-
Access
-
- - APIKey KeyParamName:ApiKey KeyInQuery:false KeyInHeader:true
- - HTTP Basic Authentication
-
-
-
- [ Jump to
Models ]
-
-
Table of Contents
-
-
-
-
-
-
-
-
Up
-
post /s/{spaceId}/api/cases/{caseId}/comments
-
Adds a comment or alert to a case. (addCaseComment)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /api/cases/{caseId}/comments
-
Adds a comment or alert to a case in the default space. (addCaseCommentDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/cases
-
Creates a case. (createCase)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Creates a case in the default space. (createCaseDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/cases
-
Deletes one or more cases. (deleteCase)
-
You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
Query parameters
-
-
ids (required)
-
-
Query Parameter — The cases that you want to removed. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/cases/{caseId}/comments/{commentId}
-
Deletes a comment or alert from a case. (deleteCaseComment)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
commentId (required)
-
-
Path Parameter — The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
delete /api/cases/{caseId}/comments/{commentId}
-
Deletes a comment or alert from a case in the default space. (deleteCaseCommentDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
commentId (required)
-
-
Path Parameter — The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/cases/{caseId}/comments
-
Deletes all comments and alerts from a case. (deleteCaseComments)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
delete /api/cases/{caseId}/comments
-
Deletes all comments and alerts from a case in the default space. (deleteCaseCommentsDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Deletes one or more cases in the default space. (deleteCaseDefaultSpace)
-
You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
Query parameters
-
-
ids (required)
-
-
Query Parameter — The cases that you want to removed. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/user_actions/_find
-
Finds user activity for a case. (findCaseActivity)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
page (optional)
-
-
Query Parameter — The page number to return. default: 1
perPage (optional)
-
-
Query Parameter — The number of items to return. Limited to 100 items. default: 20
sortOrder (optional)
-
-
Query Parameter — Determines the sort order. default: desc
types (optional)
-
-
Query Parameter — Determines the types of user actions to return. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "userActions" : [ {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- }, {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- } ],
- "total" : 1,
- "perPage" : 6,
- "page" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
findCaseActivity_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}/user_actions/_find
-
Finds user activity for a case in the default space. (findCaseActivityDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
Query parameters
-
-
page (optional)
-
-
Query Parameter — The page number to return. default: 1
perPage (optional)
-
-
Query Parameter — The number of items to return. Limited to 100 items. default: 20
sortOrder (optional)
-
-
Query Parameter — Determines the sort order. default: desc
types (optional)
-
-
Query Parameter — Determines the types of user actions to return. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "userActions" : [ {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- }, {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- }, {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- }, {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- }, {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- } ],
- "total" : 1,
- "perPage" : 6,
- "page" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
findCaseActivityDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/comments/_find
-
Retrieves all the user comments from a case. (findCaseComments)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
page (optional)
-
-
Query Parameter — The page number to return. default: 1
perPage (optional)
-
-
Query Parameter — The number of items to return. Limited to 100 items. default: 20
sortOrder (optional)
-
-
Query Parameter — Determines the sort order. default: desc
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/configure/connectors/_find
-
Retrieves information about connectors. (findCaseConnectors)
-
In particular, only the connectors that are supported for use in cases are returned. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "isPreconfigured" : true,
- "isDeprecated" : true,
- "actionTypeId" : ".none",
- "referencedByCount" : 0,
- "name" : "name",
- "id" : "id",
- "config" : {
- "projectKey" : "projectKey",
- "apiUrl" : "apiUrl"
- },
- "isMissingSecrets" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/configure/connectors/_find
-
Retrieves information about connectors in the default space. (findCaseConnectorsDefaultSpace)
-
In particular, only the connectors that are supported for use in cases are returned. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "isPreconfigured" : true,
- "isDeprecated" : true,
- "actionTypeId" : ".none",
- "referencedByCount" : 0,
- "name" : "name",
- "id" : "id",
- "config" : {
- "projectKey" : "projectKey",
- "apiUrl" : "apiUrl"
- },
- "isMissingSecrets" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/_find
-
Retrieves a paginated subset of cases. (findCases)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
assignees (optional)
-
-
Query Parameter — Filters the returned cases by assignees. Valid values are none or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. default: null
category (optional)
-
-
Query Parameter — Filters the returned cases by category. default: null
defaultSearchOperator (optional)
-
-
Query Parameter — he default operator to use for the simple_query_string. default: OR
from (optional)
-
-
Query Parameter — [preview] Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. default: null
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
page (optional)
-
-
Query Parameter — The page number to return. default: 1
perPage (optional)
-
-
Query Parameter — The number of items to return. Limited to 100 items. default: 20
reporters (optional)
-
-
Query Parameter — Filters the returned cases by the user name of the reporter. default: null
search (optional)
-
-
Query Parameter — An Elasticsearch simple_query_string query that filters the objects in the response. default: null
searchFields (optional)
-
-
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
severity (optional)
-
-
Query Parameter — The severity of the case. default: null
sortField (optional)
-
-
Query Parameter — Determines which field is used to sort the results. default: createdAt
sortOrder (optional)
-
-
Query Parameter — Determines the sort order. default: desc
status (optional)
-
-
Query Parameter — Filters the returned cases by state. default: null
tags (optional)
-
-
Query Parameter — Filters the returned cases by tags. default: null
to (optional)
-
-
Query Parameter — [preview] Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "count_in_progress_cases" : 6,
- "per_page" : 5,
- "total" : 2,
- "cases" : [ {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- }, {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- } ],
- "count_open_cases" : 1,
- "count_closed_cases" : 0,
- "page" : 5
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
findCases_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/_find
-
Retrieves a paginated subset of cases in the default space. (findCasesDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
-
-
-
-
Query parameters
-
-
assignees (optional)
-
-
Query Parameter — Filters the returned cases by assignees. Valid values are none or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. default: null
category (optional)
-
-
Query Parameter — Filters the returned cases by category. default: null
defaultSearchOperator (optional)
-
-
Query Parameter — he default operator to use for the simple_query_string. default: OR
from (optional)
-
-
Query Parameter — [preview] Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. default: null
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
page (optional)
-
-
Query Parameter — The page number to return. default: 1
perPage (optional)
-
-
Query Parameter — The number of items to return. Limited to 100 items. default: 20
reporters (optional)
-
-
Query Parameter — Filters the returned cases by the user name of the reporter. default: null
search (optional)
-
-
Query Parameter — An Elasticsearch simple_query_string query that filters the objects in the response. default: null
searchFields (optional)
-
-
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
severity (optional)
-
-
Query Parameter — The severity of the case. default: null
sortField (optional)
-
-
Query Parameter — Determines which field is used to sort the results. default: createdAt
sortOrder (optional)
-
-
Query Parameter — Determines the sort order. default: desc
status (optional)
-
-
Query Parameter — Filters the returned cases by state. default: null
tags (optional)
-
-
Query Parameter — Filters the returned cases by tags. default: null
to (optional)
-
-
Query Parameter — [preview] Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "count_in_progress_cases" : 6,
- "per_page" : 5,
- "total" : 2,
- "cases" : [ {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- }, {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- }, {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- }, {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- }, {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- } ],
- "count_open_cases" : 1,
- "count_closed_cases" : 0,
- "page" : 5
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
findCasesDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/comments
-
Retrieves all the comments from a case. (getAllCaseComments)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; instead, use the get case comment API, which requires a comment identifier in the path. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}/comments
-
Retrieves all the comments from a case in the default space. (getAllCaseCommentsDefaultSpace)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; instead, use the get case comment API, which requires a comment identifier in the path. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}
-
Retrieves information about a case. (getCase)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
includeComments (optional)
-
-
Query Parameter — Deprecated in 8.1.0. This parameter is deprecated and will be removed in a future release. It determines whether case comments are returned. default: true
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/user_actions
-
Returns all user activity for a case. (getCaseActivity)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find user actions API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "action_id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "case_id" : "22df07d0-03b1-11ed-920c-974bfa104448",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}/user_actions
-
Returns all user activity for a case in the default space. (getCaseActivityDefaultSpace)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find user actions API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "action_id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "case_id" : "22df07d0-03b1-11ed-920c-974bfa104448",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/alerts
-
Gets all alerts attached to a case. (getCaseAlerts)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "index" : "index",
- "id" : "id",
- "attached_at" : "2000-01-23T04:56:07.000+00:00"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}/alerts
-
Gets all alerts attached to a case in the default space. (getCaseAlertsDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "index" : "index",
- "id" : "id",
- "attached_at" : "2000-01-23T04:56:07.000+00:00"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/comments/{commentId}
-
Retrieves a comment from a case. (getCaseComment)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
commentId (required)
-
-
Path Parameter — The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
null
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseCommentDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}/comments/{commentId}
-
Retrieves a comment from a case in the default space. (getCaseCommentDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
commentId (required)
-
-
Path Parameter — The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
null
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseCommentDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/configure
-
Retrieves external connection details, such as the closure type and default connector for cases. (getCaseConfiguration)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/configure
-
Retrieves external connection details, such as the closure type and default connector for cases in the default space. (getCaseConfigurationDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration.
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}
-
Retrieves information about a case in the default space. (getCaseDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
Query parameters
-
-
includeComments (optional)
-
-
Query Parameter — Deprecated in 8.1.0. This parameter is deprecated and will be removed in a future release. It determines whether case comments are returned. default: true
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/reporters
-
Returns information about the users who opened cases. (getCaseReporters)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/reporters
-
Returns information about the users who opened cases in the default space. (getCaseReportersDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/status
-
Returns the number of cases that are open, closed, and in progress. (getCaseStatus)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find cases API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "count_in_progress_cases" : 6,
- "count_open_cases" : 1,
- "count_closed_cases" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseStatusDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/status
-
Returns the number of cases that are open, closed, and in progress in the default space. (getCaseStatusDefaultSpace)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find cases API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "count_in_progress_cases" : 6,
- "count_open_cases" : 1,
- "count_closed_cases" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseStatusDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/tags
-
Aggregates and returns a list of case tags. (getCaseTags)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
- array[String]
-
-
-
-
-
Example data
-
Content-Type: application/json
-
""
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/tags
-
Aggregates and returns a list of case tags in the default space. (getCaseTagsDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
- array[String]
-
-
-
-
-
Example data
-
Content-Type: application/json
-
""
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/alerts/{alertId}
-
Returns the cases associated with a specific alert. (getCasesByAlert)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
alertId (required)
-
-
Path Parameter — An identifier for the alert. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
[ {
- "id" : "06116b80-e1c3-11ec-be9b-9b1838238ee6",
- "title" : "security_case"
-} ]
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/alerts/{alertId}
-
Returns the cases associated with a specific alert in the default space. (getCasesByAlertDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
alertId (required)
-
-
Path Parameter — An identifier for the alert. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
[ {
- "id" : "06116b80-e1c3-11ec-be9b-9b1838238ee6",
- "title" : "security_case"
-} ]
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/cases/{caseId}/connector/{connectorId}/_push
-
Pushes a case to an external service. (pushCase)
-
You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
connectorId (required)
-
-
Path Parameter — An identifier for the connector. To retrieve connector IDs, use the find connectors API. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /api/cases/{caseId}/connector/{connectorId}/_push
-
Pushes a case in the default space to an external service. (pushCaseDefaultSpace)
-
You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
connectorId (required)
-
-
Path Parameter — An identifier for the connector. To retrieve connector IDs, use the find connectors API. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/cases/configure
-
Sets external connection details, such as the closure type and default connector for cases. (setCaseConfiguration)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseConfigurationDefaultSpace_200_response_inner
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /api/cases/configure
-
Sets external connection details, such as the closure type and default connector for cases in the default space. (setCaseConfigurationDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details.
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseConfigurationDefaultSpace_200_response_inner
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
patch /s/{spaceId}/api/cases
-
Updates one or more cases. (updateCase)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
patch /s/{spaceId}/api/cases/{caseId}/comments
-
Updates a comment or alert in a case. (updateCaseComment)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
patch /api/cases/{caseId}/comments
-
Updates a comment or alert in a case in the default space. (updateCaseCommentDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
patch /s/{spaceId}/api/cases/configure/{configurationId}
-
Updates external connection details, such as the closure type and default connector for cases. (updateCaseConfiguration)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API.
-
-
Path parameters
-
-
configurationId (required)
-
-
Path Parameter — An identifier for the configuration. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
patch /api/cases/configure/{configurationId}
-
Updates external connection details, such as the closure type and default connector for cases in the default space. (updateCaseConfigurationDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API.
-
-
Path parameters
-
-
configurationId (required)
-
-
Path Parameter — An identifier for the configuration. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Updates one or more cases in the default space. (updateCaseDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null, null, null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
- [ Jump to
Methods ]
-
-
Table of Contents
-
- 4xx_response - Unsuccessful cases API responseCase_response_properties_for_comments_inner - Case_response_properties_for_connectors - Case response properties for connectorsaction_types - actions - add_alert_comment_request_properties - Add case comment request properties for alertsadd_case_comment_request - Add case comment requestadd_user_comment_request_properties - Add case comment request properties for user commentsalert_comment_response_properties - Add case comment response properties for alertsalert_comment_response_properties_rule - alert_identifiers - Alert identifiersalert_indices - Alert indicesalert_response_properties - assignees_inner - case_response_closed_by_properties - Case response properties for closed_bycase_response_created_by_properties - Case response properties for created_bycase_response_properties - Case response propertiescase_response_pushed_by_properties - Case response properties for pushed_bycase_response_updated_by_properties - Case response properties for updated_byclosure_types - connector_properties_cases_webhook - Create or upate case request properties for Cases Webhook connectorconnector_properties_jira - Create or update case request properties for a Jira connectorconnector_properties_jira_fields - connector_properties_none - Create or update case request properties for no connectorconnector_properties_resilient - Create case request properties for a IBM Resilient connectorconnector_properties_resilient_fields - connector_properties_servicenow - Create case request properties for a ServiceNow ITSM connectorconnector_properties_servicenow_fields - connector_properties_servicenow_sir - Create case request properties for a ServiceNow SecOps connectorconnector_properties_servicenow_sir_fields - connector_properties_swimlane - Create case request properties for a Swimlane connectorconnector_properties_swimlane_fields - connector_types - create_case_request - Create case requestcreate_case_request_connector - external_service - findCaseActivityDefaultSpace_200_response - findCaseActivity_200_response - findCaseConnectorsDefaultSpace_200_response_inner - findCaseConnectorsDefaultSpace_200_response_inner_config - findCasesDefaultSpace_200_response - findCasesDefaultSpace_assignees_parameter - findCasesDefaultSpace_owner_parameter - findCasesDefaultSpace_searchFields_parameter - findCases_200_response - getCaseCommentDefaultSpace_200_response - getCaseConfigurationDefaultSpace_200_response_inner - getCaseConfigurationDefaultSpace_200_response_inner_connector - getCaseConfigurationDefaultSpace_200_response_inner_created_by - getCaseConfigurationDefaultSpace_200_response_inner_mappings_inner - getCaseConfigurationDefaultSpace_200_response_inner_updated_by - getCaseStatusDefaultSpace_200_response - getCasesByAlertDefaultSpace_200_response_inner - owners - payload_alert_comment - payload_alert_comment_comment - payload_alert_comment_comment_alertId - payload_alert_comment_comment_index - payload_assignees - payload_connector - payload_connector_connector - payload_connector_connector_fields - payload_create_case - payload_description - payload_pushed - payload_settings - payload_severity - payload_status - payload_tags - payload_title - payload_user_comment - payload_user_comment_comment - rule - Alerting rulesearchFieldsType - set_case_configuration_request - Set case configuration requestset_case_configuration_request_connector - set_case_configuration_request_settings - settings - severity_property - status - update_alert_comment_request_properties - Update case comment request properties for alertsupdate_case_comment_request - Update case comment requestupdate_case_configuration_request - Update case configuration requestupdate_case_request - Update case requestupdate_case_request_cases_inner - update_user_comment_request_properties - Update case comment request properties for user commentsuser_actions_find_response_properties - user_actions_response_properties - user_actions_response_properties_created_by - user_actions_response_properties_payload - user_comment_response_properties - Case response properties for user comments
-
-
-
-
-
-
error (optional)
-
message (optional)
-
statusCode (optional)
-
-
-
-
-
-
-
alertId (optional)
-
created_at (optional)
-
created_by (optional)
-
id (optional)
-
index (optional)
-
owner (optional)
-
pushed_at (optional)
-
pushed_by (optional)
-
rule (optional)
-
type
-
-
user
-
updated_at (optional)
-
updated_by (optional)
-
version (optional)
-
comment (optional)
-
-
-
-
-
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.swimlane
-
-
-
-
-
The type of action.
-
-
-
-
-
-
-
Defines properties for case comment requests when type is alert.
-
-
alertId
-
index
-
owner
-
rule
-
type
-
-
alert
-
-
-
-
-
The add comment to case API request body varies depending on whether you are adding an alert or a comment.
-
-
alertId
-
index
-
owner
-
rule
-
type
-
-
user
-
comment
String The new comment. It is required only when
type is
user.
-
-
-
-
-
Defines properties for case comment requests when type is user.
-
-
comment
String The new comment. It is required only when
type is
user.
-
owner
-
type
-
-
user
-
-
-
-
-
-
-
alertId (optional)
-
created_at (optional)
-
created_by (optional)
-
id (optional)
-
index (optional)
-
owner (optional)
-
pushed_at (optional)
-
pushed_by (optional)
-
rule (optional)
-
type
-
-
alert
-
updated_at (optional)
-
updated_by (optional)
-
version (optional)
-
-
-
-
-
-
-
id (optional)
-
name (optional)
-
-
-
-
-
The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
-
-
-
-
-
-
The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
-
-
-
-
-
-
-
-
attached_at (optional)
-
id (optional)
-
index (optional)
-
-
-
-
-
-
-
uid
String A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
-
-
-
-
-
-
-
email
-
full_name
-
username
-
profile_uid (optional)
-
-
-
-
-
-
-
email
-
full_name
-
username
-
profile_uid (optional)
-
-
-
-
-
-
-
assignees (optional)
-
closed_at
-
closed_by
-
comments
-
connector
-
created_at
-
created_by
-
description
-
duration
Integer The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
-
external_service
-
id
-
owner
-
settings
-
severity
-
status
-
tags
-
title
-
totalAlerts
-
totalComment
-
updated_at
-
updated_by
-
version
-
-
-
-
-
-
-
email
-
full_name
-
username
-
profile_uid (optional)
-
-
-
-
-
-
-
email
-
full_name
-
username
-
profile_uid (optional)
-
-
-
-
-
Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).
-
-
-
-
-
-
Defines properties for connectors when type is .cases-webhook.
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.cases-webhook
-
-
-
-
-
Defines properties for connectors when type is .jira.
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.jira
-
-
-
-
-
An object containing the connector fields. If you want to omit any individual field, specify null as its value.
-
-
issueType
-
parent
String The key of the parent issue, when the issue type is sub-task.
-
priority
String The priority of the issue.
-
-
-
-
-
Defines properties for connectors when type is .none.
-
-
fields
String An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
-
id
String The identifier for the connector. To create a case without a connector, use
none. To update a case to remove the connector, specify
none.
-
name
String The name of the connector. To create a case without a connector, use
none. To update a case to remove the connector, specify
none.
-
type
String The type of connector. To create a case without a connector, use
.none. To update a case to remove the connector, specify
.none.
-
-
.none
-
-
-
-
-
Defines properties for connectors when type is .resilient.
-
-
fields
-
id
String The identifier for the connector.
-
name
String The name of the connector.
-
type
-
-
.resilient
-
-
-
-
-
An object containing the connector fields. If you want to omit any individual field, specify null as its value.
-
-
issueTypes
-
severityCode
String The severity code of the incident.
-
-
-
-
-
Defines properties for connectors when type is .servicenow.
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.servicenow
-
-
-
-
-
An object containing the connector fields. If you want to omit any individual field, specify null as its value.
-
-
category
String The category of the incident.
-
impact
String The effect an incident had on business.
-
severity
String The severity of the incident.
-
subcategory
String The subcategory of the incident.
-
urgency
String The extent to which the incident resolution can be delayed.
-
-
-
-
-
Defines properties for connectors when type is .servicenow-sir.
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.servicenow-sir
-
-
-
-
-
An object containing the connector fields. If you want to omit any individual field, specify null as its value.
-
-
category
String The category of the incident.
-
destIp
Boolean Indicates whether cases will send a comma-separated list of destination IPs.
-
malwareHash
Boolean Indicates whether cases will send a comma-separated list of malware hashes.
-
malwareUrl
Boolean Indicates whether cases will send a comma-separated list of malware URLs.
-
priority
String The priority of the issue.
-
sourceIp
Boolean Indicates whether cases will send a comma-separated list of source IPs.
-
subcategory
String The subcategory of the incident.
-
-
-
-
-
Defines properties for connectors when type is .swimlane.
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.swimlane
-
-
-
-
-
An object containing the connector fields. If you want to omit any individual field, specify null as its value.
-
-
caseId
String The case identifier for Swimlane connectors.
-
-
-
-
-
The type of connector.
-
-
-
-
-
-
The create case API request body varies depending on the type of connector.
-
-
assignees (optional)
-
connector
-
description
String The description for the case.
-
owner
-
settings
-
severity (optional)
-
tags
array[String] The words and phrases that help categorize cases. It can be an empty array.
-
category (optional)
String Category for the case. It could be a word or a phrase to categorize the case.
-
title
-
-
-
-
-
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.swimlane
-
-
-
-
-
-
-
connector_id (optional)
-
connector_name (optional)
-
external_id (optional)
-
external_title (optional)
-
external_url (optional)
-
pushed_at (optional)
-
pushed_by (optional)
-
-
-
-
-
-
-
page (optional)
-
perPage (optional)
-
total (optional)
-
userActions (optional)
-
-
-
-
-
-
-
page (optional)
-
perPage (optional)
-
total (optional)
-
userActions (optional)
-
-
-
-
-
-
-
actionTypeId (optional)
-
config (optional)
-
id (optional)
-
isDeprecated (optional)
-
isMissingSecrets (optional)
-
isPreconfigured (optional)
-
name (optional)
-
referencedByCount (optional)
-
-
-
-
-
-
-
apiUrl (optional)
-
projectKey (optional)
-
-
-
-
-
-
-
cases (optional)
-
count_closed_cases (optional)
-
count_in_progress_cases (optional)
-
count_open_cases (optional)
-
page (optional)
-
per_page (optional)
-
total (optional)
-
-
-
-
-
-
-
-
-
-
cases (optional)
-
count_closed_cases (optional)
-
count_in_progress_cases (optional)
-
count_open_cases (optional)
-
page (optional)
-
per_page (optional)
-
total (optional)
-
-
-
-
-
-
-
alertId (optional)
-
created_at (optional)
-
created_by (optional)
-
id (optional)
-
index (optional)
-
owner (optional)
-
pushed_at (optional)
-
pushed_by (optional)
-
rule (optional)
-
type
-
-
user
-
updated_at (optional)
-
updated_by (optional)
-
version (optional)
-
comment (optional)
-
-
-
-
-
-
-
closure_type (optional)
-
connector (optional)
-
created_at (optional)
-
created_by (optional)
-
error (optional)
-
id (optional)
-
mappings (optional)
-
owner (optional)
-
updated_at (optional)
-
updated_by (optional)
-
version (optional)
-
-
-
-
-
-
-
fields (optional)
Object The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to
null.
-
id (optional)
String The identifier for the connector. If you do not want a default connector, use
none. To retrieve connector IDs, use the find connectors API.
-
name (optional)
String The name of the connector. If you do not want a default connector, use
none. To retrieve connector names, use the find connectors API.
-
type (optional)
-
-
-
-
-
-
-
email (optional)
-
full_name (optional)
-
username (optional)
-
profile_uid (optional)
-
-
-
-
-
-
-
action_type (optional)
-
source (optional)
-
target (optional)
-
-
-
-
-
-
-
email (optional)
-
full_name (optional)
-
username (optional)
-
profile_uid (optional)
-
-
-
-
-
-
-
count_closed_cases (optional)
-
count_in_progress_cases (optional)
-
count_open_cases (optional)
-
-
-
-
-
-
-
id (optional)
-
title (optional)
-
-
-
-
-
The application that owns the cases: Stack Management, Observability, or Elastic Security.
-
-
-
-
-
-
-
-
-
alertId (optional)
-
index (optional)
-
owner (optional)
-
rule (optional)
-
type (optional)
-
-
alert
-
-
-
-
-
-
-
-
-
-
-
fields (optional)
-
id (optional)
String The identifier for the connector. To create a case without a connector, use
none.
-
name (optional)
String The name of the connector. To create a case without a connector, use
none.
-
type (optional)
-
-
-
-
-
An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
-
-
caseId (optional)
String The case identifier for Swimlane connectors.
-
category (optional)
String The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
-
destIp (optional)
Boolean Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
-
impact (optional)
String The effect an incident had on business for ServiceNow ITSM connectors.
-
issueType (optional)
String The type of issue for Jira connectors.
-
issueTypes (optional)
-
malwareHash (optional)
Boolean Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
-
malwareUrl (optional)
Boolean Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
-
parent (optional)
String The key of the parent issue, when the issue type is sub-task for Jira connectors.
-
priority (optional)
String The priority of the issue for Jira and ServiceNow SecOps connectors.
-
severity (optional)
String The severity of the incident for ServiceNow ITSM connectors.
-
severityCode (optional)
String The severity code of the incident for IBM Resilient connectors.
-
sourceIp (optional)
Boolean Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
-
subcategory (optional)
String The subcategory of the incident for ServiceNow ITSM connectors.
-
urgency (optional)
String The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
-
-
-
-
-
-
-
assignees (optional)
-
connector (optional)
-
description (optional)
-
owner (optional)
-
settings (optional)
-
severity (optional)
-
status (optional)
-
tags (optional)
-
title (optional)
-
-
-
-
-
-
-
description (optional)
-
-
-
-
-
-
-
externalService (optional)
-
-
-
-
-
-
-
-
-
-
-
-
-
comment (optional)
-
owner (optional)
-
type (optional)
-
-
user
-
-
-
-
-
The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
-
-
id (optional)
-
name (optional)
-
-
-
-
-
The fields to perform the simple_query_string parsed query against.
-
-
-
-
-
-
External connection details, such as the closure type and default connector for cases.
-
-
closure_type
-
connector
-
owner
-
settings (optional)
-
-
-
-
-
An object that contains the connector configuration.
-
-
fields
Object The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to
null.
-
id
String The identifier for the connector. If you do not want a default connector, use
none. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector. If you do not want a default connector, use
none. To retrieve connector names, use the find connectors API.
-
type
-
-
-
-
-
An object that contains the case settings.
-
-
syncAlerts
Boolean Turns alert syncing on or off.
-
-
-
-
-
An object that contains the case settings.
-
-
syncAlerts
Boolean Turns alert syncing on or off.
-
-
-
-
-
The severity of the case.
-
-
-
-
-
-
The status of the case.
-
-
-
-
-
-
Defines properties for case comment requests when type is alert.
-
-
alertId
-
id
String The identifier for the comment. To retrieve comment IDs, use the get comments API.
-
index
-
owner
-
rule
-
type
-
-
alert
-
version
String The current comment version. To retrieve version values, use the get comments API.
-
-
-
-
-
The update case comment API request body varies depending on whether you are updating an alert or a comment.
-
-
alertId
-
id
String The identifier for the comment. To retrieve comment IDs, use the get comments API.
-
index
-
owner
-
rule
-
type
-
-
user
-
version
String The current comment version. To retrieve version values, use the get comments API.
-
comment
String The new comment. It is required only when
type is
user.
-
-
-
-
-
External connection details, such as the closure type and default connector for cases.
-
-
closure_type (optional)
-
connector (optional)
-
version
String The version of the connector. To retrieve the version value, use the get configuration API.
-
-
-
-
-
The update case API request body varies depending on the type of connector.
-
-
-
-
-
-
-
assignees (optional)
-
connector (optional)
-
description (optional)
String An updated description for the case.
-
id
String The identifier for the case.
-
settings (optional)
-
severity (optional)
-
status (optional)
-
tags (optional)
-
category (optional)
String Category for the case. It could be a word or a phrase to categorize the case.
-
title (optional)
-
version
String The current version of the case. To determine this value, use the get case or find cases APIs.
-
-
-
-
-
Defines properties for case comment requests when type is user.
-
-
comment
String The new comment. It is required only when
type is
user.
-
id
String The identifier for the comment. To retrieve comment IDs, use the get comments API.
-
owner
-
type
-
-
user
-
version
String The current comment version. To retrieve version values, use the get comments API.
-
-
-
-
-
-
-
action
-
comment_id
-
created_at
-
created_by
-
id
-
owner
-
payload
-
version
-
type
-
-
assignees
create_case
comment
connector
description
pushed
tags
title
status
settings
severity
-
-
-
-
-
-
-
action
-
action_id
-
case_id
-
comment_id
-
created_at
-
created_by
-
owner
-
payload
-
type
-
-
-
-
-
-
-
email
-
full_name
-
username
-
profile_uid (optional)
-
-
-
-
-
-
-
comment (optional)
-
assignees (optional)
-
connector (optional)
-
description (optional)
-
owner (optional)
-
settings (optional)
-
severity (optional)
-
status (optional)
-
tags (optional)
-
title (optional)
-
externalService (optional)
-
-
-
-
-
-
-
comment (optional)
-
created_at (optional)
-
created_by (optional)
-
id (optional)
-
owner (optional)
-
pushed_at (optional)
-
pushed_by (optional)
-
type
-
-
user
-
updated_at (optional)
-
updated_by (optional)
-
version (optional)
-
-
-
-
Access
-
- - APIKey KeyParamName:ApiKey KeyInQuery:false KeyInHeader:true
- - HTTP Basic Authentication
-
-
-
- [ Jump to
Models ]
-
-
Table of Contents
-
-
-
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule
-
Creates a rule with a randomly generated rule identifier. (createRule)
-
To create a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're creating. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
rule_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}
-
Creates a rule with a specific rule identifier. (createRuleId)
-
To create a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're creating. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
ruleId (required)
-
-
Path Parameter — An UUID v1 or v4 identifier for the rule. If you omit this parameter, an identifier is randomly generated. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
rule_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/alerting/rule/{ruleId}
-
Deletes a rule. (deleteRule)
-
To delete a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're deleting. For example, the Management > Stack Rules feature, Analytics > Discover or Machine Learning features, Observability, or Security features. WARNING: After you delete a rule, you cannot recover it. If the API key that is used by the rule was created automatically, it is deleted.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/_disable
-
Disables a rule. (disableRule)
-
You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/_enable
-
Enables a rule. (enableRule)
-
To enable a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerting/rules/_find
-
Retrieves information about rules. (findRules)
-
You must have read privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rules you're seeking. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. To find rules associated with the Stack Monitoring feature, use the monitoring_user built-in role.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
default_search_operator (optional)
-
-
Query Parameter — The default operator to use for the simple_query_string. default: OR
fields (optional)
-
-
Query Parameter — The fields to return in the attributes key of the response. default: null
filter (optional)
-
-
Query Parameter — A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22. default: null
has_reference (optional)
-
-
Query Parameter — Filters the rules that have a relation with the reference objects with a specific type and identifier. default: null
page (optional)
-
-
Query Parameter — The page number to return. default: 1
per_page (optional)
-
-
Query Parameter — The number of rules to return per page. default: 20
search (optional)
-
-
Query Parameter — An Elasticsearch simple_query_string query that filters the objects in the response. default: null
search_fields (optional)
-
-
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
sort_field (optional)
-
-
Query Parameter — Determines which field is used to sort the results. The field must exist in the attributes key of the response. default: null
sort_order (optional)
-
-
Query Parameter — Determines the sort order. default: desc
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "per_page" : 6,
- "total" : 1,
- "data" : [ {
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
- }, {
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
- } ],
- "page" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
findRules_200_response
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerting/_health
-
Retrieves the health status of the alerting framework. (getAlertingHealth)
-
You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "alerting_framework_health" : {
- "execution_health" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- },
- "read_health" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- },
- "decryption_health" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- }
- },
- "has_permanent_encryption_key" : true,
- "is_sufficiently_secure" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getAlertingHealth_200_response
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerting/rule/{ruleId}
-
Retrieves a rule by its identifier. (getRule)
-
You must have read privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rules you're seeking. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. To get rules associated with the Stack Monitoring feature, use the monitoring_user built-in role.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
rule_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerting/rule_types
-
Retrieves a list of rule types. (getRuleTypes)
-
If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "recovery_action_group" : {
- "name" : "name",
- "id" : "id"
- },
- "does_set_recovery_context" : true,
- "is_exportable" : true,
- "authorized_consumers" : {
- "alerts" : {
- "all" : true,
- "read" : true
- },
- "discover" : {
- "all" : true,
- "read" : true
- },
- "stackAlerts" : {
- "all" : true,
- "read" : true
- },
- "infrastructure" : {
- "all" : true,
- "read" : true
- },
- "siem" : {
- "all" : true,
- "read" : true
- },
- "monitoring" : {
- "all" : true,
- "read" : true
- },
- "logs" : {
- "all" : true,
- "read" : true
- },
- "apm" : {
- "all" : true,
- "read" : true
- },
- "ml" : {
- "all" : true,
- "read" : true
- },
- "uptime" : {
- "all" : true,
- "read" : true
- }
- },
- "action_groups" : [ {
- "name" : "name",
- "id" : "id"
- }, {
- "name" : "name",
- "id" : "id"
- } ],
- "minimum_license_required" : "basic",
- "action_variables" : {
- "context" : [ {
- "name" : "name",
- "description" : "description",
- "useWithTripleBracesInTemplates" : true
- }, {
- "name" : "name",
- "description" : "description",
- "useWithTripleBracesInTemplates" : true
- } ],
- "state" : [ {
- "name" : "name",
- "description" : "description"
- }, {
- "name" : "name",
- "description" : "description"
- } ],
- "params" : [ {
- "name" : "name",
- "description" : "description"
- }, {
- "name" : "name",
- "description" : "description"
- } ]
- },
- "rule_task_timeout" : "5m",
- "name" : "name",
- "enabled_in_license" : true,
- "producer" : "stackAlerts",
- "id" : "id",
- "default_action_group_id" : "default_action_group_id"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}
-
Create an alert. (legacyCreateAlert)
-
Deprecated in 7.13.0. Use the create rule API instead.
-
-
Path parameters
-
-
alertId (required)
-
-
Path Parameter — An UUID v1 or v4 identifier for the alert. If this parameter is omitted, the identifier is randomly generated. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "alertTypeId" : ".index-threshold",
- "throttle" : "throttle",
- "updatedBy" : "elastic",
- "executionStatus" : {
- "lastExecutionDate" : "2022-12-06T00:13:43.89Z",
- "status" : "ok"
- },
- "params" : {
- "key" : ""
- },
- "enabled" : true,
- "mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
- "tags" : [ "tags", "tags" ],
- "createdAt" : "2022-12-05T23:36:58.284Z",
- "schedule" : {
- "interval" : "interval"
- },
- "notifyWhen" : "onActionGroupChange",
- "createdBy" : "elastic",
- "muteAll" : false,
- "name" : "my alert",
- "scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "actions" : [ "{}", "{}" ],
- "apiKeyOwner" : "elastic",
- "updatedAt" : "2022-12-05T23:36:58.284Z"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
alert_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/_disable
-
Disables an alert. (legacyDisableAlert)
-
Deprecated in 7.13.0. Use the disable rule API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/_enable
-
Enables an alert. (legacyEnableAlert)
-
Deprecated in 7.13.0. Use the enable rule API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerts/alerts/_find
-
Retrieves a paginated set of alerts. (legacyFindAlerts)
-
Deprecated in 7.13.0. Use the find rules API instead. NOTE: Alert params are stored as a flattened field type and analyzed as keywords. As alerts change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
default_search_operator (optional)
-
-
Query Parameter — The default operator to use for the simple_query_string. default: OR
fields (optional)
-
-
Query Parameter — The fields to return in the attributes key of the response. default: null
filter (optional)
-
-
Query Parameter — A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22. default: null
has_reference (optional)
-
-
Query Parameter — Filters the rules that have a relation with the reference objects with a specific type and identifier. default: null
page (optional)
-
-
Query Parameter — The page number to return. default: 1
per_page (optional)
-
-
Query Parameter — The number of alerts to return per page. default: 20
search (optional)
-
-
Query Parameter — An Elasticsearch simple_query_string query that filters the alerts in the response. default: null
search_fields (optional)
-
-
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
sort_field (optional)
-
-
Query Parameter — Determines which field is used to sort the results. The field must exist in the attributes key of the response. default: null
sort_order (optional)
-
-
Query Parameter — Determines the sort order. default: desc
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "total" : 1,
- "perPage" : 6,
- "data" : [ {
- "alertTypeId" : ".index-threshold",
- "throttle" : "throttle",
- "updatedBy" : "elastic",
- "executionStatus" : {
- "lastExecutionDate" : "2022-12-06T00:13:43.89Z",
- "status" : "ok"
- },
- "params" : {
- "key" : ""
- },
- "enabled" : true,
- "mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
- "tags" : [ "tags", "tags" ],
- "createdAt" : "2022-12-05T23:36:58.284Z",
- "schedule" : {
- "interval" : "interval"
- },
- "notifyWhen" : "onActionGroupChange",
- "createdBy" : "elastic",
- "muteAll" : false,
- "name" : "my alert",
- "scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "actions" : [ "{}", "{}" ],
- "apiKeyOwner" : "elastic",
- "updatedAt" : "2022-12-05T23:36:58.284Z"
- }, {
- "alertTypeId" : ".index-threshold",
- "throttle" : "throttle",
- "updatedBy" : "elastic",
- "executionStatus" : {
- "lastExecutionDate" : "2022-12-06T00:13:43.89Z",
- "status" : "ok"
- },
- "params" : {
- "key" : ""
- },
- "enabled" : true,
- "mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
- "tags" : [ "tags", "tags" ],
- "createdAt" : "2022-12-05T23:36:58.284Z",
- "schedule" : {
- "interval" : "interval"
- },
- "notifyWhen" : "onActionGroupChange",
- "createdBy" : "elastic",
- "muteAll" : false,
- "name" : "my alert",
- "scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "actions" : [ "{}", "{}" ],
- "apiKeyOwner" : "elastic",
- "updatedAt" : "2022-12-05T23:36:58.284Z"
- } ],
- "page" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
legacyFindAlerts_200_response
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerts/alert/{alertId}
-
Retrieves an alert by its identifier. (legacyGetAlert)
-
Deprecated in 7.13.0. Use the get rule API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "alertTypeId" : ".index-threshold",
- "throttle" : "throttle",
- "updatedBy" : "elastic",
- "executionStatus" : {
- "lastExecutionDate" : "2022-12-06T00:13:43.89Z",
- "status" : "ok"
- },
- "params" : {
- "key" : ""
- },
- "enabled" : true,
- "mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
- "tags" : [ "tags", "tags" ],
- "createdAt" : "2022-12-05T23:36:58.284Z",
- "schedule" : {
- "interval" : "interval"
- },
- "notifyWhen" : "onActionGroupChange",
- "createdBy" : "elastic",
- "muteAll" : false,
- "name" : "my alert",
- "scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "actions" : [ "{}", "{}" ],
- "apiKeyOwner" : "elastic",
- "updatedAt" : "2022-12-05T23:36:58.284Z"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
alert_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerts/alerts/list_alert_types
-
Retrieves a list of alert types. (legacyGetAlertTypes)
-
Deprecated in 7.13.0. Use the get rule types API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "defaultActionGroupId" : "defaultActionGroupId",
- "isExportable" : true,
- "actionVariables" : {
- "context" : [ {
- "name" : "name",
- "description" : "description"
- }, {
- "name" : "name",
- "description" : "description"
- } ],
- "state" : [ {
- "name" : "name",
- "description" : "description"
- }, {
- "name" : "name",
- "description" : "description"
- } ],
- "params" : [ {
- "name" : "name",
- "description" : "description"
- }, {
- "name" : "name",
- "description" : "description"
- } ]
- },
- "actionGroups" : [ {
- "name" : "name",
- "id" : "id"
- }, {
- "name" : "name",
- "id" : "id"
- } ],
- "name" : "name",
- "producer" : "producer",
- "authorizedConsumers" : "{}",
- "recoveryActionGroup" : {
- "name" : "name",
- "id" : "id"
- },
- "enabledInLicense" : true,
- "id" : "id",
- "minimumLicenseRequired" : "minimumLicenseRequired"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerts/alerts/_health
-
Retrieves the health status of the alerting framework. (legacyGetAlertingHealth)
-
Deprecated in 7.13.0. Use the get alerting framework health API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "hasPermanentEncryptionKey" : true,
- "alertingFrameworkHealth" : {
- "executionHealth" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- },
- "decryptionHealth" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- },
- "readHealth" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- }
- },
- "isSufficientlySecure" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
legacyGetAlertingHealth_200_response
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute
-
Mutes an alert instance. (legacyMuteAlertInstance)
-
Deprecated in 7.13.0. Use the mute alert API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — An identifier for the alert. default: null
alertInstanceId (required)
-
-
Path Parameter — An identifier for the alert instance. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/_mute_all
-
Mutes all alert instances. (legacyMuteAllAlertInstances)
-
Deprecated in 7.13.0. Use the mute all alerts API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute
-
Unmutes an alert instance. (legacyUnmuteAlertInstance)
-
Deprecated in 7.13.0. Use the unmute alert API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — An identifier for the alert. default: null
alertInstanceId (required)
-
-
Path Parameter — An identifier for the alert instance. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/_unmute_all
-
Unmutes all alert instances. (legacyUnmuteAllAlertInstances)
-
Deprecated in 7.13.0. Use the unmute all alerts API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
put /s/{spaceId}/api/alerts/alert/{alertId}
-
Updates the attributes for an alert. (legacyUpdateAlert)
-
Deprecated in 7.13.0. Use the update rule API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "alertTypeId" : ".index-threshold",
- "throttle" : "throttle",
- "updatedBy" : "elastic",
- "executionStatus" : {
- "lastExecutionDate" : "2022-12-06T00:13:43.89Z",
- "status" : "ok"
- },
- "params" : {
- "key" : ""
- },
- "enabled" : true,
- "mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
- "tags" : [ "tags", "tags" ],
- "createdAt" : "2022-12-05T23:36:58.284Z",
- "schedule" : {
- "interval" : "interval"
- },
- "notifyWhen" : "onActionGroupChange",
- "createdBy" : "elastic",
- "muteAll" : false,
- "name" : "my alert",
- "scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "actions" : [ "{}", "{}" ],
- "apiKeyOwner" : "elastic",
- "updatedAt" : "2022-12-05T23:36:58.284Z"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
alert_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/alerts/alert/{alertId}
-
Permanently removes an alert. (legaryDeleteAlert)
-
Deprecated in 7.13.0. Use the delete rule API instead. WARNING: After you delete an alert, you cannot recover it.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/alert/{alertId}/_mute
-
Mutes an alert. (muteAlert)
-
You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
-
-
Path parameters
-
-
alertId (required)
-
-
Path Parameter — An identifier for the alert. The identifier is generated by the rule and might be any arbitrary string. default: null
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/_mute_all
-
Mutes all alerts. (muteAllAlerts)
-
This API snoozes the notifications for the rule indefinitely. The rule checks continue to occur but alerts will not trigger any actions. You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/alert/{alertId}/_unmute
-
Unmutes an alert. (unmuteAlert)
-
You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
-
-
Path parameters
-
-
alertId (required)
-
-
Path Parameter — An identifier for the alert. The identifier is generated by the rule and might be any arbitrary string. default: null
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/_unmute_all
-
Unmutes all alerts. (unmuteAllAlerts)
-
If the rule has its notifications snoozed indefinitely, this API cancels the snooze. You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
put /s/{spaceId}/api/alerting/rule/{ruleId}
-
Updates the attributes for a rule. (updateRule)
-
To update a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're updating. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs. NOTE: If the API key has different privileges than the key that created or most recently updated the rule, the rule behavior might change. Though some properties are optional, when you update the rule the existing property values are overwritten with default values. Therefore, it is recommended to explicitly set all property values.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
rule_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/_update_api_key
-
Updates the API key for a rule. (updateRuleAPIKey)
-
The new API key has the credentials of the user that submits the request.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
400
- Bad request
-
400_response
-
-
-
-
- [ Jump to
Methods ]
-
-
Table of Contents
-
- 400_response - Bad request401_response - Unsuccessful rule API response404_response - Count - CountCount_count - Count_criteria - Count_logView - Legacy_create_alert_request_properties - Legacy create alert request propertiesLegacy_create_alert_request_properties_schedule - Legacy_update_alert_request_properties - Legacy update alert request propertiesLegacy_update_alert_request_properties_actions_inner - Legacy_update_alert_request_properties_schedule - Ratio - Ratioactions_inner - actions_inner_alerts_filter - actions_inner_alerts_filter_query - actions_inner_alerts_filter_timeframe - actions_inner_alerts_filter_timeframe_hours - actions_inner_frequency - aggtype - alert_response_properties - Legacy alert response propertiesalert_response_properties_executionStatus - alert_response_properties_schedule - count_criterion - count criterioncreate_anomaly_detection_alert_rule_request - Create anomaly detection rule requestcreate_anomaly_detection_jobs_health_rule_request - Create anomaly detection jobs health rule requestcreate_apm_anomaly_rule_request - Create APM anomaly rule rule requestcreate_apm_error_count_rule_request - Create APM error count rule requestcreate_apm_transaction_duration_rule_request - Create latency threshold rule requestcreate_apm_transaction_error_rate_rule_request - Create APM transaction error rate rule requestcreate_es_query_rule_request - Create Elasticsearch query rule requestcreate_geo_containment_rule_request - Create traacking containment rule requestcreate_index_threshold_rule_request - Create index threshold rule requestcreate_infra_inventory_rule_request - Create infra inventory rule requestcreate_infra_metric_anomaly_rule_request - Create infrastructure anomaly rule requestcreate_infra_metric_threshold_rule_request - Create infra metric threshold rule requestcreate_log_threshold_rule_request - Create log threshold rule requestcreate_monitoring_ccr_exceptions_rule_request - Create CCR read exceptions rule requestcreate_monitoring_cluster_health_rule_request - Create cluster health rule requestcreate_monitoring_cpu_usage_rule_request - Create CPU usage rule requestcreate_monitoring_disk_usage_rule_request - Create disk usage rule requestcreate_monitoring_elasticsearch_version_mismatch_rule_request - Create Elasticsearch version mismatch rule requestcreate_monitoring_jvm_memory_usage_rule_request - Create JVM memory usage rule requestcreate_monitoring_kibana_version_mismatch_rule_request - Create Kibana version mismatch rule requestcreate_monitoring_license_expiration_rule_request - Create license expiration rule requestcreate_monitoring_logstash_version_mismatch_rule_request - Create Logstash version mismatch rule requestcreate_monitoring_missing_data_rule_request - Create missing monitoring data rule requestcreate_monitoring_nodes_changed_rule_request - Create nodes changed rule requestcreate_monitoring_shard_size_rule_request - Create shard size rule requestcreate_monitoring_thread_pool_search_rejections_rule_request - Create thread pool search rejections rule requestcreate_monitoring_thread_pool_write_rejections_rule_request - Create thread pool write rejections rule requestcreate_rule_request - Create rule request body propertiescreate_siem_eql_rule_request - Create event correlation rule requestcreate_siem_indicator_rule_request - Create indicator match rule requestcreate_siem_ml_rule_request - Create machine learning rule requestcreate_siem_new_terms_rule_request - Create new terms rule requestcreate_siem_notifications_rule_request - Create security solution notification (legacy) rule requestcreate_siem_query_rule_request - Create custom query rule requestcreate_siem_saved_query_rule_request - Create saved query rule requestcreate_siem_threshold_rule_request - Create threshold rule requestcreate_slo_burn_rate_rule_request - Create slo burn rate rule requestcreate_synthetics_monitor_status_rule_request - Create synthetics monitor status rule requestcreate_synthetics_uptime_duration_anomaly_rule_request - Create synthetics uptime duration anomaly rule requestcreate_synthetics_uptime_tls_certificate_rule_request - Create TLS certificate rule requestcreate_synthetics_uptime_tls_rule_request - Create synthetics uptime TLS rule requestcreate_transform_health_rule_request - Create transform health rule requestcreate_uptime_monitor_status_rule_request - Create uptime monitor status rule requestcustom_criterion - custom criterioncustom_criterion_customMetric_inner - custom_criterion_customMetric_inner_oneOf - custom_criterion_customMetric_inner_oneOf_1 - filter - filter_meta - findRules_200_response - findRules_has_reference_parameter - findRules_search_fields_parameter - getAlertingHealth_200_response - getAlertingHealth_200_response_alerting_framework_health - getAlertingHealth_200_response_alerting_framework_health_decryption_health - getAlertingHealth_200_response_alerting_framework_health_execution_health - getAlertingHealth_200_response_alerting_framework_health_read_health - getRuleTypes_200_response_inner - getRuleTypes_200_response_inner_action_groups_inner - getRuleTypes_200_response_inner_action_variables - getRuleTypes_200_response_inner_action_variables_context_inner - getRuleTypes_200_response_inner_action_variables_params_inner - getRuleTypes_200_response_inner_authorized_consumers - getRuleTypes_200_response_inner_authorized_consumers_alerts - getRuleTypes_200_response_inner_recovery_action_group - groupby - legacyFindAlerts_200_response - legacyGetAlertTypes_200_response_inner - legacyGetAlertTypes_200_response_inner_actionVariables - legacyGetAlertTypes_200_response_inner_actionVariables_context_inner - legacyGetAlertTypes_200_response_inner_recoveryActionGroup - legacyGetAlertingHealth_200_response - legacyGetAlertingHealth_200_response_alertingFrameworkHealth - legacyGetAlertingHealth_200_response_alertingFrameworkHealth_decryptionHealth - legacyGetAlertingHealth_200_response_alertingFrameworkHealth_executionHealth - legacyGetAlertingHealth_200_response_alertingFrameworkHealth_readHealth - non_count_criterion - non count criterionnotify_when - params_es_query_rule - params_es_query_rule_oneOf - params_es_query_rule_oneOf_1 - params_es_query_rule_oneOf_searchConfiguration - params_es_query_rule_oneOf_searchConfiguration_query - params_index_threshold_rule - params_property_apm_anomaly - params_property_apm_error_count - params_property_apm_transaction_duration - params_property_apm_transaction_error_rate - params_property_infra_inventory - params_property_infra_inventory_criteria_inner - params_property_infra_inventory_criteria_inner_customMetric - params_property_infra_metric_threshold - params_property_infra_metric_threshold_criteria_inner - params_property_log_threshold - params_property_slo_burn_rate - params_property_slo_burn_rate_longWindow - params_property_slo_burn_rate_shortWindow - params_property_synthetics_monitor_status - params_property_synthetics_monitor_status_availability - params_property_synthetics_monitor_status_filters - params_property_synthetics_monitor_status_filters_oneOf - params_property_synthetics_monitor_status_timerange - params_property_synthetics_uptime_tls - rule_response_properties - Rule response propertiesrule_response_properties_execution_status - rule_response_properties_last_run - rule_response_properties_last_run_alerts_count - schedule - thresholdcomparator - timewindowunit - update_rule_request - Update rule request
-
-
-
-
-
-
error
-
-
Bad Request
-
message
-
statusCode
-
-
400
-
-
-
-
-
-
-
error (optional)
-
-
Unauthorized
-
message (optional)
-
statusCode (optional)
-
-
401
-
-
-
-
-
-
-
error (optional)
-
-
Not Found
-
message (optional)
-
statusCode (optional)
-
-
404
-
-
-
-
-
-
-
criteria (optional)
-
count
-
timeSize
-
timeUnit
-
-
s
m
h
d
-
logView
-
groupBy (optional)
-
-
-
-
-
-
-
comparator (optional)
-
-
more than
more than or equals
less than
less than or equals
equals
does not equal
matches
does not match
matches phrase
does not match phrase
-
value (optional)
-
-
-
-
-
-
-
field (optional)
-
comparator (optional)
-
-
more than
more than or equals
less than
less than or equals
equals
does not equal
matches
does not match
matches phrase
does not match phrase
-
value (optional)
-
-
-
-
-
-
-
logViewId (optional)
-
type (optional)
-
-
log-view-reference
-
-
-
-
-
-
-
actions (optional)
-
alertTypeId
String The ID of the alert type that you want to call when the alert is scheduled to run.
-
consumer
String The name of the application that owns the alert. This name has to match the Kibana feature name, as that dictates the required role-based access control privileges.
-
enabled (optional)
Boolean Indicates if you want to run the alert on an interval basis after it is created.
-
name
String A name to reference and search.
-
notifyWhen
String The condition for throttling the notification.
-
-
onActionGroupChange
onActiveAlert
onThrottleInterval
-
params
Object The parameters to pass to the alert type executor
params value. This will also validate against the alert type params validator, if defined.
-
schedule
-
tags (optional)
-
throttle (optional)
String How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of
10m or
1h will prevent it from sending 90 notifications during this period.
-
-
-
-
-
The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
-
-
interval (optional)
String The interval format specifies the interval in seconds, minutes, hours or days at which the alert should execute.
-
-
-
-
-
-
-
actions (optional)
-
name
String A name to reference and search.
-
notifyWhen
String The condition for throttling the notification.
-
-
onActionGroupChange
onActiveAlert
onThrottleInterval
-
params
Object The parameters to pass to the alert type executor
params value. This will also validate against the alert type params validator, if defined.
-
schedule
-
tags (optional)
-
throttle (optional)
String How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of
10m or
1h will prevent it from sending 90 notifications during this period.
-
-
-
-
-
-
-
actionTypeId
String The identifier for the action type.
-
group
String Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to
default.
-
id
String The ID of the action saved object to execute.
-
params
Object The map to the
params that the action type will receive.
params are handled as Mustache templates and passed a default set of context.
-
-
-
-
-
The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
-
-
interval (optional)
String The interval format specifies the interval in seconds, minutes, hours or days at which the alert should execute.
-
-
-
-
-
-
-
criteria (optional)
-
count
-
timeSize
-
timeUnit
-
-
s
m
h
d
-
logView
-
groupBy (optional)
-
-
-
-
-
An action that runs under defined conditions.
-
-
alerts_filter (optional)
-
connector_type_id (optional)
String The type of connector. This property appears in responses but cannot be set in requests.
-
frequency (optional)
-
group
String The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to
default.
-
id
String The identifier for the connector saved object.
-
params
map[String, oas_any_type_not_mapped] The parameters for the action, which are sent to the connector. The
params are handled as Mustache templates and passed a default set of context.
-
uuid (optional)
String A universally unique identifier (UUID) for the action.
-
-
-
-
-
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
-
query (optional)
-
timeframe (optional)
-
-
-
-
-
Defines a query filter that determines whether the action runs.
-
-
kql (optional)
String A filter written in Kibana Query Language (KQL).
-
filters (optional)
-
-
-
-
-
Defines a period that limits whether the action runs.
-
-
days (optional)
array[Integer] Defines the days of the week that the action can run, represented as an array of numbers. For example,
1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours (optional)
-
timezone (optional)
String The ISO time zone for the
hours values. Values such as
UTC and
UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
-
-
-
-
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.
-
-
end (optional)
String The end of the time frame in 24-hour notation (
hh:mm).
-
start (optional)
String The start of the time frame in 24-hour notation (
hh:mm).
-
-
-
-
-
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
-
notify_when
-
summary
Boolean Indicates whether the action is a summary.
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
The type of aggregation to perform.
-
-
-
-
-
-
-
-
actions (optional)
-
alertTypeId (optional)
-
apiKeyOwner (optional)
-
createdAt (optional)
Date The date and time that the alert was created. format: date-time
-
createdBy (optional)
String The identifier for the user that created the alert.
-
enabled (optional)
Boolean Indicates whether the alert is currently enabled.
-
executionStatus (optional)
-
id (optional)
String The identifier for the alert.
-
muteAll (optional)
-
mutedInstanceIds (optional)
-
name (optional)
-
notifyWhen (optional)
-
params (optional)
-
schedule (optional)
-
scheduledTaskId (optional)
-
tags (optional)
-
throttle (optional)
-
updatedAt (optional)
-
updatedBy (optional)
String The identifier for the user that updated this alert most recently.
-
-
-
-
-
-
-
lastExecutionDate (optional)
-
status (optional)
-
-
-
-
-
-
-
-
threshold (optional)
-
comparator (optional)
-
-
<
<=
>
>=
between
outside
-
timeUnit (optional)
-
timeSize (optional)
-
warningThreshold (optional)
-
warningComparator (optional)
-
-
<
<=
>
>=
between
outside
-
aggType (optional)
-
-
count
-
-
-
-
-
A rule that checks if the anomaly detection job results contain anomalies that match the rule conditions.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.ml.anomaly_detection_alert
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
An rule that monitors job health and alerts if an operational issue occurred that may prevent the job from detecting anomalies.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.ml.anomaly_detection_jobs_health
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when either the latency, throughput, or failed transaction rate of a service is anomalous.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
apm.anomaly
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the number of errors in a service exceeds a defined threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
apm.error_rate
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the latency of a specific transaction type in a service exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
apm.transaction_duration
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that sends notifications when the rate of transaction errors in a service exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
apm.transaction_error_rate
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that runs a user-configured query, compares the number of matches to a configured threshold, and schedules actions to run when the threshold condition is met.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
.es-query
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that runs an Elasticsearch query over indices to determine whether any documents are currently contained within any boundaries from the specified boundary index. In the event that an entity is contained within a boundary, an alert may be generated.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
.geo-containment
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
.index-threshold
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that sends notifications when a metric has reached or exceeded a value for a specific resource or a group of resources within your infrastructure.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
metrics.alert.inventory.threshold
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
metrics.alert.anomaly
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that sends notifications when a metric has reached or exceeded a value for a specific time period.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
metrics.alert.threshold
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when a log aggregation exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
logs.alert.document.count
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects cross-cluster replication (CCR) read exceptions.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_ccr_read_exceptions
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the health of the cluster changes.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_cluster_health
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the CPU load for a node is consistently high.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_cpu_usage
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the disk usage for a node is consistently high.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_disk_usage
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the cluster has multipe versions of Elasticsearch.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_elasticsearch_version_mismatch
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when a node reports high memory usage.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_jvm_memory_usage
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the cluster has multiple versions of Kibana.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_kibana_version_mismatch
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the cluster license is about to expire.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_license_expiration
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the cluster has multiple versions of Logstash.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_logstash_version_mismatch
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when monitoring data is missing.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_missing_monitoring_data
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when nodes are added, removed, or restarted.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_nodes_changed
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the average shard size is larger than a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_shard_size
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the number of rejections in the thread pool exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_thread_pool_search_rejections
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the number of rejections in the write thread pool exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_thread_pool_write_rejections
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
The properties vary depending on the rule type.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.uptime.alerts.monitorStatus
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that uses Event Query Language (EQL) to match events, generate sequences, and stack data.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.eqlRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that uses indicators from intelligence sources to detect matching events and alerts.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.indicatorRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when a machine learning job discovers an anomaly above the defined threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.mlRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that finds documents with values that appear for the first time.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.newTermsRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.notifications
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that uses KQL or Lucene to detect issues across indices.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.queryRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that searches the defined indices and creates an alert when a document matches the saved search.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.savedQueryRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that aggregates query results to detect when the number of matches exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.thresholdRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the burn rate is above a defined threshold for two different lookback periods. The two periods are a long period and a short period that is 1/12th of the long period. For each lookback period, the burn rate is computed as the error rate divided by the error budget. When the burn rates for both periods surpass the threshold, an alert occurs.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
slo.rules.burnRate
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when a monitor is down or an availability threshold is breached.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.synthetics.alerts.monitorStatus
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects response durations for all of the geographic locations of each monitor. When a monitor runs for an unusual amount of time, at a particular time, an anomaly is recorded.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.uptime.alerts.durationAnomaly
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when a monitor has a TLS certificate expiring or when it exceeds an age limit.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.uptime.alerts.tlsCertificate
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.uptime.alerts.tls
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that monitors transforms health and alerts if an operational issue occurred.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
transform_health
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects monitor errors and outages.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.uptime.alerts.monitorStatus
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
-
-
threshold (optional)
-
comparator (optional)
-
-
<
<=
>
>=
between
outside
-
timeUnit (optional)
-
timeSize (optional)
-
warningThreshold (optional)
-
warningComparator (optional)
-
-
<
<=
>
>=
between
outside
-
aggType (optional)
-
-
custom
-
customMetric (optional)
-
equation (optional)
-
label (optional)
-
-
-
-
-
-
-
name (optional)
-
aggType (optional)
-
-
count
-
field (optional)
-
filter (optional)
-
-
-
-
-
-
-
name (optional)
-
aggType (optional)
-
-
avg
sum
max
min
cardinality
-
field (optional)
-
-
-
-
-
-
-
name (optional)
-
aggType (optional)
-
-
count
-
filter (optional)
-
-
-
-
-
A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
-
-
meta (optional)
-
query (optional)
-
Dollarstate (optional)
-
-
-
-
-
-
-
alias (optional)
-
controlledBy (optional)
-
disabled (optional)
-
field (optional)
-
group (optional)
-
index (optional)
-
isMultiIndex (optional)
-
key (optional)
-
negate (optional)
-
params (optional)
-
type (optional)
-
value (optional)
-
-
-
-
-
-
-
data (optional)
-
page (optional)
-
per_page (optional)
-
total (optional)
-
-
-
-
-
-
-
id (optional)
-
type (optional)
-
-
-
-
-
-
-
-
alerting_framework_health (optional)
-
has_permanent_encryption_key (optional)
Boolean If
false, the encrypted saved object plugin does not have a permanent encryption key.
-
is_sufficiently_secure (optional)
Boolean If
false, security is enabled but TLS is not.
-
-
-
-
-
Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.
-
-
decryption_health (optional)
-
execution_health (optional)
-
read_health (optional)
-
-
-
-
-
The timestamp and status of the rule decryption.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
The timestamp and status of the rule run.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
The timestamp and status of the rule reading events.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
-
-
action_groups (optional)
-
action_variables (optional)
-
authorized_consumers (optional)
-
default_action_group_id (optional)
String The default identifier for the rule type group.
-
does_set_recovery_context (optional)
Boolean Indicates whether the rule passes context variables to its recovery action.
-
enabled_in_license (optional)
Boolean Indicates whether the rule type is enabled or disabled based on the subscription.
-
id (optional)
String The unique identifier for the rule type.
-
is_exportable (optional)
Boolean Indicates whether the rule type is exportable in
Stack Management > Saved Objects.
-
minimum_license_required (optional)
String The subscriptions required to use the rule type.
-
name (optional)
String The descriptive name of the rule type.
-
producer (optional)
String An identifier for the application that produces this rule type.
-
recovery_action_group (optional)
-
rule_task_timeout (optional)
-
-
-
-
-
-
-
id (optional)
-
name (optional)
-
-
-
-
-
A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.
-
-
context (optional)
-
params (optional)
-
state (optional)
-
-
-
-
-
-
-
name (optional)
-
description (optional)
-
useWithTripleBracesInTemplates (optional)
-
-
-
-
-
-
-
description (optional)
-
name (optional)
-
-
-
-
-
The list of the plugins IDs that have access to the rule type.
-
-
alerts (optional)
-
apm (optional)
-
discover (optional)
-
infrastructure (optional)
-
logs (optional)
-
ml (optional)
-
monitoring (optional)
-
siem (optional)
-
stackAlerts (optional)
-
uptime (optional)
-
-
-
-
-
-
-
all (optional)
-
read (optional)
-
-
-
-
-
An action group to use when an alert goes from an active state to an inactive one.
-
-
id (optional)
-
name (optional)
-
-
-
-
-
Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.
-
-
-
-
-
-
-
-
data (optional)
-
page (optional)
-
perPage (optional)
-
total (optional)
-
-
-
-
-
-
-
actionGroups (optional)
-
actionVariables (optional)
-
authorizedConsumers (optional)
Object The list of the plugins IDs that have access to the alert type.
-
defaultActionGroupId (optional)
String The default identifier for the alert type group.
-
enabledInLicense (optional)
Boolean Indicates whether the rule type is enabled based on the subscription.
-
id (optional)
String The unique identifier for the alert type.
-
isExportable (optional)
Boolean Indicates whether the alert type is exportable in Saved Objects Management UI.
-
minimumLicenseRequired (optional)
String The subscriptions required to use the alert type.
-
name (optional)
String The descriptive name of the alert type.
-
producer (optional)
String An identifier for the application that produces this alert type.
-
recoveryActionGroup (optional)
-
-
-
-
-
A list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors.
-
-
context (optional)
-
params (optional)
-
state (optional)
-
-
-
-
-
-
-
name (optional)
-
description (optional)
-
-
-
-
-
An action group to use when an alert instance goes from an active state to an inactive one. If it is not specified, the default recovered action group is used.
-
-
id (optional)
-
name (optional)
-
-
-
-
-
-
-
alertingFrameworkHealth (optional)
-
hasPermanentEncryptionKey (optional)
Boolean If
false, the encrypted saved object plugin does not have a permanent encryption key.
-
isSufficientlySecure (optional)
Boolean If
false, security is enabled but TLS is not.
-
-
-
-
-
Three substates identify the health of the alerting framework: decryptionHealth, executionHealth, and readHealth.
-
-
decryptionHealth (optional)
-
executionHealth (optional)
-
readHealth (optional)
-
-
-
-
-
The timestamp and status of the alert decryption.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
The timestamp and status of the alert execution.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
The timestamp and status of the alert reading events.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
-
-
threshold (optional)
-
comparator (optional)
-
-
<
<=
>
>=
between
outside
-
timeUnit (optional)
-
timeSize (optional)
-
warningThreshold (optional)
-
warningComparator (optional)
-
-
<
<=
>
>=
between
outside
-
metric (optional)
-
aggType (optional)
-
-
avg
max
min
cardinality
rate
count
sum
p95
p99
custom
-
-
-
-
-
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
-
-
-
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when
aggType is
avg,
max,
min or
sum.
-
aggType (optional)
-
excludeHitsFromPreviousRun (optional)
Boolean Indicates whether to exclude matches from previous runs. If
true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
-
groupBy (optional)
-
searchConfiguration (optional)
-
searchType
String The type of query, in this case a query that uses Elasticsearch Query DSL.
-
-
esQuery
-
size
Integer The number of documents to pass to the configured actions when the threshold condition is met.
-
termField (optional)
String This property is required when
groupBy is
top. The name of the field that is used for grouping the aggregation.
-
termSize (optional)
Integer This property is required when
groupBy is
top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
-
threshold
array[Integer] The threshold value that is used with the
thresholdComparator. If the
thresholdComparator is
between or
notBetween, you must specify the boundary values.
-
thresholdComparator
-
timeField
String The field that is used to calculate the time window.
-
timeWindowSize
Integer The size of the time window (in
timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
-
timeWindowUnit
-
esQuery
String The query definition, which uses Elasticsearch Query DSL.
-
index
oneOf The indices to query.
-
-
-
-
-
The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.
-
-
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when
aggType is
avg,
max,
min or
sum.
-
aggType (optional)
-
excludeHitsFromPreviousRun (optional)
Boolean Indicates whether to exclude matches from previous runs. If
true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
-
groupBy (optional)
-
searchConfiguration (optional)
-
searchType
String The type of query, in this case a text-based query that uses KQL or Lucene.
-
-
searchSource
-
size
Integer The number of documents to pass to the configured actions when the threshold condition is met.
-
termField (optional)
String This property is required when
groupBy is
top. The name of the field that is used for grouping the aggregation.
-
termSize (optional)
Integer This property is required when
groupBy is
top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
-
threshold
array[Integer] The threshold value that is used with the
thresholdComparator. If the
thresholdComparator is
between or
notBetween, you must specify the boundary values.
-
thresholdComparator
-
timeField (optional)
String The field that is used to calculate the time window.
-
timeWindowSize
Integer The size of the time window (in
timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
-
timeWindowUnit
-
-
-
-
-
The parameters for an Elasticsearch query rule that uses Elasticsearch Query DSL to define the query.
-
-
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when
aggType is
avg,
max,
min or
sum.
-
aggType (optional)
-
esQuery
String The query definition, which uses Elasticsearch Query DSL.
-
excludeHitsFromPreviousRun (optional)
Boolean Indicates whether to exclude matches from previous runs. If
true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
-
groupBy (optional)
-
index
oneOf The indices to query.
-
searchType (optional)
String The type of query, in this case a query that uses Elasticsearch Query DSL.
-
-
esQuery
-
size (optional)
Integer The number of documents to pass to the configured actions when the threshold condition is met.
-
termField (optional)
String This property is required when
groupBy is
top. The name of the field that is used for grouping the aggregation.
-
termSize (optional)
Integer This property is required when
groupBy is
top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
-
threshold
array[Integer] The threshold value that is used with the
thresholdComparator. If the
thresholdComparator is
between or
notBetween, you must specify the boundary values.
-
thresholdComparator
-
timeField
String The field that is used to calculate the time window.
-
timeWindowSize
Integer The size of the time window (in
timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
-
timeWindowUnit
-
-
-
-
-
The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
-
-
filter (optional)
-
index (optional)
oneOf The indices to query.
-
query (optional)
-
-
-
-
-
-
-
language (optional)
-
query (optional)
-
-
-
-
-
The parameters for an index threshold rule.
-
-
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when
aggType is
avg,
max,
min or
sum.
-
aggType (optional)
-
filterKuery (optional)
String A KQL expression thats limits the scope of alerts.
-
groupBy (optional)
-
index
-
termField (optional)
String This property is required when
groupBy is
top. The name of the field that is used for grouping the aggregation.
-
termSize (optional)
Integer This property is required when
groupBy is
top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
-
threshold
array[Integer] The threshold value that is used with the
thresholdComparator. If the
thresholdComparator is
between or
notBetween, you must specify the boundary values.
-
thresholdComparator
-
timeField
String The field that is used to calculate the time window.
-
timeWindowSize
Integer The size of the time window (in
timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
-
timeWindowUnit
-
-
-
-
-
-
-
serviceName (optional)
String The service name from APM
-
transactionType (optional)
String The transaction type from APM
-
windowSize
-
windowUnit
-
-
m
h
d
-
environment
String The environment from APM
-
anomalySeverityType
String The anomaly threshold value
-
-
critical
major
minor
warning
-
-
-
-
-
-
-
serviceName (optional)
String The service name from APM
-
windowSize
-
windowUnit
-
-
m
h
d
-
environment
String The environment from APM
-
threshold
-
groupBy (optional)
-
-
-
errorGroupingKey (optional)
-
-
-
-
-
-
-
serviceName (optional)
String The service name from APM
-
transactionType (optional)
String The transaction type from APM
-
transactionName (optional)
String The transaction name from APM
-
windowSize
-
windowUnit
-
-
m
h
d
-
environment
-
threshold
-
groupBy (optional)
-
-
-
aggregationType
-
-
avg
95th
99th
-
-
-
-
-
-
-
serviceName (optional)
String The service name from APM
-
transactionType (optional)
String The transaction type from APM
-
transactionName (optional)
String The transaction name from APM
-
windowSize
-
windowUnit
-
-
m
h
d
-
environment
String The environment from APM
-
threshold
-
groupBy (optional)
-
-
-
-
-
-
-
-
-
criteria (optional)
-
filterQuery (optional)
-
filterQueryText (optional)
-
nodeType (optional)
-
-
host
pod
container
awsEC2
awsS3
awsSQS
awsRDS
-
sourceId (optional)
-
alertOnNoData (optional)
-
-
-
-
-
-
-
metric (optional)
-
-
count
cpu
diskLatency
load
memory
memoryTotal
tx
rx
logRate
diskIOReadBytes
diskIOWriteBytes
s3TotalRequests
s3NumberOfObjects
s3BucketSize
s3DownloadBytes
s3UploadBytes
rdsConnections
rdsQueriesExecuted
rdsActiveTransactions
rdsLatency
sqsMessagesVisible
sqsMessagesDelayed
sqsMessagesSent
sqsMessagesEmpty
sqsOldestMessage
custom
-
timeSize (optional)
-
timeUnit (optional)
-
-
s
m
h
d
-
sourceId (optional)
-
threshold (optional)
-
comparator (optional)
-
-
<
<=
>
>=
between
outside
-
customMetric (optional)
-
warningThreshold (optional)
-
warningComparator (optional)
-
-
<
<=
>
>=
between
outside
-
-
-
-
-
-
-
type (optional)
-
-
custom
-
field (optional)
-
aggregation (optional)
-
-
avg
max
min
rate
-
id (optional)
-
label (optional)
-
-
-
-
-
-
-
criteria (optional)
-
groupBy (optional)
-
filterQuery (optional)
-
sourceId (optional)
-
alertOnNoData (optional)
-
alertOnGroupDisappear (optional)
-
-
-
-
-
-
-
threshold (optional)
-
comparator (optional)
-
-
<
<=
>
>=
between
outside
-
timeUnit (optional)
-
timeSize (optional)
-
warningThreshold (optional)
-
warningComparator (optional)
-
-
<
<=
>
>=
between
outside
-
metric (optional)
-
aggType (optional)
-
-
custom
-
customMetric (optional)
-
equation (optional)
-
label (optional)
-
-
-
-
-
-
-
criteria (optional)
-
count
-
timeSize
-
timeUnit
-
-
s
m
h
d
-
logView
-
groupBy (optional)
-
-
-
-
-
-
-
sloId (optional)
String The SLO identifier used by the rule
-
burnRateThreshold (optional)
BigDecimal The burn rate threshold used to trigger the alert
-
maxBurnRateThreshold (optional)
BigDecimal The maximum burn rate threshold value defined by the SLO error budget
-
longWindow (optional)
-
shortWindow (optional)
-
-
-
-
-
The duration of the long window used to compute the burn rate
-
-
value (optional)
-
unit (optional)
-
-
-
-
-
The duration of the short window used to compute the burn rate
-
-
value (optional)
-
unit (optional)
-
-
-
-
-
-
-
availability (optional)
-
filters (optional)
-
locations (optional)
-
numTimes
-
search (optional)
-
shouldCheckStatus
-
shouldCheckAvailability
-
timerangeCount (optional)
-
timerangeUnit (optional)
-
timerange (optional)
-
version (optional)
-
isAutoGenerated (optional)
-
-
-
-
-
-
-
range (optional)
-
rangeUnit (optional)
-
threshold (optional)
-
-
-
-
-
-
-
monitorPeriodtype (optional)
-
observerPeriodgeoPeriodname (optional)
-
tags (optional)
-
urlPeriodport (optional)
-
-
-
-
-
-
-
monitorPeriodtype (optional)
-
observerPeriodgeoPeriodname (optional)
-
tags (optional)
-
urlPeriodport (optional)
-
-
-
-
-
-
-
from (optional)
-
to (optional)
-
-
-
-
-
-
-
search (optional)
-
certExpirationThreshold (optional)
-
certAgeThreshold (optional)
-
-
-
-
-
-
-
actions
-
api_key_created_by_user (optional)
Boolean Indicates whether the API key that is associated with the rule was created by the user.
-
api_key_owner
String The owner of the API key that is associated with the rule and used to run background tasks.
-
consumer
String The application or feature that owns the rule. For example,
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
created_at
Date The date and time that the rule was created. format: date-time
-
created_by
String The identifier for the user that created the rule.
-
enabled
Boolean Indicates whether the rule is currently enabled.
-
execution_status
-
id
String The identifier for the rule.
-
last_run (optional)
-
muted_alert_ids
-
mute_all
-
name
-
next_run (optional)
-
notify_when (optional)
String Indicates how often alerts generate actions.
-
params
-
revision (optional)
-
rule_type_id
String The identifier for the type of rule. For example,
.es-query,
.index-threshold,
logs.alert.document.count,
monitoring_alert_cluster_health,
siem.thresholdRule, or
xpack.ml.anomaly_detection_alert.
-
running (optional)
Boolean Indicates whether the rule is running.
-
schedule
-
scheduled_task_id (optional)
-
tags
-
throttle
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
updated_at
String The date and time that the rule was updated most recently.
-
updated_by
String The identifier for the user that updated this rule most recently.
-
-
-
-
-
-
-
last_duration (optional)
-
last_execution_date (optional)
-
status (optional)
-
-
-
-
-
-
-
alerts_count (optional)
-
outcome (optional)
-
outcome_msg (optional)
-
outcome_order (optional)
-
warning (optional)
-
-
-
-
-
-
-
active (optional)
-
ignored (optional)
-
new (optional)
-
recovered (optional)
-
-
-
-
-
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
-
-
-
-
The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".
-
-
-
-
-
-
The type of units for the time window: seconds, minutes, hours, or days.
-
-
-
-
-
-
The update rule API request body varies depending on the type of rule and actions.
-
-
actions (optional)
-
name
-
notify_when (optional)
-
params
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-