schemas/Cases_payload_user_comment' + type: + $ref: '#/components/schemas/Cases_action_types' + required: + - action + - action_id + - case_id + - comment_id + - created_at + - created_by + - owner + - payload + - type + Cases_user_comment_response_properties: + title: Case response properties for user comments + type: object + properties: + comment: + example: A new comment. + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: + enum: + - user + example: user + type: string + updated_at: + example: null + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string + required: + - type + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: >- + Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] + not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before the data is available. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: + type: string + required: + - title + override: + default: false + description: >- + Override an existing data view if a data view with the provided + title already exists. + type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: >- + An array of space identifiers for sharing the data view between multiple + spaces. + items: + default: default + type: string + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. + type: string + type: + description: Mapping type of the runtime field. + type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: + type: string + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: > + Specify the type of the saved object reference to alter. The default + value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. + type: string + Data_views_title: + description: >- + Comma-separated list of data streams, indices, and aliases that you want + to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: > + The data view properties you want to update. Only the specified + properties are updated in the data view. Unspecified fields stay as + they are persisted. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: + type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. + type: boolean + required: + - data_view + Fleet_agent: + title: Agent + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + components: + items: + $ref: '#/components/schemas/Fleet_agent_component' + type: array + default_api_key: + type: string + default_api_key_id: + type: string + enrolled_at: + type: string + id: + type: string + last_checkin: + type: string + local_metadata: + $ref: '#/components/schemas/Fleet_agent_metadata' + metrics: + type: object + properties: + cpu_avg: + description: >- + Average agent CPU usage during the last 5 minutes, number + between 0-1 + type: number + memory_size_byte_avg: + description: Average agent memory consumption during the last 5 minutes + type: number + policy_id: + type: string + policy_revision: + type: number + status: + $ref: '#/components/schemas/Fleet_agent_status' + type: + $ref: '#/components/schemas/Fleet_agent_type' + unenrolled_at: + type: string + unenrollment_started_at: + type: string + user_provided_metadata: + $ref: '#/components/schemas/Fleet_agent_metadata' + required: + - type + - active + - enrolled_at + - id + - status + Fleet_agent_action: + oneOf: + - properties: + ack_data: + type: string + data: + type: string + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + - properties: + data: + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + type: + type: string + title: Agent action + Fleet_agent_component: + title: Agent component + type: object + properties: + id: + type: string + message: + type: string + status: + $ref: '#/components/schemas/Fleet_agent_component_status' + type: + type: string + units: + items: + $ref: '#/components/schemas/Fleet_agent_component_unit' + type: array + Fleet_agent_component_status: + enum: + - starting + - configuring + - healthy + - degraded + - failed + - stopping + - stopped + title: Agent component status + type: string + Fleet_agent_component_unit: + title: Agent component unit + type: object + properties: + id: + type: string + message: + type: string + payload: + type: object + status: + $ref: '#/components/schemas/Fleet_agent_component_status' + type: + $ref: '#/components/schemas/Fleet_agent_component_unit_type' + Fleet_agent_component_unit_type: + enum: + - input + - output + title: Agent component unit type + type: string + Fleet_agent_diagnostics: + title: Agent diagnostics + type: object + properties: + actionId: + type: string + createTime: + type: string + filePath: + type: string + id: + type: string + name: + type: string + status: + enum: + - READY + - AWAITING_UPLOAD + - DELETED + - IN_PROGRESS + required: + - id + - name + - createTime + - filePath + - actionId + - status + Fleet_agent_get_by_actions: + items: + items: + type: string + type: array + title: Agents get by action ids + type: array + Fleet_agent_metadata: + title: Agent metadata + type: object + Fleet_agent_policy: + title: Agent Policy + type: object + properties: + advanced_settings: + description: >- + Advanced settings stored in the agent policy, e.g. + agent_limits_go_max_procs + nullable: true + type: object + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + agents: + type: number + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + items: + additionalProperties: + oneOf: + - type: string + - type: number + description: >- + User defined data tags that are added to all of the inputs. The + values can be strings or numbers. + type: object + type: array + id: + type: string + inactivity_timeout: + type: integer + is_protected: + description: >- + Indicates whether the agent policy has tamper protection enabled. + Default false. + type: boolean + keep_monitoring_alive: + description: >- + When set to true, monitoring will be enabled but logs/metrics + collection will be disabled + nullable: true + type: boolean + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_output_id: + nullable: true + type: string + name: + type: string + namespace: + type: string + overrides: + description: >- + Override settings that are defined in the agent policy. Input + settings cannot be overridden. The override option should be used + only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_policies: + description: >- + This field is present only when retrieving a single agent policy, or + when retrieving a list of agent policies with the ?full=true + parameter + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + revision: + type: number + supports_agentless: + description: >- + Indicates whether the agent policy supports agentless integrations. + Only allowed in a serverless environment. + type: boolean + unenroll_timeout: + type: integer + unprivileged_agents: + type: number + updated_by: + type: string + updated_on: + format: date-time + type: string + required: + - id + - status + - name + - namespace + Fleet_agent_policy_create_request: + title: Create agent policy request + type: object + properties: + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + description: Force agent policy creation even if packages are not verified. + type: boolean + global_data_tags: + items: + additionalProperties: + oneOf: + - type: string + - type: number + description: >- + User defined data tags that are added to all of the inputs. The + values can be strings or numbers. + type: object + type: array + id: + type: string + inactivity_timeout: + type: integer + is_protected: + type: boolean + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_output_id: + nullable: true + type: string + name: + type: string + namespace: + type: string + unenroll_timeout: + type: integer + required: + - name + - namespace + Fleet_agent_policy_full: + oneOf: + - type: object + properties: + item: + type: string + - type: object + properties: + item: + $ref: '#/components/schemas/Fleet_full_agent_policy' + title: Agent policy full response + type: object + Fleet_agent_policy_update_request: + title: Update agent policy request + type: object + properties: + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + description: Force agent policy creation even if packages are not verified. + type: boolean + inactivity_timeout: + type: integer + is_protected: + type: boolean + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_output_id: + nullable: true + type: string + name: + type: string + namespace: + type: string + unenroll_timeout: + type: integer + required: + - name + - namespace + Fleet_agent_status: + enum: + - offline + - error + - online + - inactive + - warning + title: Elastic Agent status + type: string + Fleet_agent_type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + title: Agent type + type: string + Fleet_bulk_install_packages_response: + title: Bulk install packages response + type: object + properties: + items: + items: + type: object + properties: + name: + type: string + version: + type: string + type: array + response: + deprecated: true + items: + type: object + properties: + name: + type: string + version: + type: string + type: array + required: + - items + Fleet_bulk_upgrade_agents: + title: Bulk upgrade agents + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + force: + description: Force upgrade, skipping validation (should be used with caution) + type: boolean + rollout_duration_seconds: + description: rolling upgrade window duration in seconds + type: number + skipRateLimitCheck: + description: Skip rate limit check for upgrade + type: boolean + source_uri: + description: alternative upgrade binary download url + type: string + start_time: + description: start time of upgrade in ISO 8601 format + type: string + version: + description: version to upgrade to + type: string + required: + - agents + - version + Fleet_data_stream: + title: Data stream + type: object + properties: + dashboard: + items: + type: object + properties: + id: + type: string + title: + type: string + type: array + dataset: + type: string + index: + type: string + last_activity_ms: + type: number + namespace: + type: string + package: + type: string + package_version: + type: string + size_in_bytes: + type: number + size_in_bytes_formatted: + type: string + type: + type: string + Fleet_download_sources: + title: Download Source + type: object + properties: + host: + type: string + id: + type: string + is_default: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this download source. See the proxies + API for more information. + nullable: true + type: string + required: + - is_default + - name + - host + Fleet_elasticsearch_asset_type: + enum: + - component_template + - ingest_pipeline + - index_template + - ilm_policy + - transform + - data_stream_ilm_policy + title: Elasticsearch asset type + type: string + Fleet_enrollment_api_key: + title: Enrollment API key + type: object + properties: + active: + description: >- + When false, the enrollment API key is revoked and cannot be used for + enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + Fleet_fleet_server_host: + title: Fleet Server Host + type: object + properties: + host_urls: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + proxy_id: + type: string + required: + - fleet_server_hosts + - id + - is_default + - is_preconfigured + - host_urls + Fleet_fleet_settings_response: + title: Fleet settings response + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_settings' + required: + - item + Fleet_fleet_setup_response: + title: Fleet Setup response + type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + type: array + required: + - isInitialized + - nonFatalErrors + Fleet_fleet_status_response: + title: Fleet status response + type: object + properties: + isReady: + type: boolean + missing_optional_features: + items: + enum: + - encrypted_saved_object_encryption_key_required + type: string + type: array + missing_requirements: + items: + enum: + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + type: array + package_verification_key_id: + type: string + required: + - isReady + - missing_requirements + - missing_optional_features + Fleet_full_agent_policy: + title: Full agent policy + type: object + properties: + agent: + nullable: true + type: string + fleet: + oneOf: + - type: object + properties: + hosts: + items: + type: string + type: array + proxy_headers: {} + proxy_url: + type: string + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + - type: object + properties: + kibana: + type: object + properties: + hosts: + items: + type: string + type: array + path: + type: string + protocol: + type: string + id: + type: string + inputs: + type: string + output_permissions: + additionalProperties: + type: object + properties: + data: + $ref: >- + #/components/schemas/Fleet_full_agent_policy_output_permissions + output: + type: integer + type: object + outputs: + additionalProperties: + $ref: '#/components/schemas/Fleet_full_agent_policy_output' + type: object + revision: + type: number + secret_references: + items: + type: object + properties: + id: + type: string + type: array + required: + - id + - outputs + - inputs + Fleet_full_agent_policy_input: + allOf: + - additionalProperties: true + type: object + properties: + data_stream: + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + revision: + type: number + streams: + $ref: '#/components/schemas/Fleet_full_agent_policy_input_stream' + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + title: Full agent policy input + Fleet_full_agent_policy_input_stream: + allOf: + - additionalProperties: true + type: object + properties: + data_stream: + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + - type + id: + type: string + required: + - id + - data_stream + title: Full agent policy input stream + Fleet_full_agent_policy_output: + title: Full agent policy + type: object + properties: + additionalProperties: + type: object + properties: + text: {} + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + type: array + proxy_headers: {} + proxy_url: + type: string + type: {} + required: + - type + - hosts + - ca_sha256 + Fleet_full_agent_policy_output_permissions: + additionalProperties: + type: object + properties: + data: + type: object + properties: + cluster: + items: + type: string + type: array + indices: + items: + type: object + properties: + names: + items: + type: string + type: array + privileges: + items: + type: string + type: array + type: array + packagePolicyName: + type: string + title: Full agent policy output permissions + Fleet_get_agent_tags_response: + title: Get Agent Tags response + type: object + properties: + items: + items: + type: string + type: array + Fleet_get_agents_response: + title: Get Agent response + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_agent' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_agent' + type: array + page: + type: number + perPage: + type: number + statusSummary: + type: object + properties: + degraded': + type: number + enrolling: + type: number + error: + type: number + inactive: + type: number + offline: + type: number + online: + type: number + unenrolled: + type: number + unenrolling: + type: number + updating: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + Fleet_get_bulk_assets_response: + deprecated: true + properties: + items: + items: + type: object + properties: + appLink: + type: string + attributes: + type: object + properties: + description: + type: string + title: + type: string + id: + type: string + type: + $ref: '#/components/schemas/Fleet_saved_object_type' + updatedAt: + type: string + type: array + required: + - items + title: Bulk get assets response + type: object + Fleet_get_categories_response: + title: Get categories response + type: object + properties: + items: + items: + type: object + properties: + count: + type: number + id: + type: string + title: + type: string + required: + - id + - title + - count + type: array + response: + items: + deprecated: true + type: object + properties: + count: + type: number + id: + type: string + title: + type: string + required: + - id + - title + - count + type: array + required: + - items + Fleet_get_packages_response: + title: Get Packages response + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_search_result' + type: array + response: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_search_result' + type: array + required: + - items + Fleet_installation_info: + title: Installation info object + type: object + properties: + created_at: + type: string + experimental_data_stream_features: + type: array + properties: + data_stream: + type: string + features: + type: object + properties: + doc_value_only_numeric: + nullable: true + type: boolean + doc_value_only_other: + nullable: true + type: boolean + synthetic_source: + nullable: true + type: boolean + tsdb: + nullable: true + type: boolean + install_format_schema_version: + type: string + install_kibana_space_id: + type: string + install_source: + enum: + - registry + - upload + - bundled + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + $ref: '#/components/schemas/Fleet_elasticsearch_asset_type' + installed_kibana: + type: object + properties: + id: + type: string + type: + $ref: '#/components/schemas/Fleet_kibana_saved_object_type' + latest_executed_state: + description: Latest successfully executed state in package install state machine + type: object + properties: + error: + type: string + name: + enum: + - create_restart_installation + - install_kibana_assets + - install_ilm_policies + - install_ml_model + - install_index_template_pipelines + - remove_legacy_templates + - update_current_write_indices + - install_transforms + - delete_previous_pipelines + - save_archive_entries_from_assets_map + - update_so + type: string + started_at: + type: string + latest_install_failed_attempts: + description: Latest failed install errors + items: + type: object + properties: + created_at: + type: string + error: + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + target_version: + type: string + type: array + name: + type: string + namespaces: + items: + type: string + type: array + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - verified + - unverified + - unknown + type: string + version: + type: string + required: + - installed_kibana + - installed_es + - name + - version + - install_status + - install_version + - install_started_at + - install_source + - verification_status + - latest_install_failed_attempts + Fleet_kibana_saved_object_type: + enum: + - dashboard + - visualization + - search + - index-pattern + - map + - lens + - ml-module + - security-rule + - csp_rule_template + title: Kibana saved object asset type + type: string + Fleet_new_package_policy: + description: '' + properties: + description: + type: string + enabled: + type: boolean + inputs: + items: + type: object + properties: + config: + type: object + enabled: + type: boolean + processors: + items: + type: string + type: array + streams: + items: {} + type: array + type: + type: string + vars: + type: object + required: + - type + - enabled + type: array + name: + type: string + namespace: + type: string + output_id: + type: string + overrides: + type: object + package: + type: object + properties: + name: + type: string + requires_root: + type: boolean + title: + type: string + version: + type: string + required: + - name + - version + policy_id: + deprecated: true + nullable: true + type: string + policy_ids: + items: + type: string + type: array + required: + - inputs + - name + title: New package policy + type: object + Fleet_output_create_request: + discriminator: + mapping: + elasticsearch: '#/components/schemas/Fleet_output_create_request_elasticsearch' + kafka: '#/components/schemas/Fleet_output_create_request_kafka' + logstash: '#/components/schemas/Fleet_output_create_request_logstash' + remote_elasticsearch: >- + #/components/schemas/Fleet_output_create_request_remote_elasticsearch + propertyName: type + oneOf: + - $ref: '#/components/schemas/Fleet_output_create_request_elasticsearch' + - $ref: '#/components/schemas/Fleet_output_create_request_kafka' + - $ref: '#/components/schemas/Fleet_output_create_request_logstash' + - $ref: >- + #/components/schemas/Fleet_output_create_request_remote_elasticsearch + title: Output + Fleet_output_create_request_elasticsearch: + title: elasticsearch + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - elasticsearch + type: string + required: + - name + Fleet_output_create_request_kafka: + title: kafka + type: object + properties: + auth_type: + type: string + broker_timeout: + type: number + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + client_id: + type: string + compression: + type: string + compression_level: + type: number + config: + type: object + config_yaml: + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + headers: + items: + type: object + properties: + key: + type: string + value: + type: string + type: array + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + key: + type: string + name: + type: string + partition: + type: string + password: + type: string + proxy_id: + type: string + random: + type: object + properties: + group_events: + type: number + required_acks: + type: number + round_robin: + type: object + properties: + group_events: + type: number + sasl: + type: object + properties: + mechanism: + type: string + secrets: + type: object + properties: + password: + type: string + ssl: + type: object + properties: + key: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + verification_mode: + enum: + - none + - full + - certificate + - strict + type: string + timeout: + type: number + topic: + type: string + topics: + deprecated: true + description: Use topic instead. + items: + type: object + properties: + topic: + type: string + when: + deprecated: true + description: >- + Deprecated, kafka output do not support conditionnal topics + anymore. + type: object + properties: + condition: + type: string + type: + type: string + type: array + type: + enum: + - kafka + type: string + username: + type: string + version: + type: string + required: + - name + - type + - topics + - auth_type + - hosts + Fleet_output_create_request_logstash: + title: logstash + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + type: string + secrets: + type: object + properties: + ssl: + type: object + properties: + key: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - logstash + type: string + required: + - name + - hosts + - type + Fleet_output_create_request_remote_elasticsearch: + title: remote_elasticsearch + type: object + properties: + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + secrets: + type: object + properties: + service_token: + type: string + service_token: + type: string + type: + enum: + - remote_elasticsearch + type: string + required: + - name + Fleet_output_update_request: + discriminator: + mapping: + elasticsearch: '#/components/schemas/Fleet_output_update_request_elasticsearch' + kafka: '#/components/schemas/Fleet_output_update_request_kafka' + logstash: '#/components/schemas/Fleet_output_update_request_logstash' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Fleet_output_update_request_elasticsearch' + - $ref: '#/components/schemas/Fleet_output_update_request_kafka' + - $ref: '#/components/schemas/Fleet_output_update_request_logstash' + title: Output + Fleet_output_update_request_elasticsearch: + title: elasticsearch + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - elasticsearch + type: string + required: + - name + - hosts + - type + Fleet_output_update_request_kafka: + title: kafka + type: object + properties: + auth_type: + type: string + broker_timeout: + type: number + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + client_id: + type: string + compression: + type: string + compression_level: + type: number + config: + type: object + config_yaml: + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + headers: + items: + type: object + properties: + key: + type: string + value: + type: string + type: array + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + key: + type: string + name: + type: string + partition: + type: string + password: + type: string + proxy_id: + type: string + random: + type: object + properties: + group_events: + type: number + required_acks: + type: number + round_robin: + type: object + properties: + group_events: + type: number + sasl: + type: object + properties: + mechanism: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + verification_mode: + enum: + - none + - full + - certificate + - strict + type: string + timeout: + type: number + topic: + type: string + topics: + deprecated: true + description: Use topic instead. + items: + type: object + properties: + topic: + type: string + when: + deprecated: true + description: >- + Deprecated, kafka output do not support conditionnal topics + anymore. + type: object + properties: + condition: + type: string + type: + type: string + type: array + type: + enum: + - kafka + type: string + username: + type: string + version: + type: string + required: + - name + Fleet_output_update_request_logstash: + title: logstash + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - logstash + type: string + required: + - name + Fleet_package_info: + title: Package information + type: object + properties: + assets: + items: + type: string + type: array + categories: + items: + type: string + type: array + conditions: + type: object + properties: + elasticsearch: + type: object + properties: + subscription: + enum: + - basic + - gold + - platinum + - enterprise + type: string + kibana: + type: object + properties: + versions: + type: string + data_streams: + items: + type: object + properties: + ingeset_pipeline: + type: string + name: + type: string + package: + type: string + release: + type: string + title: + type: string + type: + type: string + vars: + items: + type: object + properties: + default: + type: string + name: + type: string + required: + - name + - default + type: array + required: + - title + - name + - release + - ingeset_pipeline + - type + - package + type: array + description: + type: string + download: + type: string + elasticsearch: + type: object + properties: + privileges: + type: object + properties: + cluster: + items: + type: string + type: array + format_version: + type: string + icons: + items: + type: string + type: array + internal: + type: boolean + name: + type: string + path: + type: string + readme: + type: string + release: + deprecated: true + description: >- + release label is deprecated, derive from the version instead + (packages follow semver) + enum: + - experimental + - beta + - ga + type: string + screenshots: + items: + type: object + properties: + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + - path + type: array + source: + type: object + properties: + license: + enum: + - Apache-2.0 + - Elastic-2.0 + type: string + title: + type: string + type: + type: string + version: + type: string + required: + - name + - title + - version + - description + - type + - categories + - conditions + - assets + - format_version + - download + - path + Fleet_package_policy: + allOf: + - type: object + properties: + id: + type: string + inputs: + oneOf: + - items: {} + type: array + - type: object + revision: + type: number + required: + - id + - revision + - $ref: '#/components/schemas/Fleet_new_package_policy' + title: Package policy + Fleet_package_policy_request: + title: Package Policy Request + type: object + properties: + description: + description: Package policy description + example: my description + type: string + force: + description: >- + Force package policy creation even if package is not verified, or if + the agent policy is managed. + type: boolean + id: + description: Package policy unique identifier + type: string + inputs: + additionalProperties: + type: object + properties: + enabled: + description: enable or disable that input, (default to true) + type: boolean + streams: + additionalProperties: + type: object + properties: + enabled: + description: enable or disable that stream, (default to true) + type: boolean + vars: + description: >- + Stream level variable (see integration documentation for + more information) + type: object + description: >- + Input streams (see integration documentation to know what + streams are available) + type: object + vars: + description: >- + Input level variable (see integration documentation for more + information) + type: object + description: >- + Package policy inputs (see integration documentation to know what + inputs are available) + example: + nginx-logfile: + enabled: true + streams: + nginx.access: + enabled: true + vars: + ignore_older: 72h + paths: + - /var/log/nginx/access.log* + preserve_original_event: false + tags: + - nginx-access + type: object + name: + description: Package policy name (should be unique) + example: nginx-123 + type: string + namespace: + description: >- + The package policy namespace. Leave blank to inherit the agent + policy's namespace. + example: customnamespace + type: string + output_id: + description: Output ID to send package data to + example: output-id + nullable: true + type: string + overrides: + description: >- + Override settings that are defined in the package policy. The + override option should be used only in unusual circumstances and not + as a routine procedure. + nullable: true + type: object + properties: + inputs: + type: object + package: + type: object + properties: + name: + description: Package name + example: nginx + type: string + version: + description: Package version + example: 1.6.0 + type: string + required: + - name + - version + policy_id: + deprecated: true + description: Agent policy ID where that package policy will be added + example: agent-policy-id + nullable: true + type: string + policy_ids: + description: Agent policy IDs where that package policy will be added + example: + - agent-policy-id + items: + type: string + type: array + vars: + description: >- + Package root level variable (see integration documentation for more + information) + type: object + required: + - name + - package + Fleet_package_usage_stats: + title: Package usage stats + type: object + properties: + agent_policy_count: + type: integer + required: + - agent_policy_count + Fleet_proxies: + title: Fleet Proxy + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + id: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + required: + - name + - url + Fleet_saved_object_type: + oneOf: + - enum: + - dashboard + - visualization + - search + - index_pattern + - map + - lens + - security_rule + - csp_rule_template + - ml_module + - tag + - osquery_pack_asset + - osquery_saved_query + type: string + - enum: + - index + - component_template + - ingest_pipeline + - index_template + - ilm_policy + - transform + - data_stream_ilm_policy + - ml_model + type: string + title: Saved Object type + Fleet_search_result: + title: Search result + type: object + properties: + description: + type: string + download: + type: string + icons: + type: string + installationInfo: + $ref: '#/components/schemas/Fleet_installation_info' + name: + type: string + path: + type: string + savedObject: + deprecated: true + type: object + status: + type: string + title: + type: string + type: + type: string + version: + type: string + required: + - description + - download + - icons + - name + - path + - title + - type + - version + - status + Fleet_settings: + title: Settings + type: object + properties: + fleet_server_hosts: + deprecated: true + items: + type: string + type: array + has_seen_add_data_notice: + type: boolean + id: + type: string + prerelease_integrations_enabled: + type: boolean + required: + - fleet_server_hosts + - id + Fleet_upgrade_agent: + title: Upgrade agent + type: object + properties: + force: + description: Force upgrade, skipping validation (should be used with caution) + type: boolean + skipRateLimitCheck: + description: Skip rate limit check for upgrade + type: boolean + source_uri: + type: string + version: + type: string + required: + - version + Fleet_upgrade_agent_diff: + items: + items: + $ref: '#/components/schemas/Fleet_full_agent_policy_input' + type: array + title: Package policy Upgrade dryrun + type: array + Fleet_upgrade_diff: + items: + allOf: + - $ref: '#/components/schemas/Fleet_package_policy' + - allOf: + - $ref: '#/components/schemas/Fleet_new_package_policy' + - type: object + properties: + errors: + items: + type: object + properties: + key: + type: string + message: + type: string + type: array + missingVars: + items: + type: string + type: array + type: object + title: Package policy Upgrade dryrun + type: array + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. + type: object + properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false + type: object + properties: + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + required: + - level + required: + - overall + required: + - status + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: >- + Kibana's operational status as well as a detailed breakdown of plugin + statuses indication of various loads (like event loop utilization and + network traffic) at time of request. + type: object + properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. + type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. + type: string + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. + type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: >- + Unique, generated Kibana instance UUID. This UUID should persist + even if the Kibana process restarts. + type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. + type: string + build_flavor: + description: >- + The build flavour determines configuration and behavior of + Kibana. On premise users will almost always run the + "traditional" flavour, while other flavours are reserved for + Elastic-specific use cases. + enum: + - serverless + - traditional + type: string + build_hash: + description: >- + A unique hash value representing the git commit of this Kibana + build. + type: string + build_number: + description: >- + A monotonically increasing number, each subsequent build will + have a higher number. + type: number + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. + type: string + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + Machine_learning_APIs_mlSync200Response: + properties: + datafeedsAdded: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job is missing a datafeed + identifier, it is added when you run the sync machine learning saved + objects API. + type: object + datafeedsRemoved: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job references a datafeed + that no longer exists, it is deleted when you run the sync machine + learning saved objects API. + type: object + savedObjectsCreated: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + savedObjectsDeleted: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + title: Successful sync API response + type: object + Machine_learning_APIs_mlSync4xxResponse: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful sync API response + type: object + Machine_learning_APIs_mlSyncResponseAnomalyDetectors: + description: >- + The sync machine learning saved objects API response contains this + object when there are anomaly detection jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for anomaly detection jobs + type: object + Machine_learning_APIs_mlSyncResponseDatafeeds: + description: >- + The sync machine learning saved objects API response contains this + object when there are datafeeds affected by the synchronization. There + is an object for each relevant datafeed, which contains the + synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for datafeeds + type: object + Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: + description: >- + The sync machine learning saved objects API response contains this + object when there are data frame analytics jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for data frame analytics jobs + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: + description: >- + If saved objects are missing for machine learning jobs or trained + models, they are created when you run the sync machine learning saved + objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If saved objects are missing for anomaly detection jobs, they are + created. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If saved objects are missing for data frame analytics jobs, they are + created. + type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: If saved objects are missing for trained models, they are created. + type: object + title: Sync API response for created saved objects + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: + description: >- + If saved objects exist for machine learning jobs or trained models that + no longer exist, they are deleted when you run the sync machine learning + saved objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If there are saved objects exist for nonexistent anomaly detection + jobs, they are deleted. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If there are saved objects exist for nonexistent data frame + analytics jobs, they are deleted. + type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: >- + If there are saved objects exist for nonexistent trained models, + they are deleted. + type: object + title: Sync API response for deleted saved objects + type: object + Machine_learning_APIs_mlSyncResponseSuccess: + description: The success or failure of the synchronization. + type: boolean + Machine_learning_APIs_mlSyncResponseTrainedModels: + description: >- + The sync machine learning saved objects API response contains this + object when there are trained models affected by the synchronization. + There is an object for each relevant trained model, which contains the + synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for trained models + type: object + Saved_objects_400_response: + title: Bad request + type: object + properties: + error: + enum: + - Bad Request + type: string + message: + type: string + statusCode: + enum: + - 400 + type: integer + required: + - error + - message + - statusCode + Saved_objects_attributes: + description: > + The data that you want to create. WARNING: When you create saved + objects, attributes are not validated, which allows you to pass + arbitrary and ill-formed data into the API that can break Kibana. Make + sure any data that you send to the API is properly formed. + type: object + Saved_objects_initial_namespaces: + description: > + Identifiers for the spaces in which this object is created. If this is + provided, the object is created only in the explicitly defined spaces. + If this is not provided, the object is created in the current space + (default behavior). For shareable object types (registered with + `namespaceType: 'multiple'`), this option can be used to specify one or + more spaces, including the "All spaces" identifier ('*'). For isolated + object types (registered with `namespaceType: 'single'` or + `namespaceType: 'multiple-isolated'`), this option can only be used to + specify a single space, and the "All spaces" identifier ('*') is not + allowed. For global object types (`registered with `namespaceType: + agnostic`), this option cannot be used. + type: array + Saved_objects_references: + description: > + Objects with `name`, `id`, and `type` properties that describe the other + saved objects that this object references. Use `name` in attributes to + refer to the other saved object, but never the `id`, which can update + automatically during migrations or import and export. + type: array + Security_AI_Assistant_API_AnonymizationFieldCreateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + field: + type: string + required: + - field + Security_AI_Assistant_API_AnonymizationFieldDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_AnonymizationFieldResponse: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + createdAt: + type: string + createdBy: + type: string + field: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + namespace: + description: Kibana space + type: string + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + updatedBy: + type: string + required: + - id + - field + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: + enum: + - ANONYMIZATION_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + required: + - id + - skip_reason + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: + type: object + properties: + anonymization_fields_count: + type: integer + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + - summary + message: + type: string + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + type: array + updated: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_AnonymizationFieldUpdateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + id: + type: string + required: + - id + Security_AI_Assistant_API_ApiConfig: + type: object + properties: + actionTypeId: + description: action type id + type: string + connectorId: + description: connector id + type: string + defaultSystemPromptId: + description: defaultSystemPromptId + type: string + model: + description: model + type: string + provider: + $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' + description: Provider + required: + - connectorId + - actionTypeId + Security_AI_Assistant_API_BulkCrudActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_AI_Assistant_API_ChatCompleteProps: + type: object + properties: + connectorId: + type: string + conversationId: + type: string + isStream: + type: boolean + langSmithApiKey: + type: string + langSmithProject: + type: string + messages: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' + type: array + model: + type: string + persist: + type: boolean + promptId: + type: string + responseLanguage: + type: string + required: + - messages + - persist + - connectorId + Security_AI_Assistant_API_ChatMessage: + description: AI assistant message. + type: object + properties: + content: + description: Message content. + type: string + data: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' + description: ECS object to attach to the context of the message. + fields_to_anonymize: + items: + type: string + type: array + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' + description: Message role. + required: + - role + Security_AI_Assistant_API_ChatMessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_ConversationCategory: + description: The conversation category. + enum: + - assistant + - insights + type: string + Security_AI_Assistant_API_ConversationConfidence: + description: The conversation confidence. + enum: + - low + - medium + - high + type: string + Security_AI_Assistant_API_ConversationCreateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + description: The conversation id. + type: string + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + title: + description: The conversation title. + type: string + required: + - title + Security_AI_Assistant_API_ConversationResponse: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + createdAt: + description: The last time conversation was updated. + type: string + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + namespace: + description: Kibana space + type: string + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + title: + description: The conversation title. + type: string + updatedAt: + description: The last time conversation was updated. + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - title + - createdAt + - users + - namespace + - category + Security_AI_Assistant_API_ConversationSummary: + type: object + properties: + confidence: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationConfidence + description: >- + How confident you are about this being a correct and useful + learning. + content: + description: Summary text of the conversation over time. + type: string + public: + description: Define if summary is marked as publicly available. + type: boolean + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp summary was updated. + Security_AI_Assistant_API_ConversationUpdateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + title: + description: The conversation title. + type: string + required: + - id + Security_AI_Assistant_API_FindAnonymizationFieldsSortField: + enum: + - created_at + - anonymized + - allowed + - field + - updated_at + type: string + Security_AI_Assistant_API_FindConversationsSortField: + enum: + - created_at + - is_default + - title + - updated_at + type: string + Security_AI_Assistant_API_FindPromptsSortField: + enum: + - created_at + - is_default + - name + - updated_at + type: string + Security_AI_Assistant_API_Message: + description: AI assistant conversation message. + type: object + properties: + content: + description: Message content. + type: string + isError: + description: Is error message. + type: boolean + reader: + $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' + description: Message content. + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' + description: Message role. + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp message was sent or received. + traceData: + $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' + description: trace Data + required: + - timestamp + - content + - role + Security_AI_Assistant_API_MessageData: + additionalProperties: true + type: object + Security_AI_Assistant_API_MessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_AI_Assistant_API_NormalizedAnonymizationFieldError: + type: object + properties: + anonymization_fields: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + type: array + err_code: + type: string + message: + type: string + status_code: + type: integer + required: + - message + - status_code + - anonymization_fields + Security_AI_Assistant_API_NormalizedPromptError: + type: object + properties: + err_code: + type: string + message: + type: string + prompts: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + type: array + status_code: + type: integer + required: + - message + - status_code + - prompts + Security_AI_Assistant_API_PromptCreateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + required: + - name + - content + - promptType + Security_AI_Assistant_API_PromptDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_PromptResponse: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + createdAt: + type: string + createdBy: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + namespace: + description: Kibana space + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + updatedBy: + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - name + - promptType + - content + Security_AI_Assistant_API_PromptsBulkActionSkipReason: + enum: + - PROMPT_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_PromptsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason + required: + - id + - skip_reason + Security_AI_Assistant_API_PromptsBulkCrudActionResponse: + type: object + properties: + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + - summary + message: + type: string + prompts_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_PromptsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + type: array + updated: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_PromptType: + description: Prompt type + enum: + - system + - quick + type: string + Security_AI_Assistant_API_PromptUpdateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + id: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + required: + - id + Security_AI_Assistant_API_Provider: + description: Provider + enum: + - OpenAI + - Azure OpenAI + type: string + Security_AI_Assistant_API_Reader: + additionalProperties: true + type: object + Security_AI_Assistant_API_Replacements: + additionalProperties: + type: string + description: Replacements object used to anonymize/deanomymize messsages + type: object + Security_AI_Assistant_API_SortOrder: + enum: + - asc + - desc + type: string + Security_AI_Assistant_API_TraceData: + description: trace Data + type: object + properties: + traceId: + description: Could be any string, not necessarily a UUID + type: string + transactionId: + description: Could be any string, not necessarily a UUID + type: string + Security_AI_Assistant_API_User: + description: Could be any string, not necessarily a UUID + type: object + properties: + id: + description: User id + type: string + name: + description: User name + type: string + Security_Solution_Detections_API_AlertAssignees: + type: object + properties: + add: + description: A list of users ids to assign. + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + remove: + description: A list of users ids to unassign. + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + required: + - add + - remove + Security_Solution_Detections_API_AlertIds: + description: A list of alerts ids. + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + minItems: 1 + type: array + Security_Solution_Detections_API_AlertsIndex: + deprecated: true + description: (deprecated) Has no effect. + type: string + Security_Solution_Detections_API_AlertsIndexMigrationError: + type: object + properties: + error: + type: object + properties: + message: + type: string + status_code: + type: string + required: + - message + - status_code + index: + type: string + required: + - index + - error + Security_Solution_Detections_API_AlertsIndexMigrationSuccess: + type: object + properties: + index: + type: string + migration_id: + type: string + migration_index: + type: string + required: + - index + - migration_id + - migration_index + Security_Solution_Detections_API_AlertsIndexNamespace: + description: Has no effect. + type: string + Security_Solution_Detections_API_AlertsReindexOptions: + type: object + properties: + requests_per_second: + minimum: 1 + type: integer + size: + minimum: 1 + type: integer + slices: + minimum: 1 + type: integer + Security_Solution_Detections_API_AlertsSort: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSortCombinations + - items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSortCombinations + type: array + Security_Solution_Detections_API_AlertsSortCombinations: + anyOf: + - type: string + - additionalProperties: true + type: object + Security_Solution_Detections_API_AlertStatus: + enum: + - open + - closed + - acknowledged + - in-progress + type: string + Security_Solution_Detections_API_AlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionDuration + group_by: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionGroupBy + missing_fields_strategy: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionMissingFieldsStrategy + required: + - group_by + Security_Solution_Detections_API_AlertSuppressionDuration: + type: object + properties: + unit: + enum: + - s + - m + - h + type: string + value: + minimum: 1 + type: integer + required: + - value + - unit + Security_Solution_Detections_API_AlertSuppressionGroupBy: + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Solution_Detections_API_AlertSuppressionMissingFieldsStrategy: + description: >- + Describes how alerts will be generated for documents with missing + suppress by fields: + + doNotSuppress - per each document a separate alert will be created + + suppress - only alert will be created per suppress by bucket + enum: + - doNotSuppress + - suppress + type: string + Security_Solution_Detections_API_AlertTag: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + Security_Solution_Detections_API_AlertTags: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTag' + type: array + Security_Solution_Detections_API_AlertVersion: + type: object + properties: + count: + type: integer + version: + type: integer + required: + - version + - count + Security_Solution_Detections_API_AnomalyThreshold: + description: Anomaly threshold + minimum: 0 + type: integer + Security_Solution_Detections_API_BuildingBlockType: + description: >- + Determines if the rule acts as a building block. By default, + building-block alerts are not displayed in the UI. These rules are used + as a foundation for other rules that do generate alerts. Its value must + be default. + type: string + Security_Solution_Detections_API_BulkActionEditPayload: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadTags + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadIndexPatterns + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadInvestigationFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadTimeline + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadRuleActions + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadSchedule + Security_Solution_Detections_API_BulkActionEditPayloadIndexPatterns: + type: object + properties: + overwrite_data_views: + type: boolean + type: + enum: + - add_index_patterns + - delete_index_patterns + - set_index_patterns + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadInvestigationFields: + type: object + properties: + type: + enum: + - add_investigation_fields + - delete_investigation_fields + - set_investigation_fields + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadRuleActions: + type: object + properties: + type: + enum: + - add_rule_actions + - set_rule_actions + type: string + value: + type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NormalizedRuleAction + type: array + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThrottleForBulkActions + required: + - actions + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadSchedule: + type: object + properties: + type: + enum: + - set_schedule + type: string + value: + type: object + properties: + interval: + description: >- + Interval in which the rule runs. For example, `"1h"` means the + rule runs every hour. + example: 1h + pattern: ^[1-9]\d*[smh]$ + type: string + lookback: + description: Lookback time for the rule + example: 1h + pattern: ^[1-9]\d*[smh]$ + type: string + required: + - interval + - lookback + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadTags: + type: object + properties: + type: + enum: + - add_tags + - delete_tags + - set_tags + type: string + value: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleTagArray' + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadTimeline: + type: object + properties: + type: + enum: + - set_timeline + type: string + value: + type: object + properties: + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + required: + - timeline_id + - timeline_title + required: + - type + - value + Security_Solution_Detections_API_BulkActionsDryRunErrCode: + enum: + - IMMUTABLE + - MACHINE_LEARNING_AUTH + - MACHINE_LEARNING_INDEX_PATTERN + - ESQL_INDEX_PATTERN + - MANUAL_RULE_RUN_FEATURE + - MANUAL_RULE_RUN_DISABLED_RULE + type: string + Security_Solution_Detections_API_BulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditSkipReason + required: + - id + - skip_reason + Security_Solution_Detections_API_BulkCrudRulesResponse: + items: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + - $ref: '#/components/schemas/Security_Solution_Detections_API_ErrorSchema' + type: array + Security_Solution_Detections_API_BulkDeleteRules: + type: object + properties: + action: + enum: + - delete + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkDisableRules: + type: object + properties: + action: + enum: + - disable + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkDuplicateRules: + type: object + properties: + action: + enum: + - duplicate + type: string + duplicate: + type: object + properties: + include_exceptions: + description: Whether to copy exceptions from the original rule + type: boolean + include_expired_exceptions: + description: Whether to copy expired exceptions from the original rule + type: boolean + required: + - include_exceptions + - include_expired_exceptions + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkEditActionResponse: + type: object + properties: + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NormalizedRuleError + type: array + results: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditActionResults + summary: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditActionSummary + required: + - results + - summary + message: + type: string + rules_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_Solution_Detections_API_BulkEditActionResults: + type: object + properties: + created: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + deleted: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionSkipResult + type: array + updated: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_Solution_Detections_API_BulkEditActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_Solution_Detections_API_BulkEditRules: + type: object + properties: + action: + enum: + - edit + type: string + edit: + description: Array of objects containing the edit operations + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayload + minItems: 1 + type: array + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + - edit + Security_Solution_Detections_API_BulkEditSkipReason: + enum: + - RULE_NOT_MODIFIED + type: string + Security_Solution_Detections_API_BulkEnableRules: + type: object + properties: + action: + enum: + - enable + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkExportActionResponse: + type: string + Security_Solution_Detections_API_BulkExportRules: + type: object + properties: + action: + enum: + - export + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkManualRuleRun: + type: object + properties: + action: + enum: + - run + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + run: + type: object + properties: + end_date: + description: End date of the manual rule run + type: string + start_date: + description: Start date of the manual rule run + type: string + required: + - start_date + required: + - action + - run + Security_Solution_Detections_API_ConcurrentSearches: + minimum: 1 + type: integer + Security_Solution_Detections_API_DataViewId: + type: string + Security_Solution_Detections_API_DefaultParams: + type: object + properties: + command: + enum: + - isolate + type: string + comment: + type: string + required: + - command + Security_Solution_Detections_API_EcsMapping: + additionalProperties: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + type: object + Security_Solution_Detections_API_EndpointResponseAction: + type: object + properties: + action_type_id: + enum: + - .endpoint + type: string + params: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_DefaultParams + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ProcessesParams + required: + - action_type_id + - params + Security_Solution_Detections_API_EqlOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + event_category_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EventCategoryOverride + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + tiebreaker_field: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TiebreakerField + timestamp_field: + $ref: '#/components/schemas/Security_Solution_Detections_API_TimestampField' + Security_Solution_Detections_API_EqlQueryLanguage: + enum: + - eql + type: string + Security_Solution_Detections_API_EqlRequiredFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlQueryLanguage + description: Query language to use + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql + type: string + required: + - type + - query + - language + Security_Solution_Detections_API_EqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleResponseFields + Security_Solution_Detections_API_EqlRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateFields + Security_Solution_Detections_API_EqlRulePatchFields: + allOf: + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlQueryLanguage + description: Query language to use + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRulePatchFields + Security_Solution_Detections_API_EqlRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateFields + Security_Solution_Detections_API_ErrorSchema: + additionalProperties: false + type: object + properties: + error: + type: object + properties: + message: + type: string + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + id: + type: string + item_id: + minLength: 1 + type: string + list_id: + minLength: 1 + type: string + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + required: + - error + Security_Solution_Detections_API_EsqlQueryLanguage: + enum: + - esql + type: string + Security_Solution_Detections_API_EsqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleResponseFields + Security_Solution_Detections_API_EsqlRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleRequiredFields + Security_Solution_Detections_API_EsqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateFields + Security_Solution_Detections_API_EsqlRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + Security_Solution_Detections_API_EsqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlQueryLanguage + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: ESQL query to execute + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + type: + description: Rule type + enum: + - esql + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + Security_Solution_Detections_API_EsqlRuleRequiredFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: ESQL query to execute + type: + description: Rule type + enum: + - esql + type: string + required: + - type + - language + - query + Security_Solution_Detections_API_EsqlRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleRequiredFields + Security_Solution_Detections_API_EsqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateFields + Security_Solution_Detections_API_EventCategoryOverride: + type: string + Security_Solution_Detections_API_ExceptionListType: + description: The exception type + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Detections_API_ExternalRuleSource: + description: >- + Type of rule source for externally sourced rules, i.e. rules that have + an external source, such as the Elastic Prebuilt rules repo. + type: object + properties: + is_customized: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsExternalRuleCustomized + type: + enum: + - external + type: string + required: + - type + - is_customized + Security_Solution_Detections_API_FindRulesSortField: + enum: + - created_at + - createdAt + - enabled + - execution_summary.last_execution.date + - execution_summary.last_execution.metrics.execution_gap_duration_s + - execution_summary.last_execution.metrics.total_indexing_duration_ms + - execution_summary.last_execution.metrics.total_search_duration_ms + - execution_summary.last_execution.status + - name + - risk_score + - riskScore + - severity + - updated_at + - updatedAt + type: string + Security_Solution_Detections_API_HistoryWindowStart: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + Security_Solution_Detections_API_IndexMigrationStatus: + type: object + properties: + index: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + is_outdated: + type: boolean + migrations: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MigrationStatus + type: array + signal_versions: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertVersion' + type: array + version: + type: integer + required: + - index + - version + - signal_versions + - migrations + - is_outdated + Security_Solution_Detections_API_IndexPatternArray: + items: + type: string + type: array + Security_Solution_Detections_API_InternalRuleSource: + description: >- + Type of rule source for internally sourced rules, i.e. created within + the Kibana apps. + type: object + properties: + type: + enum: + - internal + type: string + required: + - type + Security_Solution_Detections_API_InvestigationFields: + description: > + Schema for fields relating to investigation fields. These are user + defined fields we use to highlight + + in various features in the UI such as alert details flyout and + exceptions auto-population from alert. + + Added in PR #163235 + + Right now we only have a single field but anticipate adding more related + fields to store various + + configuration states such as `override` - where a user might say if they + want only these fields to + + display, or if they want these fields + the fields we select. When + expanding this field, it may look + + something like: + + ```typescript + + const investigationFields = z.object({ + field_names: NonEmptyArray(NonEmptyString), + override: z.boolean().optional(), + }); + + ``` + type: object + properties: + field_names: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + minItems: 1 + type: array + required: + - field_names + Security_Solution_Detections_API_InvestigationGuide: + description: Notes to help investigate alerts produced by the rule. + type: string + Security_Solution_Detections_API_IsExternalRuleCustomized: + description: >- + Determines whether an external/prebuilt rule has been customized by the + user (i.e. any of its fields have been modified and diverged from the + base value). + type: boolean + Security_Solution_Detections_API_IsRuleEnabled: + description: Determines whether the rule is enabled. + type: boolean + Security_Solution_Detections_API_IsRuleImmutable: + deprecated: true + description: >- + This field determines whether the rule is a prebuilt Elastic rule. It + will be replaced with the `rule_source` field. + type: boolean + Security_Solution_Detections_API_ItemsPerSearch: + minimum: 1 + type: integer + Security_Solution_Detections_API_KqlQueryLanguage: + enum: + - kuery + - lucene + type: string + Security_Solution_Detections_API_MachineLearningJobId: + description: Machine learning job ID + oneOf: + - type: string + - items: + type: string + minItems: 1 + type: array + Security_Solution_Detections_API_MachineLearningRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleResponseFields + Security_Solution_Detections_API_MachineLearningRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateFields + Security_Solution_Detections_API_MachineLearningRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + Security_Solution_Detections_API_MachineLearningRulePatchFields: + allOf: + - type: object + properties: + anomaly_threshold: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AnomalyThreshold + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningJobId + type: + description: Rule type + enum: + - machine_learning + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRulePatchFields + Security_Solution_Detections_API_MachineLearningRuleRequiredFields: + type: object + properties: + anomaly_threshold: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AnomalyThreshold + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningJobId + type: + description: Rule type + enum: + - machine_learning + type: string + required: + - type + - machine_learning_job_id + - anomaly_threshold + Security_Solution_Detections_API_MachineLearningRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateFields + Security_Solution_Detections_API_MaxSignals: + minimum: 1 + type: integer + Security_Solution_Detections_API_MigrationCleanupResult: + type: object + properties: + destinationIndex: + type: string + error: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - message + - status_code + id: + type: string + sourceIndex: + type: string + status: + enum: + - success + - failure + - pending + type: string + updated: + format: date-time + type: string + version: + type: string + required: + - id + - destinationIndex + - status + - sourceIndex + - version + - updated + Security_Solution_Detections_API_MigrationFinalizationResult: + type: object + properties: + completed: + type: boolean + destinationIndex: + type: string + error: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - message + - status_code + id: + type: string + sourceIndex: + type: string + status: + enum: + - success + - failure + - pending + type: string + updated: + format: date-time + type: string + version: + type: string + required: + - id + - completed + - destinationIndex + - status + - sourceIndex + - version + - updated + Security_Solution_Detections_API_MigrationStatus: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + status: + enum: + - success + - failure + - pending + type: string + updated: + format: date-time + type: string + version: + type: integer + required: + - id + - status + - version + - updated + Security_Solution_Detections_API_NewTermsFields: + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Solution_Detections_API_NewTermsRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleResponseFields + Security_Solution_Detections_API_NewTermsRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleDefaultableFields + Security_Solution_Detections_API_NewTermsRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateFields + Security_Solution_Detections_API_NewTermsRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_NewTermsRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + Security_Solution_Detections_API_NewTermsRulePatchFields: + allOf: + - type: object + properties: + history_window_start: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_HistoryWindowStart + new_terms_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsFields + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleDefaultableFields + Security_Solution_Detections_API_NewTermsRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRulePatchFields + Security_Solution_Detections_API_NewTermsRuleRequiredFields: + type: object + properties: + history_window_start: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_HistoryWindowStart + new_terms_fields: + $ref: '#/components/schemas/Security_Solution_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms + type: string + required: + - type + - query + - new_terms_fields + - history_window_start + Security_Solution_Detections_API_NewTermsRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_NewTermsRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateFields + Security_Solution_Detections_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Detections_API_NormalizedRuleAction: + additionalProperties: false + type: object + properties: + alerts_filter: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionAlertsFilter + frequency: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionFrequency + group: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionGroup + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleActionId' + params: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionParams + required: + - id + - params + Security_Solution_Detections_API_NormalizedRuleError: + type: object + properties: + err_code: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionsDryRunErrCode + message: + type: string + rules: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDetailsInError + type: array + status_code: + type: integer + required: + - message + - status_code + - rules + Security_Solution_Detections_API_OsqueryParams: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_EcsMapping' + pack_id: + type: string + queries: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_OsqueryQuery' + type: array + query: + type: string + saved_query_id: + type: string + timeout: + type: number + Security_Solution_Detections_API_OsqueryQuery: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_EcsMapping' + id: + description: Query ID + type: string + platform: + type: string + query: + description: Query to run + type: string + removed: + type: boolean + snapshot: + type: boolean + version: + description: Query version + type: string + required: + - id + - query + Security_Solution_Detections_API_OsqueryResponseAction: + type: object + properties: + action_type_id: + enum: + - .osquery + type: string + params: + $ref: '#/components/schemas/Security_Solution_Detections_API_OsqueryParams' + required: + - action_type_id + - params + Security_Solution_Detections_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Detections_API_ProcessesParams: + type: object + properties: + command: + enum: + - kill-process + - suspend-process + type: string + comment: + type: string + config: + type: object + properties: + field: + description: Field to use instead of process.pid + type: string + overwrite: + default: true + description: Whether to overwrite field with process.pid + type: boolean + required: + - field + required: + - command + - config + Security_Solution_Detections_API_QueryRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleResponseFields + Security_Solution_Detections_API_QueryRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleDefaultableFields + Security_Solution_Detections_API_QueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateFields + Security_Solution_Detections_API_QueryRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + Security_Solution_Detections_API_QueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + Security_Solution_Detections_API_QueryRulePatchFields: + allOf: + - type: object + properties: + type: + description: Rule type + enum: + - query + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleDefaultableFields + Security_Solution_Detections_API_QueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRulePatchFields + Security_Solution_Detections_API_QueryRuleRequiredFields: + type: object + properties: + type: + description: Rule type + enum: + - query + type: string + required: + - type + Security_Solution_Detections_API_QueryRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + required: + - query + - language + Security_Solution_Detections_API_QueryRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateFields + Security_Solution_Detections_API_RelatedIntegration: + description: > + Related integration is a potential dependency of a rule. It's assumed + that if the user installs + + one of the related integrations of a rule, the rule might start to work + properly because it will + + have source events (generated by this integration) potentially matching + the rule's query. + + + NOTE: Proper work is not guaranteed, because a related integration, if + installed, can be + + configured differently or generate data that is not necessarily relevant + for this rule. + + + Related integration is a combination of a Fleet package and (optionally) + one of the + + package's "integrations" that this package contains. It is represented + by 3 properties: + + + - `package`: name of the package (required, unique id) + + - `version`: version of the package (required, semver-compatible) + + - `integration`: name of the integration of this package (optional, id + within the package) + + + There are Fleet packages like `windows` that contain only one + integration; in this case, + + `integration` should be unspecified. There are also packages like `aws` + and `azure` that contain + + several integrations; in this case, `integration` should be specified. + + + @example + + const x: RelatedIntegration = { + package: 'windows', + version: '1.5.x', + }; + + + @example + + const x: RelatedIntegration = { + package: 'azure', + version: '~1.1.6', + integration: 'activitylogs', + }; + type: object + properties: + integration: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + package: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + version: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + required: + - package + - version + Security_Solution_Detections_API_RelatedIntegrationArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegration + type: array + Security_Solution_Detections_API_RequiredField: + description: > + Describes an Elasticsearch field that is needed for the rule to + function. + + + Almost all types of Security rules check source event documents for a + match to some kind of + + query or filter. If a document has certain field with certain values, + then it's a match and + + the rule will generate an alert. + + + Required field is an event field that must be present in the source + indices of a given rule. + + + @example + + const standardEcsField: RequiredField = { + name: 'event.action', + type: 'keyword', + ecs: true, + }; + + + @example + + const nonEcsField: RequiredField = { + name: 'winlog.event_data.AttributeLDAPDisplayName', + type: 'keyword', + ecs: false, + }; + type: object + properties: + ecs: + description: Whether the field is an ECS field + type: boolean + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Type of the Elasticsearch field + required: + - name + - type + - ecs + Security_Solution_Detections_API_RequiredFieldArray: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RequiredField' + type: array + Security_Solution_Detections_API_RequiredFieldInput: + description: >- + Input parameters to create a RequiredField. Does not include the `ecs` + field, because `ecs` is calculated on the backend based on the field + name and type. + type: object + properties: + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Type of an Elasticsearch field + required: + - name + - type + Security_Solution_Detections_API_ResponseAction: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_OsqueryResponseAction + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EndpointResponseAction + Security_Solution_Detections_API_ResponseFields: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + type: string + execution_summary: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionSummary + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + immutable: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleImmutable + required_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldArray + revision: + minimum: 0 + type: integer + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_source: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleSource' + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - rule_id + - immutable + - updated_at + - updated_by + - created_at + - created_by + - revision + - related_integrations + - required_fields + Security_Solution_Detections_API_RiskScore: + description: Risk score (0 to 100) + maximum: 100 + minimum: 0 + type: integer + Security_Solution_Detections_API_RiskScoreMapping: + description: >- + Overrides generated alerts' risk_score with a value from the source + event + items: + type: object + properties: + field: + type: string + operator: + enum: + - equals + type: string + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + value: + type: string + required: + - field + - operator + - value + type: array + Security_Solution_Detections_API_RuleAction: + type: object + properties: + action_type_id: + description: The action type used for sending notifications. + type: string + alerts_filter: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionAlertsFilter + frequency: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionFrequency + group: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionGroup + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleActionId' + params: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionParams + uuid: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + required: + - action_type_id + - id + - params + Security_Solution_Detections_API_RuleActionAlertsFilter: + additionalProperties: true + type: object + Security_Solution_Detections_API_RuleActionFrequency: + description: >- + The action frequency defines when the action runs (for example, only on + rule execution or at specific time intervals). + type: object + properties: + notifyWhen: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionNotifyWhen + summary: + description: >- + Action summary indicates whether we will send a summary notification + about all the generate alerts or notification per individual alert + type: boolean + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + nullable: true + required: + - summary + - notifyWhen + - throttle + Security_Solution_Detections_API_RuleActionGroup: + description: >- + Optionally groups actions by use cases. Use `default` for alert + notifications. + type: string + Security_Solution_Detections_API_RuleActionId: + description: The connector ID. + type: string + Security_Solution_Detections_API_RuleActionNotifyWhen: + description: >- + The condition for throttling the notification: `onActionGroupChange`, + `onActiveAlert`, or `onThrottleInterval` + enum: + - onActiveAlert + - onThrottleInterval + - onActionGroupChange + type: string + Security_Solution_Detections_API_RuleActionParams: + additionalProperties: true + description: >- + Object containing the allowed connector fields, which varies according + to the connector type. + type: object + Security_Solution_Detections_API_RuleActionThrottle: + description: Defines how often rule actions are taken. + oneOf: + - enum: + - no_actions + - rule + type: string + - description: Time interval in seconds, minutes, hours, or days. + example: 1h + pattern: ^[1-9]\d*[smhd]$ + type: string + Security_Solution_Detections_API_RuleAuthorArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleCreateProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateProps + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleDescription: + minLength: 1 + type: string + Security_Solution_Detections_API_RuleDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_Solution_Detections_API_RuleExceptionList: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: ID of the exception container + list_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: List ID of the exception container + namespace_type: + description: Determines the exceptions validity in rule's Kibana space + enum: + - agnostic + - single + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ExceptionListType + required: + - id + - list_id + - type + - namespace_type + Security_Solution_Detections_API_RuleExecutionMetrics: + type: object + properties: + execution_gap_duration_s: + description: Duration in seconds of execution gap + minimum: 0 + type: integer + total_enrichment_duration_ms: + description: >- + Total time spent enriching documents during current rule execution + cycle + minimum: 0 + type: integer + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during current rule execution + cycle + minimum: 0 + type: integer + total_search_duration_ms: + description: >- + Total time spent performing ES searches as measured by Kibana; + includes network latency and time spent serializing/deserializing + request/response + minimum: 0 + type: integer + Security_Solution_Detections_API_RuleExecutionStatus: + description: >- + Custom execution status of Security rules that is different from the + status used in the Alerting Framework. We merge our custom status with + the Framework's status to determine the resulting status of a rule. + + - going to run - @deprecated Replaced by the 'running' status but left + for backwards compatibility with rule execution events already written + to Event Log in the prior versions of Kibana. Don't use when writing + rule status changes. + + - running - Rule execution started but not reached any intermediate or + final status. + + - partial failure - Rule can partially fail for various reasons either + in the middle of an execution (in this case we update its status right + away) or in the end of it. So currently this status can be both + intermediate and final at the same time. A typical reason for a partial + failure: not all the indices that the rule searches over actually exist. + + - failed - Rule failed to execute due to unhandled exception or a reason + defined in the business logic of its executor function. + + - succeeded - Rule executed successfully without any issues. Note: this + status is just an indication of a rule's "health". The rule might or + might not generate any alerts despite of it. + enum: + - going to run + - running + - partial failure + - failed + - succeeded + type: string + Security_Solution_Detections_API_RuleExecutionStatusOrder: + type: integer + Security_Solution_Detections_API_RuleExecutionSummary: + type: object + properties: + last_execution: + type: object + properties: + date: + description: Date of the last execution + format: date-time + type: string + message: + type: string + metrics: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionMetrics + status: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionStatus + description: Status of the last execution + status_order: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionStatusOrder + required: + - date + - status + - status_order + - message + - metrics + required: + - last_execution + Security_Solution_Detections_API_RuleFalsePositiveArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleFilterArray: + items: {} + type: array + Security_Solution_Detections_API_RuleInterval: + description: >- + Frequency of rule execution, using a date math range. For example, "1h" + means the rule runs every hour. Defaults to 5m (5 minutes). + type: string + Security_Solution_Detections_API_RuleIntervalFrom: + description: >- + Time from which data is analyzed each time the rule runs, using a date + math range. For example, now-4200s means the rule analyzes data from 70 + minutes before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). + format: date-math + type: string + Security_Solution_Detections_API_RuleIntervalTo: + type: string + Security_Solution_Detections_API_RuleLicense: + description: The rule's license. + type: string + Security_Solution_Detections_API_RuleMetadata: + additionalProperties: true + type: object + Security_Solution_Detections_API_RuleName: + minLength: 1 + type: string + Security_Solution_Detections_API_RuleNameOverride: + description: Sets the source field for the alert's signal.rule.name value + type: string + Security_Solution_Detections_API_RuleObjectId: + $ref: '#/components/schemas/Security_Solution_Detections_API_UUID' + Security_Solution_Detections_API_RulePatchProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRulePatchProps + Security_Solution_Detections_API_RulePreviewLoggedRequest: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + duration: + type: integer + request: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + required: + - request + Security_Solution_Detections_API_RulePreviewLogs: + type: object + properties: + duration: + description: Execution duration in milliseconds + type: integer + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + requests: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewLoggedRequest + type: array + startedAt: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + warnings: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + required: + - errors + - warnings + - duration + Security_Solution_Detections_API_RulePreviewParams: + type: object + properties: + invocationCount: + type: integer + timeframeEnd: + format: date-time + type: string + required: + - invocationCount + - timeframeEnd + Security_Solution_Detections_API_RuleQuery: + type: string + Security_Solution_Detections_API_RuleReferenceArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleResponse: + anyOf: + - $ref: '#/components/schemas/Security_Solution_Detections_API_EqlRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_QueryRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdRule' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRule + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRule + - $ref: '#/components/schemas/Security_Solution_Detections_API_NewTermsRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_EsqlRule' + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleSignatureId: + description: Could be any string, not necessarily a UUID + type: string + Security_Solution_Detections_API_RuleSource: + description: >- + Discriminated union that determines whether the rule is internally + sourced (created within the Kibana app) or has an external source, such + as the Elastic Prebuilt rules repo. + discriminator: + propertyName: type + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ExternalRuleSource + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_InternalRuleSource + Security_Solution_Detections_API_RuleTagArray: + description: >- + String array containing words and phrases to help categorize, filter, + and search rules. Defaults to an empty array. + items: + type: string + type: array + Security_Solution_Detections_API_RuleUpdateProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleUpdateProps + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleVersion: + description: The rule's version number. + minimum: 1 + type: integer + Security_Solution_Detections_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Solution_Detections_API_SavedObjectResolveAliasTargetId: + type: string + Security_Solution_Detections_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Solution_Detections_API_SavedQueryId: + type: string + Security_Solution_Detections_API_SavedQueryRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleResponseFields + Security_Solution_Detections_API_SavedQueryRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleDefaultableFields + Security_Solution_Detections_API_SavedQueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateFields + Security_Solution_Detections_API_SavedQueryRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_SavedQueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + Security_Solution_Detections_API_SavedQueryRulePatchFields: + allOf: + - type: object + properties: + saved_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryId + type: + description: Rule type + enum: + - saved_query + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleDefaultableFields + Security_Solution_Detections_API_SavedQueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRulePatchFields + Security_Solution_Detections_API_SavedQueryRuleRequiredFields: + type: object + properties: + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + type: + description: Rule type + enum: + - saved_query + type: string + required: + - type + - saved_id + Security_Solution_Detections_API_SavedQueryRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_SavedQueryRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateFields + Security_Solution_Detections_API_SetAlertsStatusByIds: + type: object + properties: + signal_ids: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + minItems: 1 + type: array + status: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertStatus' + required: + - signal_ids + - status + Security_Solution_Detections_API_SetAlertsStatusByQuery: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed + type: string + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertStatus' + required: + - query + - status + Security_Solution_Detections_API_SetAlertTags: + type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTags' + tags_to_remove: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Solution_Detections_API_SetupGuide: + type: string + Security_Solution_Detections_API_Severity: + description: Severity of the rule + enum: + - low + - medium + - high + - critical + type: string + Security_Solution_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Solution_Detections_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Detections_API_SkippedAlertsIndexMigration: + type: object + properties: + index: + type: string + required: + - index + Security_Solution_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Solution_Detections_API_Threat: + type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatTechnique + type: array + required: + - framework + - tactic + Security_Solution_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threat' + type: array + Security_Solution_Detections_API_ThreatFilters: + items: + description: >- + Query and filter context array used to filter documents from the + Elasticsearch index containing the threat values + type: array + Security_Solution_Detections_API_ThreatIndex: + items: + type: string + type: array + Security_Solution_Detections_API_ThreatIndicatorPath: + description: >- + Defines the path to the threat indicator in the indicator documents + (optional) + type: string + Security_Solution_Detections_API_ThreatMapping: + items: + type: object + properties: + entries: + items: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: + enum: + - mapping + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + required: + - field + - type + - value + type: array + required: + - entries + minItems: 1 + type: array + Security_Solution_Detections_API_ThreatMatchRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleResponseFields + Security_Solution_Detections_API_ThreatMatchRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields + Security_Solution_Detections_API_ThreatMatchRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateFields + Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThreatMatchRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + concurrent_searches: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ConcurrentSearches + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + items_per_search: + $ref: '#/components/schemas/Security_Solution_Detections_API_ItemsPerSearch' + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + threat_filters: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatFilters' + threat_indicator_path: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatIndicatorPath + threat_language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThreatMatchRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threat_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatIndex + threat_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMapping + threat_query: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatQuery + type: + description: Rule type + enum: + - threat_match + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields + Security_Solution_Detections_API_ThreatMatchRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRulePatchFields + Security_Solution_Detections_API_ThreatMatchRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threat_index: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatIndex' + threat_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatQuery' + type: + description: Rule type + enum: + - threat_match + type: string + required: + - type + - query + - threat_query + - threat_mapping + - threat_index + Security_Solution_Detections_API_ThreatMatchRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_ThreatMatchRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateFields + Security_Solution_Detections_API_ThreatQuery: + description: Query to run + type: string + Security_Solution_Detections_API_ThreatSubtechnique: + type: object + properties: + id: + description: Subtechnique ID + type: string + name: + description: Subtechnique name + type: string + reference: + description: Subtechnique reference + type: string + required: + - id + - name + - reference + Security_Solution_Detections_API_ThreatTactic: + type: object + properties: + id: + description: Tactic ID + type: string + name: + description: Tactic name + type: string + reference: + description: Tactic reference + type: string + required: + - id + - name + - reference + Security_Solution_Detections_API_ThreatTechnique: + type: object + properties: + id: + description: Technique ID + type: string + name: + description: Technique name + type: string + reference: + description: Technique reference + type: string + subtechnique: + description: Array containing more specific information on the attack technique + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatSubtechnique + type: array + required: + - id + - name + - reference + Security_Solution_Detections_API_Threshold: + type: object + properties: + cardinality: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdCardinality + field: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdField' + value: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdValue' + required: + - field + - value + Security_Solution_Detections_API_ThresholdAlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionDuration + required: + - duration + Security_Solution_Detections_API_ThresholdCardinality: + items: + type: object + properties: + field: + type: string + value: + minimum: 0 + type: integer + required: + - field + - value + type: array + Security_Solution_Detections_API_ThresholdField: + description: Field to aggregate on + oneOf: + - type: string + - items: + type: string + type: array + Security_Solution_Detections_API_ThresholdRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleResponseFields + Security_Solution_Detections_API_ThresholdRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleDefaultableFields + Security_Solution_Detections_API_ThresholdRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateFields + Security_Solution_Detections_API_ThresholdRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThresholdRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdAlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + Security_Solution_Detections_API_ThresholdRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleDefaultableFields + Security_Solution_Detections_API_ThresholdRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRulePatchFields + Security_Solution_Detections_API_ThresholdRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold + type: string + required: + - type + - query + - threshold + Security_Solution_Detections_API_ThresholdRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_ThresholdRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateFields + Security_Solution_Detections_API_ThresholdValue: + description: Threshold value + minimum: 1 + type: integer + Security_Solution_Detections_API_ThrottleForBulkActions: + description: >- + The condition for throttling the notification: 'rule', 'no_actions', or + time duration + enum: + - rule + - 1h + - 1d + - 7d + type: string + Security_Solution_Detections_API_TiebreakerField: + description: Sets a secondary field for sorting events + type: string + Security_Solution_Detections_API_TimelineTemplateId: + description: Timeline template ID + type: string + Security_Solution_Detections_API_TimelineTemplateTitle: + description: Timeline template title + type: string + Security_Solution_Detections_API_TimestampField: + description: Contains the event timestamp used for sorting a sequence of events + type: string + Security_Solution_Detections_API_TimestampOverride: + description: Sets the time field used to query indices + type: string + Security_Solution_Detections_API_TimestampOverrideFallbackDisabled: + description: Disables the fallback to the event's @timestamp field + type: boolean + Security_Solution_Detections_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Solution_Detections_API_WarningSchema: + type: object + properties: + actionPath: + type: string + buttonLabel: + type: string + message: + type: string + type: + type: string + required: + - type + - message + - actionPath + Security_Solution_Endpoint_Exceptions_API_EndpointList: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionList + - additionalProperties: false + type: object + Security_Solution_Endpoint_Exceptions_API_EndpointListItem: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItem + Security_Solution_Endpoint_Exceptions_API_ExceptionList: + type: object + properties: + _version: + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListId + immutable: + type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListType + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListVersion + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListDescription: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + description: Human readable string identifier, e.g. `trusted-linux-processes` + Security_Solution_Endpoint_Exceptions_API_ExceptionListId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + created_at: + format: date-time + type: string + created_by: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + updated_at: + format: date-time + type: string + updated_by: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - id + - comment + - created_at + - created_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemComment + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntry + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + list: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ListId + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ListType + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Solution_Endpoint_Exceptions_API_ExceptionListName: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + enum: + - agnostic + - single + type: string + Security_Solution_Endpoint_Exceptions_API_FindEndpointListItemsFilter: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ListId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Endpoint_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Endpoint_Management_API_ActionLogRequestQuery: + type: object + properties: + end_date: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndDate + page: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Page' + page_size: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PageSize + start_date: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_StartDate + Security_Solution_Endpoint_Management_API_ActionStateSuccessResponse: + type: object + properties: + body: + type: object + properties: + data: + type: object + properties: + canEncrypt: + type: boolean + required: + - data + required: + - body + Security_Solution_Endpoint_Management_API_ActionStatusSuccessResponse: + type: object + properties: + body: + type: object + properties: + data: + type: object + properties: + agent_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId + pending_actions: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionsSchema + required: + - agent_id + - pending_actions + required: + - data + required: + - body + Security_Solution_Endpoint_Management_API_AgentId: + description: Agent ID + type: string + Security_Solution_Endpoint_Management_API_AgentIds: + minLength: 1 + oneOf: + - items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_AgentTypes: + enum: + - endpoint + - sentinel_one + - crowdstrike + type: string + Security_Solution_Endpoint_Management_API_AlertIds: + description: A list of alerts ids. + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NonEmptyString + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_CaseIds: + description: Case IDs to be updated (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_Command: + description: The command to be executed (cannot be an empty string) + enum: + - isolate + - unisolate + - kill-process + - suspend-process + - running-processes + - get-file + - execute + - upload + - scan + minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_Commands: + items: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Command' + type: array + Security_Solution_Endpoint_Management_API_Comment: + description: Optional comment + type: string + Security_Solution_Endpoint_Management_API_EndDate: + description: End date + type: string + Security_Solution_Endpoint_Management_API_EndpointIds: + description: List of endpoint IDs (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_EntityId: + type: object + properties: + entity_id: + minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_ExecuteRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + command: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Command + timeout: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Timeout + required: + - command + required: + - parameters + Security_Solution_Endpoint_Management_API_GetEndpointActionListRouteQuery: + type: object + properties: + agentIds: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentIds + agentTypes: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + commands: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Commands + endDate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndDate + page: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Page' + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + startDate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_StartDate + types: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Types' + userIds: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UserIds + withOutputs: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_WithOutputs + Security_Solution_Endpoint_Management_API_GetFileRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Solution_Endpoint_Management_API_GetProcessesRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_IsolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_KillProcessRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Pid + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EntityId + - type: object + properties: + process_name: + description: Valid for SentinelOne agent type only + minLength: 1 + type: string + required: + - parameters + Security_Solution_Endpoint_Management_API_ListRequestQuery: + type: object + properties: + hostStatuses: + items: + enum: + - healthy + - offline + - updating + - inactive + - unenrolled + type: string + type: array + kuery: + nullable: true + type: string + page: + default: 0 + description: Page number + minimum: 0 + type: integer + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + sortDirection: + enum: + - asc + - desc + nullable: true + type: string + sortField: + enum: + - enrolled_at + - metadata.host.hostname + - host_status + - metadata.Endpoint.policy.applied.name + - metadata.Endpoint.policy.applied.status + - metadata.host.os.name + - metadata.host.ip + - metadata.agent.version + - last_checkin + type: string + required: + - hostStatuses + Security_Solution_Endpoint_Management_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Endpoint_Management_API_NoParametersRequestSchema: + type: object + properties: + body: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: + - body + Security_Solution_Endpoint_Management_API_Page: + default: 1 + description: Page number + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_PageSize: + default: 10 + description: Number of items per page + maximum: 100 + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_Parameters: + description: Optional parameters object + type: object + Security_Solution_Endpoint_Management_API_PendingActionDataType: + type: integer + Security_Solution_Endpoint_Management_API_PendingActionsSchema: + oneOf: + - type: object + properties: + execute: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + get-file: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + isolate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + kill-process: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + running-processes: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + scan: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + suspend-process: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + unisolate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + upload: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + - additionalProperties: true + type: object + Security_Solution_Endpoint_Management_API_Pid: + type: object + properties: + pid: + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse: + type: object + properties: + note: + type: string + Security_Solution_Endpoint_Management_API_ScanRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Solution_Endpoint_Management_API_StartDate: + description: Start date + type: string + Security_Solution_Endpoint_Management_API_SuccessResponse: + type: object + properties: {} + Security_Solution_Endpoint_Management_API_SuspendProcessRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Pid + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EntityId + required: + - parameters + Security_Solution_Endpoint_Management_API_Timeout: + description: The maximum timeout value in milliseconds (optional) + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_Type: + description: Type of response action + enum: + - automated + - manual + type: string + Security_Solution_Endpoint_Management_API_Types: + description: List of types of response actions + items: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Type' + maxLength: 2 + minLength: 1 + type: array + Security_Solution_Endpoint_Management_API_UnisolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_UploadRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + file: + format: binary + type: string + parameters: + type: object + properties: + overwrite: + default: false + type: boolean + required: + - parameters + - file + Security_Solution_Endpoint_Management_API_UserIds: + description: User IDs + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_WithOutputs: + description: Shows detailed outputs for an action response + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: + type: object + properties: + index: + type: integer + message: + type: string + required: + - message + - index + Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadStats: + type: object + properties: + failed: + type: integer + successful: + type: integer + total: + type: integer + required: + - successful + - failed + - total + Security_Solution_Entity_Analytics_API_AssetCriticalityLevel: + description: The criticality level of the asset. + enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + Security_Solution_Entity_Analytics_API_AssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + '@timestamp': + description: The time the record was created or updated. + example: '2017-07-21T17:32:28Z' + format: date-time + type: string + required: + - '@timestamp' + Security_Solution_Entity_Analytics_API_AssetCriticalityRecordIdParts: + type: object + properties: + id_field: + $ref: '#/components/schemas/Security_Solution_Entity_Analytics_API_IdField' + description: The field representing the ID. + example: host.name + id_value: + description: The ID value of the asset. + type: string + required: + - id_value + - id_field + Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecordIdParts + - type: object + properties: + criticality_level: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality_level + Security_Solution_Entity_Analytics_API_EngineDescriptor: + type: object + properties: + filter: + type: string + indexPattern: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IndexPattern + status: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EngineStatus + type: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_EntityType + Security_Solution_Entity_Analytics_API_EngineStatus: + enum: + - installing + - started + - stopped + type: string + Security_Solution_Entity_Analytics_API_Entity: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_UserEntity + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_HostEntity + Security_Solution_Entity_Analytics_API_EntityType: + enum: + - user + - host + type: string + Security_Solution_Entity_Analytics_API_HostEntity: + type: object + properties: + entity: + type: object + properties: + definitionId: + type: string + definitionVersion: + type: string + displayName: + type: string + firstSeenTimestamp: + format: date-time + type: string + id: + type: string + identityFields: + items: + type: string + type: array + lastSeenTimestamp: + format: date-time + type: string + schemaVersion: + type: string + type: + enum: + - node + type: string + required: + - lastSeenTimestamp + - schemaVersion + - definitionVersion + - displayName + - identityFields + - id + - type + - firstSeenTimestamp + - definitionId + host: + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + type: + items: + type: string + type: array + required: + - name + Security_Solution_Entity_Analytics_API_IdField: + enum: + - host.name + - user.name + type: string + Security_Solution_Entity_Analytics_API_IndexPattern: + type: string + Security_Solution_Entity_Analytics_API_InspectQuery: + type: object + properties: + dsl: + items: + type: string + type: array + response: + items: + type: string + type: array + required: + - dsl + - response + Security_Solution_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: + type: object + properties: + full_error: + type: string + message: + type: string + required: + - message + - full_error + Security_Solution_Entity_Analytics_API_RiskEngineScheduleNowResponse: + type: object + properties: + success: + type: boolean + Security_Solution_Entity_Analytics_API_TaskManagerUnavailableResponse: + description: Task manager is unavailable + type: object + properties: + message: + type: string + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + Security_Solution_Entity_Analytics_API_UserEntity: + type: object + properties: + entity: + type: object + properties: + definitionId: + type: string + definitionVersion: + type: string + displayName: + type: string + firstSeenTimestamp: + format: date-time + type: string + id: + type: string + identityFields: + items: + type: string + type: array + lastSeenTimestamp: + format: date-time + type: string + schemaVersion: + type: string + type: + enum: + - node + type: string + required: + - lastSeenTimestamp + - schemaVersion + - definitionVersion + - displayName + - identityFields + - id + - type + - firstSeenTimestamp + - definitionId + user: + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + roles: + items: + type: string + type: array + required: + - name + Security_Solution_Exceptions_API_CreateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_CreateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateExceptionListItemComment + type: array + Security_Solution_Exceptions_API_CreateRuleExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_CreateRuleExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemComment + type: array + Security_Solution_Exceptions_API_CreateRuleExceptionListItemProps: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + Security_Solution_Exceptions_API_ExceptionList: + type: object + properties: + _version: + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + immutable: + type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Exceptions_API_ExceptionListDescription: + type: string + Security_Solution_Exceptions_API_ExceptionListHumanId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + description: Human readable string identifier, e.g. `trusted-linux-processes` + Security_Solution_Exceptions_API_ExceptionListId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + created_at: + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + updated_at: + format: date-time + type: string + updated_by: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Solution_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemComment + type: array + Security_Solution_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Solution_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Solution_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntry + type: array + Security_Solution_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + list: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_ListType' + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_NonEmptyString + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Solution_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryExists + Security_Solution_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Solution_Exceptions_API_ExceptionListItemHumanId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Solution_Exceptions_API_ExceptionListItemName: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Exceptions_API_ExceptionListItemTags: + items: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + type: array + Security_Solution_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Solution_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Solution_Exceptions_API_ExceptionListName: + type: string + Security_Solution_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Solution_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Exceptions_API_ExceptionListsImportBulkError: + type: object + properties: + error: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + required: + - error + Security_Solution_Exceptions_API_ExceptionListsImportBulkErrorArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListsImportBulkError + type: array + Security_Solution_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Solution_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Solution_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + enum: + - agnostic + - single + type: string + Security_Solution_Exceptions_API_FindExceptionListItemsFilter: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_FindExceptionListsFilter: + type: string + Security_Solution_Exceptions_API_ListId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_UUID' + Security_Solution_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Exceptions_API_UpdateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_UpdateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_UpdateExceptionListItemComment + type: array + Security_Solution_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Solution_Lists_API_FindListItemsCursor: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_FindListItemsFilter: + type: string + Security_Solution_Lists_API_FindListsCursor: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_FindListsFilter: + type: string + Security_Solution_Lists_API_List: + type: object + properties: + _version: + type: string + '@timestamp': + format: date-time + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListDescription' + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + immutable: + type: boolean + meta: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + serializer: + type: string + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + minimum: 1 + type: integer + required: + - id + - type + - name + - description + - immutable + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Lists_API_ListDescription: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListId: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListItem: + type: object + properties: + _version: + type: string + '@timestamp': + format: date-time + type: string + created_at: + format: date-time + type: string + created_by: + type: string + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemMetadata' + serializer: + type: string + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + updated_at: + format: date-time + type: string + updated_by: + type: string + value: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Lists_API_ListItemId: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListItemMetadata: + additionalProperties: true + type: object + Security_Solution_Lists_API_ListItemPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Solution_Lists_API_ListItemValue: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListMetadata: + additionalProperties: true + type: object + Security_Solution_Lists_API_ListName: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Solution_Lists_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Lists_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Lists_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Lists_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Osquery_API_ArrayQueries: + items: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ArrayQueriesItem' + type: array + Security_Solution_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PlatformOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_CreateLiveQueryRequestBody: + type: object + properties: + agent_all: + type: boolean + agent_ids: + items: + type: string + type: array + agent_platforms: + items: + type: string + type: array + agent_policy_ids: + items: + type: string + type: array + alert_ids: + items: + type: string + type: array + case_ids: + items: + type: string + type: array + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + event_ids: + items: + type: string + type: array + metadata: + nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackIdOrUndefined' + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + saved_query_id: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SavedQueryIdOrUndefined + Security_Solution_Osquery_API_CreatePacksRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + enabled: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_EnabledOrUndefined + name: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackName' + policy_ids: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PolicyIdsOrUndefined + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Shards' + Security_Solution_Osquery_API_CreateSavedQueryRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Interval' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_DefaultSuccessResponse: + type: object + properties: {} + Security_Solution_Osquery_API_Description: + type: string + Security_Solution_Osquery_API_DescriptionOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Description' + nullable: true + Security_Solution_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ECSMappingItem' + type: object + Security_Solution_Osquery_API_ECSMappingItem: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + Security_Solution_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ECSMapping' + nullable: true + Security_Solution_Osquery_API_Enabled: + type: boolean + Security_Solution_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Enabled' + nullable: true + Security_Solution_Osquery_API_FindLiveQueryRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Solution_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_FindPacksRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_FindSavedQueryRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_GetLiveQueryResultsRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Solution_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_Id: + type: string + Security_Solution_Osquery_API_Interval: + type: string + Security_Solution_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Interval' + nullable: true + Security_Solution_Osquery_API_KueryOrUndefined: + nullable: true + type: string + Security_Solution_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueriesItem' + type: object + Security_Solution_Osquery_API_ObjectQueriesItem: + type: object + properties: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PlatformOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + saved_query_id: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SavedQueryIdOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_PackId: + type: string + Security_Solution_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + nullable: true + Security_Solution_Osquery_API_PackName: + type: string + Security_Solution_Osquery_API_PageOrUndefined: + nullable: true + type: integer + Security_Solution_Osquery_API_PageSizeOrUndefined: + nullable: true + type: integer + Security_Solution_Osquery_API_Platform: + type: string + Security_Solution_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Platform' + nullable: true + Security_Solution_Osquery_API_PolicyIds: + items: + type: string + type: array + Security_Solution_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PolicyIds' + nullable: true + Security_Solution_Osquery_API_Query: + type: string + Security_Solution_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + nullable: true + Security_Solution_Osquery_API_Removed: + type: boolean + Security_Solution_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Removed' + nullable: true + Security_Solution_Osquery_API_SavedQueryId: + type: string + Security_Solution_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + nullable: true + Security_Solution_Osquery_API_Shards: + additionalProperties: + type: number + type: object + Security_Solution_Osquery_API_Snapshot: + type: boolean + Security_Solution_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Snapshot' + nullable: true + Security_Solution_Osquery_API_SortOrderOrUndefined: + oneOf: + - nullable: true + type: string + - enum: + - asc + - desc + Security_Solution_Osquery_API_SortOrUndefined: + nullable: true + type: string + Security_Solution_Osquery_API_UpdatePacksRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + enabled: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_EnabledOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + policy_ids: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PolicyIdsOrUndefined + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Shards' + Security_Solution_Osquery_API_UpdateSavedQueryRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + interval: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_IntervalOrUndefined + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_Version: + type: string + Security_Solution_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Version' + nullable: true + Security_Solution_Timeline_API_BareNote: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + eventId: + nullable: true + type: string + note: + nullable: true + type: string + timelineId: + nullable: true + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + required: + - timelineId + Security_Solution_Timeline_API_ColumnHeaderResult: + type: object + properties: + aggregatable: + type: boolean + category: + type: string + columnHeaderType: + type: string + description: + type: string + example: + oneOf: + - type: string + - type: number + id: + type: string + indexes: + items: + type: string + type: array + name: + type: string + placeholder: + type: string + searchable: + type: boolean + type: + type: string + Security_Solution_Timeline_API_DataProviderQueryMatch: + type: object + properties: + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Solution_Timeline_API_QueryMatchResult' + Security_Solution_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_DataProviderQueryMatch + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Solution_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Solution_Timeline_API_DataProviderType' + nullable: true + Security_Solution_Timeline_API_DataProviderType: + description: >- + The type of data provider to create. Valid values are `default` and + `template`. + enum: + - default + - template + type: string + Security_Solution_Timeline_API_DocumentIds: + oneOf: + - items: + type: string + type: array + - type: string + Security_Solution_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + code: + nullable: true + type: number + favorite: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResult + type: array + message: + nullable: true + type: string + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + version: + type: string + required: + - savedObjectId + - version + Security_Solution_Timeline_API_FavoriteTimelineResult: + type: object + properties: + favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Solution_Timeline_API_FilterTimelineResult: + type: object + properties: + exists: + type: boolean + match_all: + type: string + meta: + type: object + properties: + alias: + type: string + controlledBy: + type: string + disabled: + type: boolean + field: + type: string + formattedValue: + type: string + index: + type: string + key: + type: string + negate: + type: boolean + params: + type: string + type: + type: string + value: + type: string + missing: + type: string + query: + type: string + range: + type: string + script: + type: string + Security_Solution_Timeline_API_ImportTimelineResult: + type: object + properties: + errors: + items: + type: object + properties: + error: + type: object + properties: + message: + type: string + status_code: + type: number + id: + type: string + type: array + success: + type: boolean + success_count: + type: number + timelines_installed: + type: number + timelines_updated: + type: number + Security_Solution_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + nullable: true + type: array + globalNotes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true + type: string + version: + nullable: true + type: string + Security_Solution_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + - type: object + properties: + noteId: + type: string + version: + type: string + Security_Solution_Timeline_API_PinnedEvent: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + eventId: + type: string + pinnedEventId: + type: string + timelineId: + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + version: + type: string + required: + - eventId + - pinnedEventId + - timelineId + - version + Security_Solution_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + operator: + nullable: true + type: string + value: + nullable: true + type: string + Security_Solution_Timeline_API_Readable: + type: object + properties: + _data: + additionalProperties: true + type: object + _encoding: + type: string + _events: + additionalProperties: true + type: object + _eventsCount: + type: number + _maxListeners: + additionalProperties: true + type: object + _position: + type: number + _read: + additionalProperties: true + type: object + _readableState: + additionalProperties: true + type: object + readable: + type: boolean + Security_Solution_Timeline_API_RowRendererId: + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Solution_Timeline_API_SavedTimeline: + type: object + properties: + columns: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ColumnHeaderResult + nullable: true + type: array + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + dataProviders: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_DataProviderResult + nullable: true + type: array + dataViewId: + nullable: true + type: string + dateRange: + nullable: true + type: object + properties: + end: + oneOf: + - type: string + - type: number + start: + oneOf: + - type: string + - type: number + description: + nullable: true + type: string + eqlOptions: + nullable: true + type: object + properties: + eventCategoryField: + nullable: true + type: string + query: + nullable: true + type: string + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true + type: string + timestampField: + nullable: true + type: string + eventType: + nullable: true + type: string + excludedRowRendererIds: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResult + nullable: true + type: array + filters: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FilterTimelineResult + nullable: true + type: array + indexNames: + items: + type: string + nullable: true + type: array + kqlMode: + nullable: true + type: string + kqlQuery: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SerializedFilterQueryResult + nullable: true + savedQueryId: + nullable: true + type: string + savedSearchId: + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Sort' + nullable: true + status: + enum: + - active + - draft + - immutable + nullable: true + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + nullable: true + title: + nullable: true + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + Security_Solution_Timeline_API_SerializedFilterQueryResult: + type: object + properties: + filterQuery: + nullable: true + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Solution_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_SortObject' + type: array + Security_Solution_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. + enum: + - title + - description + - updated + - created + type: string + Security_Solution_Timeline_API_SortObject: + type: object + properties: + columnId: + nullable: true + type: string + columnType: + nullable: true + type: string + sortDirection: + nullable: true + type: string + Security_Solution_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Note' + type: array + noteIds: + items: + type: string + type: array + notes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Note' + type: array + pinnedEventIds: + items: + type: string + type: array + pinnedEventsSaveObject: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_PinnedEvent + type: array + savedObjectId: + type: string + version: + type: string + required: + - savedObjectId + - version + Security_Solution_Timeline_API_TimelineStatus: + description: >- + The status of the timeline. Valid values are `active`, `draft`, and + `immutable`. + enum: + - active + - draft + - immutable + type: string + Security_Solution_Timeline_API_TimelineType: + description: >- + The type of timeline to create. Valid values are `default` and + `template`. + enum: + - default + - template + type: string + SLOs_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Invalid value ''foo'' supplied to: [...]' + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 401 + type: number + required: + - statusCode + - error + - message + SLOs_403_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 403 + type: number + required: + - statusCode + - error + - message + SLOs_404_response: + title: Not found + type: object + properties: + error: + example: Not Found + type: string + message: + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found + type: string + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict + type: string + message: + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists + type: string + statusCode: + example: 409 + type: number + required: + - statusCode + - error + - message + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_create_slo_request: + description: > + The create SLO API request body varies depending on the type of + indicator, time window and budgeting method. + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: >- + A optional and unique identifier for the SLO. Must be between 8 and + 36 chars + example: my-super-slo-id + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + required: + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request + type: object + SLOs_create_slo_response: + title: Create SLO response + type: object + properties: + id: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - id + SLOs_delete_slo_instances_request: + description: > + The delete SLO instances request takes a list of SLO id and instance id, + then delete the rollup and summary data. This API can be used to remove + the staled data of an instance SLO that no longer get updated. + properties: + list: + description: An array of slo id and instance id + items: + type: object + properties: + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - sloId + - instanceId + type: array + required: + - list + title: Delete SLO instances request + type: object + SLOs_error_budget: + title: Error budget + type: object + properties: + consumed: + description: The error budget consummed, as a percentage of the initial value. + example: 0.8 + type: number + initial: + description: The initial error budget, as 1 - objective + example: 0.02 + type: number + isEstimated: + description: >- + Only for SLO defined with occurrences budgeting method and calendar + aligned time window. + example: true + type: boolean + remaining: + description: The error budget remaining, as a percentage of the initial value. + example: 0.2 + type: number + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter + type: object + SLOs_filter_meta: + description: Defines properties for a filter + properties: + alias: + nullable: true + type: string + controlledBy: + type: string + disabled: + type: boolean + field: + type: string + group: + type: string + index: + type: string + isMultiIndex: + type: boolean + key: + type: string + negate: + type: boolean + params: + type: object + type: + type: string + value: + type: string + title: FilterMeta + type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. + properties: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + total: + example: 34 + type: number + title: Find SLO response + type: object + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: metrics-apm*,apm* + type: string + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. + example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom + type: string + required: + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option + is "sum" + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option + is "sum" + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.metric.custom + type: string + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. + example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. + example: 'processor.outcome : *' + type: string + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. + example: 100 + type: number + required: + - aggregation + - field + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.histogram.custom + type: string + required: + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + index: + description: The index or index pattern to use + example: my-service-* + type: string + metric: + description: > + An object defining the metrics, equation, and threshold to + determine if it's a good slice or not + type: object + properties: + comparator: + description: >- + The comparator to use to compare the equation to the + threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT + type: string + equation: + description: The equation to calculate the metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + anyOf: + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_percentile_metric + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_doc_count_metric + type: array + threshold: + description: >- + The threshold used to determine if the metric is a good + slice or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice + type: string + required: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for good events + SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective + type: object + properties: + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 + type: number + timesliceTarget: + description: >- + the target objective for each slice when using a timeslices + budgeting method + example: 0.995 + maximum: 100 + minimum: 0 + type: number + timesliceWindow: + description: >- + the duration of each slice when using a timeslices budgeting method, + as {duraton}{unit} + example: 5m + type: string + required: + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. + properties: + frequency: + default: 1m + description: Configure how often the transform runs, default 1m + example: 5m + type: string + preventInitialBackfill: + default: false + description: Prevents the transform from backfilling data when it starts. + example: true + type: boolean + syncDelay: + default: 1m + description: The synch delay to apply to the transform. Default 1m + example: 5m + type: string + title: Settings + type: object + SLOs_slo_definition_response: + title: SLO definition response + type: object + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' + type: string + description: + description: The description of the SLO. + example: My SLO description + type: string + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. + example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response + type: object + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' + type: string + description: + description: The description of the SLO. + example: My SLO description + type: string + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: the value derived from the groupBy field, if present, otherwise '*' + example: host-abcde + type: string + name: + description: The name of the SLO. + example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data + properties: + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' + required: + - status + - sliValue + - errorBudget + title: Summary + type: object + SLOs_summary_status: + enum: + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status + type: string + SLOs_time_window: + description: Defines properties for the SLO time window + type: object + properties: + duration: + description: >- + the duration formatted as {duration}{unit}. Accepted values for + rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w + (weekly) or 1M (monthly) + example: 30d + type: string + type: + description: >- + Indicates weither the time window is a rolling or a calendar aligned + time window. + enum: + - rolling + - calendarAligned + example: rolling + type: string + required: + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: + type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: + type: object + properties: + aggregation: + description: The aggregation type of the metric. Only valid option is "doc_count" + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + required: + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option is + "percentile" + enum: + - percentile + example: percentile + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: ^[A-Z]$ + type: string + percentile: + description: The percentile value. + example: 95 + type: number + required: + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: > + The update SLO API request body varies depending on the type of + indicator, time window and budgeting method. Partial update is handled. + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + title: Update SLO request + type: object + securitySchemes: + apiKeyAuth: + description: > + These APIs use key-based authentication. You must create an API key and + use the encoded value in the request header. For example: + `Authorization: ApiKey base64AccessApiKey` + in: header + name: Authorization + type: apiKey + basicAuth: + scheme: basic + type: http +security: + - apiKeyAuth: [] + - basicAuth: [] +tags: + - name: alerting + - description: > + Configure APM agent keys to authorize requests from APM agents to the APM + Server. + name: APM agent keys + - description: > + Annotate visualizations in the APM app with significant events. + Annotations enable you to easily see how events are impacting the + performance of your applications. + name: APM annotations + - description: Case APIs enable you to open and track issues. + name: cases + - name: connectors + - name: Data streams + - description: >- + Data view APIs enable you to manage data views, formerly known as Kibana + index patterns. + name: data views + - name: Elastic Agent actions + - name: Elastic Agent binary download sources + - name: Elastic Agent policies + - name: Elastic Agent status + - name: Elastic Agents + - name: Elastic Package Manager (EPM) + - name: Fleet enrollment API keys + - name: Fleet internals + - name: Fleet Kubernetes + - name: Fleet outputs + - name: Fleet package policies + - name: Fleet proxies + - name: Fleet Server hosts + - name: Fleet service tokens + - name: Fleet uninstall tokens + - description: Machine learning + name: ml + - description: > + Export sets of saved objects that you want to import into {kib}, resolve + import errors, and rotate an encryption key for encrypted saved objects + with the saved objects APIs. + + + To manage a specific type of saved object, use the corresponding APIs. + + For example, use: + + + * [Data views](../group/endpoint-data-views) + + * [Spaces](https://www.elastic.co/guide/en/kibana/current/spaces-api.html) + + * [Short + URLs](https://www.elastic.co/guide/en/kibana/current/short-urls-api.html) + + + Warning: Do not write documents directly to the `.kibana` index. When you + write directly to the `.kibana` index, the data becomes corrupted and + permanently breaks future Kibana versions. + name: saved objects + x-displayName: Saved objects + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + - description: >- + You can create rules that automatically turn events and external alerts + sent to Elastic Security into detection alerts. These alerts are displayed + on the Detections page. + name: Security Solution Detections API + - description: >- + Endpoint Exceptions API allows you to manage detection rule endpoint + exceptions to prevent a rule from generating an alert from incoming events + even when the rule's other criteria are met. + name: Security Solution Endpoint Exceptions API + - description: Interact with and manage endpoints running the Elastic Defend integration. + name: Security Solution Endpoint Management API + - description: '' + name: Security Solution Entity Analytics API + - description: >- + Exceptions API allows you to manage detection rule exceptions to prevent a + rule from generating an alert from incoming events even when the rule's + other criteria are met. + name: Security Solution Exceptions API + - description: Lists API allows you to manage lists of keywords, IPs or IP ranges items. + name: Security Solution Lists API + - description: Run live queries, manage packs and saved queries. + name: Security Solution Osquery API + - description: >- + You can create Timelines and Timeline templates via the API, as well as + import new Timelines from an ndjson file. + name: Security Solution Timeline API + - description: SLO APIs enable you to define, manage and track service-level objectives + name: slo + - name: system diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index e4e718c3f73c9..790e380ddd9b1 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -64,16 +64,16 @@ info: version: 1.0.2 x-doc-license: name: Attribution-NonCommercial-NoDerivatives 4.0 International - url: 'https://creativecommons.org/licenses/by-nc-nd/4.0/' + url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback url: >- https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: - - url: 'https://{kibana_url}' + - url: https://{kibana_url} variables: kibana_url: - default: 'localhost:5601' + default: localhost:5601 paths: /api/actions: get: @@ -138,11 +138,53 @@ paths: - actionTypeId responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Create a connector tags: - connectors - '/api/actions/action/{id}': + /api/actions/action/{id}: delete: deprecated: true description: 'WARNING: When you delete a connector, it cannot be recovered.' @@ -195,6 +237,48 @@ paths: type: string responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Get connector information tags: @@ -245,11 +329,53 @@ paths: - name responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Update a connector tags: - connectors - '/api/actions/action/{id}/_execute': + /api/actions/action/{id}/_execute: post: deprecated: true operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D%2F_execute#0' @@ -289,6 +415,48 @@ paths: - params responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Run a connector tags: @@ -318,7 +486,7 @@ paths: summary: Get connector types tags: - connectors - '/api/actions/connector/{id}': + /api/actions/connector/{id}: delete: description: 'WARNING: When you delete a connector, it cannot be recovered.' operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#0' @@ -369,6 +537,48 @@ paths: type: string responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Get connector information tags: @@ -391,7 +601,8 @@ paths: schema: example: 'true' type: string - - in: path + - description: An identifier for the connector. + in: path name: id required: false schema: @@ -422,6 +633,48 @@ paths: - connector_type_id responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Create a connector tags: @@ -472,11 +725,53 @@ paths: - name responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Update a connector tags: - connectors - '/api/actions/connector/{id}/_execute': + /api/actions/connector/{id}/_execute: post: description: >- You can use this API to test an action that involves interaction with @@ -518,6 +813,48 @@ paths: - params responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + config: + additionalProperties: {} + type: object + connector_type_id: + description: The connector type identifier. + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + description: Indicates whether the connector is deprecated. + type: boolean + is_missing_secrets: + description: Indicates whether the connector is missing secrets. + type: boolean + is_preconfigured: + description: >- + Indicates whether the connector is preconfigured. If true, + the `config` and `is_missing_secrets` properties are + omitted from the response. + type: boolean + is_system_action: + description: >- + Indicates whether the connector is used for system + actions. + type: boolean + name: + description: ' The name of the rule.' + type: string + required: + - id + - name + - connector_type_id + - is_preconfigured + - is_deprecated + - is_system_action description: Indicates a successful call. summary: Run a connector tags: @@ -631,7 +968,7 @@ paths: example: true type: boolean is_sufficiently_secure: - description: 'If `false`, security is enabled but TLS is not.' + description: If `false`, security is enabled but TLS is not. example: true type: boolean description: Indicates a successful call. @@ -943,7 +1280,7 @@ paths: summary: Get the rule types tags: - alerting - '/api/alerting/rule/{id}': + /api/alerting/rule/{id}: delete: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#2' parameters: @@ -971,6 +1308,12 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. summary: Delete a rule tags: - alerting @@ -1725,7 +2068,7 @@ paths: description: Recur the rule until this date. type: string wkst: - description: 'Indicates the start of week, defaults to Monday.' + description: Indicates the start of week, defaults to Monday. enum: - MO - TU @@ -1797,6 +2140,12 @@ paths: - execution_status - revision description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. summary: Get rule details tags: - alerting @@ -2860,7 +3209,7 @@ paths: description: Recur the rule until this date. type: string wkst: - description: 'Indicates the start of week, defaults to Monday.' + description: Indicates the start of week, defaults to Monday. enum: - MO - TU @@ -2932,6 +3281,12 @@ paths: - execution_status - revision description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '409': + description: Indicates that the rule id is already in use. summary: Create a rule tags: - alerting @@ -3966,7 +4321,7 @@ paths: description: Recur the rule until this date. type: string wkst: - description: 'Indicates the start of week, defaults to Monday.' + description: Indicates the start of week, defaults to Monday. enum: - MO - TU @@ -4038,10 +4393,18 @@ paths: - execution_status - revision description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. summary: Update a rule tags: - alerting - '/api/alerting/rule/{id}/_disable': + /api/alerting/rule/{id}/_disable: post: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_disable#0' parameters: @@ -4081,10 +4444,16 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. summary: Disable a rule tags: - alerting - '/api/alerting/rule/{id}/_enable': + /api/alerting/rule/{id}/_enable: post: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_enable#0' parameters: @@ -4112,10 +4481,16 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. summary: Enable a rule tags: - alerting - '/api/alerting/rule/{id}/_mute_all': + /api/alerting/rule/{id}/_mute_all: post: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_mute_all#0' parameters: @@ -4146,7 +4521,7 @@ paths: summary: Mute all alerts tags: - alerting - '/api/alerting/rule/{id}/_unmute_all': + /api/alerting/rule/{id}/_unmute_all: post: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_unmute_all#0' parameters: @@ -4177,7 +4552,7 @@ paths: summary: Unmute all alerts tags: - alerting - '/api/alerting/rule/{id}/_update_api_key': + /api/alerting/rule/{id}/_update_api_key: post: operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_update_api_key#0' parameters: @@ -4205,10 +4580,18 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule with the given ID does not exist. + '409': + description: Indicates that the rule has already been updated by another user. summary: Update the API key for a rule tags: - alerting - '/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute': + /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: post: operationId: >- %2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_mute#0 @@ -4243,10 +4626,16 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. summary: Mute an alert tags: - alerting - '/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute': + /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: post: operationId: >- %2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_unmute#0 @@ -4281,6 +4670,12 @@ paths: responses: '204': description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. + '404': + description: Indicates a rule or alert with the given ID does not exist. summary: Unmute an alert tags: - alerting @@ -5136,7 +5531,7 @@ paths: description: Recur the rule until this date. type: string wkst: - description: 'Indicates the start of week, defaults to Monday.' + description: Indicates the start of week, defaults to Monday. enum: - MO - TU @@ -5208,10 +5603,14 @@ paths: - execution_status - revision description: Indicates a successful call. + '400': + description: Indicates an invalid schema or parameters. + '403': + description: Indicates that this call is forbidden. summary: Get information about rules tags: - alerting - '/api/alerts/alert/{alertId}': + /api/alerts/alert/{alertId}: delete: deprecated: true description: > @@ -5513,7 +5912,7 @@ paths: summary: Update an alert tags: - alerting - '/api/alerts/alert/{alertId}/_disable': + /api/alerts/alert/{alertId}/_disable: post: deprecated: true description: Deprecated in 7.13.0. Use the disable rule API instead. @@ -5539,7 +5938,7 @@ paths: summary: Disable an alert tags: - alerting - '/api/alerts/alert/{alertId}/_enable': + /api/alerts/alert/{alertId}/_enable: post: deprecated: true description: Deprecated in 7.13.0. Use the enable rule API instead. @@ -5565,7 +5964,7 @@ paths: summary: Enable an alert tags: - alerting - '/api/alerts/alert/{alertId}/_mute_all': + /api/alerts/alert/{alertId}/_mute_all: post: deprecated: true description: Deprecated in 7.13.0. Use the mute all alerts API instead. @@ -5591,7 +5990,7 @@ paths: summary: Mute all alert instances tags: - alerting - '/api/alerts/alert/{alertId}/_unmute_all': + /api/alerts/alert/{alertId}/_unmute_all: post: deprecated: true description: Deprecated in 7.13.0. Use the unmute all alerts API instead. @@ -5617,7 +6016,7 @@ paths: summary: Unmute all alert instances tags: - alerting - '/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute': + /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute: post: deprecated: true description: Deprecated in 7.13.0. Use the mute alert API instead. @@ -5650,7 +6049,7 @@ paths: summary: Mute an alert instance tags: - alerting - '/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute': + /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute: post: deprecated: true description: Deprecated in 7.13.0. Use the unmute alert API instead. @@ -5877,7 +6276,7 @@ paths: example: true type: boolean isSufficientlySecure: - description: 'If `false`, security is enabled but TLS is not.' + description: If `false`, security is enabled but TLS is not. example: true type: boolean description: Indicates a successful call. @@ -6022,8 +6421,8 @@ paths: privileges: items: enum: - - 'event:write' - - 'config_agent:read' + - event:write + - config_agent:read type: string type: array required: true @@ -6049,7 +6448,7 @@ paths: summary: Create an APM agent key tags: - APM agent keys - '/api/apm/services/{serviceName}/annotation': + /api/apm/services/{serviceName}/annotation: post: description: Create a new annotation for a specific service. operationId: createAnnotation @@ -6124,7 +6523,7 @@ paths: summary: Create a service annotation tags: - APM annotations - '/api/apm/services/{serviceName}/annotation/search': + /api/apm/services/{serviceName}/annotation/search: get: description: Search for annotations related to a specific service. operationId: getAnnotation @@ -6338,7 +6737,7 @@ paths: summary: Search cases tags: - cases - '/api/cases/{caseId}': + /api/cases/{caseId}: get: description: > You must have `read` privileges for the **Cases** feature in the @@ -6369,7 +6768,7 @@ paths: summary: Get case information tags: - cases - '/api/cases/{caseId}/alerts': + /api/cases/{caseId}/alerts: get: description: > You must have `read` privileges for the **Cases** feature in the @@ -6400,7 +6799,7 @@ paths: tags: - cases x-technical-preview: true - '/api/cases/{caseId}/comments': + /api/cases/{caseId}/comments: delete: description: > Deletes all comments and alerts from a case. You must have `all` @@ -6527,7 +6926,7 @@ paths: summary: Add a case comment or alert tags: - cases - '/api/cases/{caseId}/comments/_find': + /api/cases/{caseId}/comments/_find: get: description: > Retrieves a paginated list of comments for a case. You must have `read` @@ -6557,7 +6956,7 @@ paths: summary: Find case comments and alerts tags: - cases - '/api/cases/{caseId}/comments/{commentId}': + /api/cases/{caseId}/comments/{commentId}: delete: description: > You must have `all` privileges for the **Cases** feature in the @@ -6613,7 +7012,7 @@ paths: summary: Get a case comment or alert tags: - cases - '/api/cases/{caseId}/connector/{connectorId}/_push': + /api/cases/{caseId}/connector/{connectorId}/_push: post: description: > You must have `all` privileges for the **Actions and Connectors** @@ -6651,7 +7050,7 @@ paths: summary: Push a case to an external service tags: - cases - '/api/cases/{caseId}/user_actions': + /api/cases/{caseId}/user_actions: get: deprecated: true description: > @@ -6682,7 +7081,7 @@ paths: summary: Get case activity tags: - cases - '/api/cases/{caseId}/user_actions/_find': + /api/cases/{caseId}/user_actions/_find: get: description: > Retrives a paginated list of user activity for a case. You must have @@ -6728,7 +7127,7 @@ paths: summary: Find case activity tags: - cases - '/api/cases/alerts/{alertId}': + /api/cases/alerts/{alertId}: get: description: > You must have `read` privileges for the **Cases** feature in the @@ -7149,7 +7548,7 @@ paths: summary: Add case settings tags: - cases - '/api/cases/configure/{configurationId}': + /api/cases/configure/{configurationId}: patch: description: > Updates setting details such as the closure type, custom fields, @@ -7591,7 +7990,7 @@ paths: summary: Create a data view tags: - data views - '/api/data_views/data_view/{viewId}': + /api/data_views/data_view/{viewId}: delete: description: | WARNING: When you delete a data view, it cannot be recovered. @@ -7664,7 +8063,7 @@ paths: summary: Update a data view tags: - data views - '/api/data_views/data_view/{viewId}/fields': + /api/data_views/data_view/{viewId}/fields: post: description: > Update fields presentation metadata such as count, customLabel, @@ -7707,7 +8106,7 @@ paths: summary: Update data view fields metadata tags: - data views - '/api/data_views/data_view/{viewId}/runtime_field': + /api/data_views/data_view/{viewId}/runtime_field: post: operationId: createRuntimeFieldDefault parameters: @@ -7799,7 +8198,7 @@ paths: summary: Create or update a runtime field tags: - data views - '/api/data_views/data_view/{viewId}/runtime_field/{fieldName}': + /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: delete: operationId: deleteRuntimeFieldDefault parameters: @@ -8199,7 +8598,7 @@ paths: summary: Create agent binary download source tags: - Elastic Agent binary download sources - '/api/fleet/agent_download_sources/{sourceId}': + /api/fleet/agent_download_sources/{sourceId}: delete: operationId: delete-download-source parameters: @@ -8402,7 +8801,7 @@ paths: summary: Bulk get agent policies tags: - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}': + /api/fleet/agent_policies/{agentPolicyId}: get: description: Get one agent policy operationId: agent-policy-info @@ -8457,7 +8856,7 @@ paths: summary: Update agent policy by ID tags: - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}/copy': + /api/fleet/agent_policies/{agentPolicyId}/copy: parameters: - in: path name: agentPolicyId @@ -8499,7 +8898,7 @@ paths: summary: Copy agent policy by ID tags: - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}/download': + /api/fleet/agent_policies/{agentPolicyId}/download: get: operationId: agent-policy-download responses: @@ -8538,7 +8937,7 @@ paths: required: false schema: type: string - '/api/fleet/agent_policies/{agentPolicyId}/full': + /api/fleet/agent_policies/{agentPolicyId}/full: get: operationId: agent-policy-full responses: @@ -8821,7 +9220,7 @@ paths: summary: List agents by action ids tags: - Elastic Agents - '/api/fleet/agents/{agentId}': + /api/fleet/agents/{agentId}: delete: operationId: delete-agent parameters: @@ -8906,7 +9305,7 @@ paths: summary: Update agent by ID tags: - Elastic Agents - '/api/fleet/agents/{agentId}/actions': + /api/fleet/agents/{agentId}/actions: parameters: - in: path name: agentId @@ -8947,7 +9346,7 @@ paths: summary: Create agent action tags: - Elastic Agent actions - '/api/fleet/agents/{agentId}/reassign': + /api/fleet/agents/{agentId}/reassign: parameters: - in: path name: agentId @@ -9009,7 +9408,7 @@ paths: summary: Reassign agent tags: - Elastic Agents - '/api/fleet/agents/{agentId}/request_diagnostics': + /api/fleet/agents/{agentId}/request_diagnostics: parameters: - in: path name: agentId @@ -9048,7 +9447,7 @@ paths: summary: Request agent diagnostics tags: - Elastic Agents - '/api/fleet/agents/{agentId}/unenroll': + /api/fleet/agents/{agentId}/unenroll: parameters: - in: path name: agentId @@ -9094,7 +9493,7 @@ paths: summary: Unenroll agent tags: - Elastic Agents - '/api/fleet/agents/{agentId}/upgrade': + /api/fleet/agents/{agentId}/upgrade: parameters: - in: path name: agentId @@ -9123,7 +9522,7 @@ paths: summary: Upgrade agent tags: - Elastic Agents - '/api/fleet/agents/{agentId}/uploads': + /api/fleet/agents/{agentId}/uploads: get: operationId: list-agent-uploads responses: @@ -9267,7 +9666,7 @@ paths: summary: Get agent action status tags: - Elastic Agent actions - '/api/fleet/agents/actions/{actionId}/cancel': + /api/fleet/agents/actions/{actionId}/cancel: parameters: - in: path name: actionId @@ -9309,7 +9708,7 @@ paths: properties: agents: oneOf: - - description: 'KQL query string, leave empty to action all agents' + - description: KQL query string, leave empty to action all agents type: string - description: list of agent IDs items: @@ -9358,7 +9757,7 @@ paths: type: array agents: oneOf: - - description: 'KQL query string, leave empty to action all agents' + - description: KQL query string, leave empty to action all agents type: string - description: list of agent IDs items: @@ -9402,7 +9801,7 @@ paths: properties: agents: oneOf: - - description: 'KQL query string, leave empty to action all agents' + - description: KQL query string, leave empty to action all agents type: string - description: list of agent IDs items: @@ -9457,7 +9856,7 @@ paths: properties: agents: oneOf: - - description: 'KQL query string, leave empty to action all agents' + - description: KQL query string, leave empty to action all agents type: string - description: list of agent IDs items: @@ -9503,7 +9902,7 @@ paths: - agent1 - agent2 rollout_duration_seconds: 3600 - source_uri: 'https://artifacts.elastic.co/downloads/beats/elastic-agent' + source_uri: https://artifacts.elastic.co/downloads/beats/elastic-agent start_time: '2022-08-03T14:00:00.000Z' version: 8.4.0 schema: @@ -9524,7 +9923,7 @@ paths: summary: Bulk upgrade agents tags: - Elastic Agents - '/api/fleet/agents/files/{fileId}': + /api/fleet/agents/files/{fileId}: delete: operationId: delete-agent-upload-file responses: @@ -9553,7 +9952,7 @@ paths: required: true schema: type: string - '/api/fleet/agents/files/{fileId}/{fileName}': + /api/fleet/agents/files/{fileId}/{fileName}: get: operationId: get-agent-upload-file responses: @@ -9747,7 +10146,7 @@ paths: summary: Create enrollment API key tags: - Fleet enrollment API keys - '/api/fleet/enrollment_api_keys/{keyId}': + /api/fleet/enrollment_api_keys/{keyId}: delete: operationId: delete-enrollment-api-key parameters: @@ -9858,7 +10257,7 @@ paths: summary: Create enrollment API key tags: - Fleet enrollment API keys - '/api/fleet/enrollment-api-keys/{keyId}': + /api/fleet/enrollment-api-keys/{keyId}: delete: deprecated: true operationId: delete-enrollment-api-key-deprecated @@ -10143,7 +10542,7 @@ paths: summary: Bulk install packages tags: - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgkey}': + /api/fleet/epm/packages/{pkgkey}: delete: deprecated: true operationId: delete-package-deprecated @@ -10303,7 +10702,7 @@ paths: summary: Install package tags: - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}': + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: operationId: delete-package parameters: @@ -10535,7 +10934,7 @@ paths: summary: Update package settings tags: - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}': + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: operationId: packages-get-file responses: @@ -10573,7 +10972,7 @@ paths: required: true schema: type: string - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize': + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: post: description: '' operationId: reauthorize-transforms @@ -10639,7 +11038,7 @@ paths: summary: Authorize transforms tags: - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/stats': + /api/fleet/epm/packages/{pkgName}/stats: get: operationId: get-package-stats responses: @@ -10686,7 +11085,7 @@ paths: tags: - Elastic Package Manager (EPM) parameters: [] - '/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs': + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: operationId: get-inputs-template responses: @@ -10826,7 +11225,7 @@ paths: summary: Create Fleet Server host tags: - Fleet Server hosts - '/api/fleet/fleet_server_hosts/{itemId}': + /api/fleet/fleet_server_hosts/{itemId}: delete: operationId: delete-fleet-server-hosts parameters: @@ -11059,7 +11458,7 @@ paths: summary: Create output tags: - Fleet outputs - '/api/fleet/outputs/{outputId}': + /api/fleet/outputs/{outputId}: delete: operationId: delete-output parameters: @@ -11128,7 +11527,7 @@ paths: summary: Update output by ID tags: - Fleet outputs - '/api/fleet/outputs/{outputId}/health': + /api/fleet/outputs/{outputId}/health: get: operationId: get-output-health responses: @@ -11142,7 +11541,7 @@ paths: description: long message if unhealthy type: string state: - description: 'state of output, HEALTHY or DEGRADED' + description: state of output, HEALTHY or DEGRADED type: string timestamp: description: timestamp of reported state @@ -11264,7 +11663,7 @@ paths: summary: Bulk get package policies tags: - Fleet package policies - '/api/fleet/package_policies/{packagePolicyId}': + /api/fleet/package_policies/{packagePolicyId}: delete: operationId: delete-package-policy parameters: @@ -11536,7 +11935,7 @@ paths: summary: Create proxy tags: - Fleet proxies - '/api/fleet/proxies/{itemId}': + /api/fleet/proxies/{itemId}: delete: operationId: delete-fleet-proxies parameters: @@ -11795,7 +12194,7 @@ paths: summary: List metadata for latest uninstall tokens per agent policy tags: - Fleet uninstall tokens - '/api/fleet/uninstall_tokens/{uninstallTokenId}': + /api/fleet/uninstall_tokens/{uninstallTokenId}: get: operationId: get-uninstall-token parameters: @@ -11871,7 +12270,7 @@ paths: operationId: bulkCreateSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: 'When true, overwrites the document with the same identifier.' + - description: When true, overwrites the document with the same identifier. in: query name: overwrite schema: @@ -12555,7 +12954,7 @@ paths: summary: Resolve import errors tags: - saved objects - '/api/saved_objects/{type}': + /api/saved_objects/{type}: post: deprecated: true description: Create a Kibana saved object with a randomly generated identifier. @@ -12563,7 +12962,7 @@ paths: parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_type' - - description: 'If true, overwrites the document with the same identifier.' + - description: If true, overwrites the document with the same identifier. in: query name: overwrite schema: @@ -12599,7 +12998,7 @@ paths: summary: Create a saved object tags: - saved objects - '/api/saved_objects/{type}/{id}': + /api/saved_objects/{type}/{id}: get: deprecated: true description: Retrieve a single Kibana saved object by identifier. @@ -12633,7 +13032,7 @@ paths: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' - - description: 'If true, overwrites the document with the same identifier.' + - description: If true, overwrites the document with the same identifier. in: query name: overwrite schema: @@ -12705,7 +13104,7 @@ paths: summary: Update a saved object tags: - saved objects - '/api/saved_objects/resolve/{type}/{id}': + /api/saved_objects/resolve/{type}/{id}: get: deprecated: true description: > @@ -12790,7 +13189,7 @@ paths: summary: Get Kibana's current status tags: - system - '/s/{spaceId}/api/observability/slos': + /s/{spaceId}/api/observability/slos: get: description: > You must have the `read` privileges for the **SLOs** feature in the @@ -12805,7 +13204,7 @@ paths: name: kqlQuery schema: type: string - - description: 'The page to use for pagination, must be greater or equal than 1' + - description: The page to use for pagination, must be greater or equal than 1 example: 1 in: query name: page @@ -12931,7 +13330,7 @@ paths: summary: Create an SLO tags: - slo - '/s/{spaceId}/api/observability/slos/_delete_instances': + /s/{spaceId}/api/observability/slos/_delete_instances: post: description: > The deletion occurs for the specified list of `sloId` and `instanceId`. @@ -12971,7 +13370,7 @@ paths: summary: Batch delete rollup and summary data tags: - slo - '/s/{spaceId}/api/observability/slos/{sloId}': + /s/{spaceId}/api/observability/slos/{sloId}: delete: description: > You must have the `write` privileges for the **SLOs** feature in the @@ -13109,7 +13508,7 @@ paths: summary: Update an SLO tags: - slo - '/s/{spaceId}/api/observability/slos/{sloId}/_reset': + /s/{spaceId}/api/observability/slos/{sloId}/_reset: post: description: > You must have the `write` privileges for the **SLOs** feature in the @@ -13153,7 +13552,7 @@ paths: summary: Reset an SLO tags: - slo - '/s/{spaceId}/api/observability/slos/{sloId}/disable': + /s/{spaceId}/api/observability/slos/{sloId}/disable: post: description: > You must have the `write` privileges for the **SLOs** feature in the @@ -13193,7 +13592,7 @@ paths: summary: Disable an SLO tags: - slo - '/s/{spaceId}/api/observability/slos/{sloId}/enable': + /s/{spaceId}/api/observability/slos/{sloId}/enable: post: description: > You must have the `write` privileges for the **SLOs** feature in the @@ -13740,7 +14139,7 @@ components: value: - actionTypeId: .jira config: - apiUrl: 'https://elastic.atlassian.net/' + apiUrl: https://elastic.atlassian.net/ projectKey: ES id: 61787f53-4eee-4741-8df6-8fe84fa616f7 isDeprecated: false @@ -14013,7 +14412,7 @@ components: connector_name: My connector external_id: '71926' external_title: ES-554 - external_url: 'https://cases.jira.com' + external_url: https://cases.jira.com pushed_at: '2022-07-29T01:20:58.436Z' pushed_by: email: null @@ -14083,7 +14482,7 @@ components: type: .jira created_at: '2024-07-01T17:07:17.767Z' created_by: - email: 'null,' + email: null, full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic @@ -14200,7 +14599,7 @@ components: username: elastic version: WzI2LDNd Cases_update_case_request: - summary: 'Update the case description, tags, and connector.' + summary: Update the case description, tags, and connector. value: cases: - connector: @@ -14263,7 +14662,7 @@ components: connector_name: Jira external_id: '10003' external_title: IS-4 - external_url: 'https://hms.atlassian.net/browse/IS-4' + external_url: https://hms.atlassian.net/browse/IS-4 pushed_at: '2023-10-13T09:20:40.672Z' pushed_by: email: null @@ -14371,7 +14770,7 @@ components: runtimeFieldMap: runtime_shape_name: script: - source: 'emit(doc[''shape_name''].value)' + source: emit(doc['shape_name'].value) type: keyword title: logstash-* Data_views_create_runtime_field_request: @@ -14380,7 +14779,7 @@ components: name: runtimeFoo runtimeField: script: - source: 'emit(doc["foo"].value)' + source: emit(doc["foo"].value) type: long Data_views_get_data_view_response: summary: >- @@ -14402,35 +14801,35 @@ components: products.base_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 products.base_unit_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 products.min_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 products.price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 products.taxful_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 products.taxless_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 taxful_total_price: id: number params: - pattern: '$0,0.[00]' + pattern: $0,0.[00] taxless_total_price: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 fields: _id: aggregatable: false @@ -14906,7 +15305,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.base_price readFromDocValues: true @@ -14922,7 +15321,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.base_unit_price readFromDocValues: true @@ -15042,7 +15441,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.min_price readFromDocValues: true @@ -15058,7 +15457,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.price readFromDocValues: true @@ -15161,7 +15560,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.taxful_price readFromDocValues: true @@ -15177,7 +15576,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: products.taxless_price readFromDocValues: true @@ -15221,7 +15620,7 @@ components: format: id: number params: - pattern: '$0,0.[00]' + pattern: $0,0.[00] isMapped: true name: taxful_total_price readFromDocValues: true @@ -15237,7 +15636,7 @@ components: format: id: number params: - pattern: '$0,0.00' + pattern: $0,0.00 isMapped: true name: taxless_total_price readFromDocValues: true @@ -15348,7 +15747,7 @@ components: AvgTicketPrice: id: number params: - pattern: '$0,0.[00]' + pattern: $0,0.[00] hour_of_day: id: number params: @@ -15416,7 +15815,7 @@ components: format: id: number params: - pattern: '$0,0.[00]' + pattern: $0,0.[00] isMapped: true name: AvgTicketPrice readFromDocValues: true @@ -15691,7 +16090,7 @@ components: readFromDocValues: false runtimeField: script: - source: 'emit(doc[''timestamp''].value.getHour());' + source: emit(doc['timestamp'].value.getHour()); type: long scripted: false searchable: true @@ -15816,7 +16215,7 @@ components: runtimeFieldMap: hour_of_day: script: - source: 'emit(doc[''timestamp''].value.getHour());' + source: emit(doc['timestamp'].value.getHour()); type: long sourceFilters: [] timeFieldName: timestamp @@ -15831,7 +16230,7 @@ components: readFromDocValues: false runtimeField: script: - source: 'emit(doc[''timestamp''].value.getHour());' + source: emit(doc['timestamp'].value.getHour()); type: long scripted: false searchable: true @@ -15879,7 +16278,7 @@ components: value: runtimeField: script: - source: 'emit(doc["bar"].value)' + source: emit(doc["bar"].value) Machine_learning_APIs_mlSyncExample: summary: Two anomaly detection jobs required synchronization in this example. value: @@ -16377,7 +16776,7 @@ components: - desc type: string Fleet_with_metrics: - description: 'Return agent metrics, false by default' + description: Return agent metrics, false by default in: query name: withMetrics required: false @@ -17235,7 +17634,7 @@ components: nullable: true type: string parent: - description: 'The key of the parent issue, when the issue type is sub-task.' + description: The key of the parent issue, when the issue type is sub-task. nullable: true type: string priority: @@ -18887,7 +19286,7 @@ components: - fromId - toId Data_views_timefieldname: - description: 'The timestamp field name, which you use for time-based data views.' + description: The timestamp field name, which you use for time-based data views. type: string Data_views_title: description: >- @@ -18895,7 +19294,7 @@ components: to search. Supports wildcards (`*`). type: string Data_views_type: - description: 'When set to `rollup`, identifies the rollup data views.' + description: When set to `rollup`, identifies the rollup data views. type: string Data_views_typemeta: description: >- @@ -19422,14 +19821,14 @@ components: properties: agents: oneOf: - - description: 'KQL query string, leave empty to action all agents' + - description: KQL query string, leave empty to action all agents type: string - description: list of agent IDs items: type: string type: array force: - description: 'Force upgrade, skipping validation (should be used with caution)' + description: Force upgrade, skipping validation (should be used with caution) type: boolean rollout_duration_seconds: description: rolling upgrade window duration in seconds @@ -20984,14 +21383,14 @@ components: type: object properties: enabled: - description: 'enable or disable that input, (default to true)' + description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: type: object properties: enabled: - description: 'enable or disable that stream, (default to true)' + description: enable or disable that stream, (default to true) type: boolean vars: description: >- @@ -21200,7 +21599,7 @@ components: type: object properties: force: - description: 'Force upgrade, skipping validation (should be used with caution)' + description: Force upgrade, skipping validation (should be used with caution) type: boolean skipRateLimitCheck: description: Skip rate limit check for upgrade @@ -21606,7 +22005,7 @@ components: additionalProperties: $ref: >- #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: 'If saved objects are missing for trained models, they are created.' + description: If saved objects are missing for trained models, they are created. type: object title: Sync API response for created saved objects type: object @@ -21761,7 +22160,7 @@ components: example: Not Found type: string message: - example: 'SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found' + example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found type: string statusCode: example: 404 @@ -21778,7 +22177,7 @@ components: example: Conflict type: string message: - example: 'SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists' + example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists type: string statusCode: example: 409 @@ -21887,11 +22286,11 @@ components: type: object properties: consumed: - description: 'The error budget consummed, as a percentage of the initial value.' + description: The error budget consummed, as a percentage of the initial value. example: 0.8 type: number initial: - description: 'The initial error budget, as 1 - objective' + description: The initial error budget, as 1 - objective example: 0.02 type: number isEstimated: @@ -21901,7 +22300,7 @@ components: example: true type: boolean remaining: - description: 'The error budget remaining, as a percentage of the initial value.' + description: The error budget remaining, as a percentage of the initial value. example: 0.2 type: number required: @@ -21986,7 +22385,7 @@ components: type: string index: description: The index used by APM metrics - example: 'metrics-apm*,apm*' + example: metrics-apm*,apm* type: string service: description: The APM service name @@ -22033,7 +22432,7 @@ components: type: string index: description: The index used by APM metrics - example: 'metrics-apm*,apm*' + example: metrics-apm*,apm* type: string service: description: The APM service name @@ -22167,7 +22566,7 @@ components: name: description: The name of the metric. Only valid options are A-Z example: A - pattern: '^[A-Z]$' + pattern: ^[A-Z]$ type: string required: - name @@ -22221,7 +22620,7 @@ components: name: description: The name of the metric. Only valid options are A-Z example: A - pattern: '^[A-Z]$' + pattern: ^[A-Z]$ type: string required: - name @@ -22523,7 +22922,7 @@ components: properties: frequency: default: 1m - description: 'Configure how often the transform runs, default 1m' + description: Configure how often the transform runs, default 1m example: 5m type: string preventInitialBackfill: @@ -22668,7 +23067,7 @@ components: - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' instanceId: - description: 'the value derived from the groupBy field, if present, otherwise ''*''' + description: the value derived from the groupBy field, if present, otherwise '*' example: host-abcde type: string name: @@ -22793,7 +23192,7 @@ components: name: description: The name of the metric. Only valid options are A-Z example: A - pattern: '^[A-Z]$' + pattern: ^[A-Z]$ type: string required: - name @@ -22816,7 +23215,7 @@ components: name: description: The name of the metric. Only valid options are A-Z example: A - pattern: '^[A-Z]$' + pattern: ^[A-Z]$ type: string required: - name @@ -22844,7 +23243,7 @@ components: name: description: The name of the metric. Only valid options are A-Z example: A - pattern: '^[A-Z]$' + pattern: ^[A-Z]$ type: string percentile: description: The percentile value. @@ -22965,6 +23364,6 @@ tags: permanently breaks future Kibana versions. name: saved objects x-displayName: Saved objects - - description: 'SLO APIs enable you to define, manage and track service-level objectives' + - description: SLO APIs enable you to define, manage and track service-level objectives name: slo - name: system