-
Access
-
- - APIKey KeyParamName:ApiKey KeyInQuery:false KeyInHeader:true
- - HTTP Basic Authentication
-
-
-
- [ Jump to
Models ]
-
-
Table of Contents
-
-
-
-
-
-
-
-
Up
-
post /s/{spaceId}/api/cases/{caseId}/comments
-
Adds a comment or alert to a case. (addCaseComment)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /api/cases/{caseId}/comments
-
Adds a comment or alert to a case in the default space. (addCaseCommentDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/cases
-
Creates a case. (createCase)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Creates a case in the default space. (createCaseDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/cases
-
Deletes one or more cases. (deleteCase)
-
You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
Query parameters
-
-
ids (required)
-
-
Query Parameter — The cases that you want to removed. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/cases/{caseId}/comments/{commentId}
-
Deletes a comment or alert from a case. (deleteCaseComment)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
commentId (required)
-
-
Path Parameter — The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
delete /api/cases/{caseId}/comments/{commentId}
-
Deletes a comment or alert from a case in the default space. (deleteCaseCommentDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
commentId (required)
-
-
Path Parameter — The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/cases/{caseId}/comments
-
Deletes all comments and alerts from a case. (deleteCaseComments)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
delete /api/cases/{caseId}/comments
-
Deletes all comments and alerts from a case in the default space. (deleteCaseCommentsDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Deletes one or more cases in the default space. (deleteCaseDefaultSpace)
-
You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
Query parameters
-
-
ids (required)
-
-
Query Parameter — The cases that you want to removed. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/user_actions/_find
-
Finds user activity for a case. (findCaseActivity)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
page (optional)
-
-
Query Parameter — The page number to return. default: 1
perPage (optional)
-
-
Query Parameter — The number of items to return. default: 20
sortOrder (optional)
-
-
Query Parameter — Determines the sort order. default: desc
types (optional)
-
-
Query Parameter — Determines the types of user actions to return. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "userActions" : [ {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- }, {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- } ],
- "total" : 1,
- "perPage" : 6,
- "page" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
findCaseActivityDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}/user_actions/_find
-
Finds user activity for a case in the default space. (findCaseActivityDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
Query parameters
-
-
page (optional)
-
-
Query Parameter — The page number to return. default: 1
perPage (optional)
-
-
Query Parameter — The number of items to return. default: 20
sortOrder (optional)
-
-
Query Parameter — Determines the sort order. default: desc
types (optional)
-
-
Query Parameter — Determines the types of user actions to return. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "userActions" : [ {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- }, {
- "owner" : "cases",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzM1ODg4LDFd"
- } ],
- "total" : 1,
- "perPage" : 6,
- "page" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
findCaseActivityDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/comments/_find
-
Retrieves all the user comments from a case. (findCaseComments)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
page (optional)
-
-
Query Parameter — The page number to return. default: 1
perPage (optional)
-
-
Query Parameter — The number of items to return. Limited to 100 items. default: 20
sortOrder (optional)
-
-
Query Parameter — Determines the sort order. default: desc
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/configure/connectors/_find
-
Retrieves information about connectors. (findCaseConnectors)
-
In particular, only the connectors that are supported for use in cases are returned. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "isPreconfigured" : true,
- "isDeprecated" : true,
- "actionTypeId" : ".none",
- "referencedByCount" : 0,
- "name" : "name",
- "id" : "id",
- "config" : {
- "projectKey" : "projectKey",
- "apiUrl" : "apiUrl"
- },
- "isMissingSecrets" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/configure/connectors/_find
-
Retrieves information about connectors in the default space. (findCaseConnectorsDefaultSpace)
-
In particular, only the connectors that are supported for use in cases are returned. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "isPreconfigured" : true,
- "isDeprecated" : true,
- "actionTypeId" : ".none",
- "referencedByCount" : 0,
- "name" : "name",
- "id" : "id",
- "config" : {
- "projectKey" : "projectKey",
- "apiUrl" : "apiUrl"
- },
- "isMissingSecrets" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/_find
-
Retrieves a paginated subset of cases. (findCases)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
assignees (optional)
-
-
Query Parameter — Filters the returned cases by assignees. Valid values are none or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. default: null
category (optional)
-
-
Query Parameter — Filters the returned cases by category. default: null
defaultSearchOperator (optional)
-
-
Query Parameter — he default operator to use for the simple_query_string. default: OR
from (optional)
-
-
Query Parameter — [preview] Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. default: null
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
page (optional)
-
-
Query Parameter — The page number to return. default: 1
perPage (optional)
-
-
Query Parameter — The number of items to return. default: 20
reporters (optional)
-
-
Query Parameter — Filters the returned cases by the user name of the reporter. default: null
search (optional)
-
-
Query Parameter — An Elasticsearch simple_query_string query that filters the objects in the response. default: null
searchFields (optional)
-
-
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
severity (optional)
-
-
Query Parameter — The severity of the case. default: null
sortField (optional)
-
-
Query Parameter — Determines which field is used to sort the results. default: createdAt
sortOrder (optional)
-
-
Query Parameter — Determines the sort order. default: desc
status (optional)
-
-
Query Parameter — Filters the returned cases by state. default: null
tags (optional)
-
-
Query Parameter — Filters the returned cases by tags. default: null
to (optional)
-
-
Query Parameter — [preview] Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "count_in_progress_cases" : 6,
- "per_page" : 5,
- "total" : 2,
- "cases" : [ {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- }, {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- } ],
- "count_open_cases" : 1,
- "count_closed_cases" : 0,
- "page" : 5
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
findCasesDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/_find
-
Retrieves a paginated subset of cases in the default space. (findCasesDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
-
-
-
-
Query parameters
-
-
assignees (optional)
-
-
Query Parameter — Filters the returned cases by assignees. Valid values are none or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. default: null
category (optional)
-
-
Query Parameter — Filters the returned cases by category. default: null
defaultSearchOperator (optional)
-
-
Query Parameter — he default operator to use for the simple_query_string. default: OR
from (optional)
-
-
Query Parameter — [preview] Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. default: null
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
page (optional)
-
-
Query Parameter — The page number to return. default: 1
perPage (optional)
-
-
Query Parameter — The number of items to return. default: 20
reporters (optional)
-
-
Query Parameter — Filters the returned cases by the user name of the reporter. default: null
search (optional)
-
-
Query Parameter — An Elasticsearch simple_query_string query that filters the objects in the response. default: null
searchFields (optional)
-
-
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
severity (optional)
-
-
Query Parameter — The severity of the case. default: null
sortField (optional)
-
-
Query Parameter — Determines which field is used to sort the results. default: createdAt
sortOrder (optional)
-
-
Query Parameter — Determines the sort order. default: desc
status (optional)
-
-
Query Parameter — Filters the returned cases by state. default: null
tags (optional)
-
-
Query Parameter — Filters the returned cases by tags. default: null
to (optional)
-
-
Query Parameter — [preview] Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "count_in_progress_cases" : 6,
- "per_page" : 5,
- "total" : 2,
- "cases" : [ {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- }, {
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
- } ],
- "count_open_cases" : 1,
- "count_closed_cases" : 0,
- "page" : 5
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
findCasesDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/comments
-
Retrieves all the comments from a case. (getAllCaseComments)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; instead, use the get case comment API, which requires a comment identifier in the path. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}/comments
-
Retrieves all the comments from a case in the default space. (getAllCaseCommentsDefaultSpace)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; instead, use the get case comment API, which requires a comment identifier in the path. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}
-
Retrieves information about a case. (getCase)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
includeComments (optional)
-
-
Query Parameter — Deprecated in 8.1.0. This parameter is deprecated and will be removed in a future release. It determines whether case comments are returned. default: true
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/user_actions
-
Returns all user activity for a case. (getCaseActivity)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find user actions API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "action_id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "case_id" : "22df07d0-03b1-11ed-920c-974bfa104448",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}/user_actions
-
Returns all user activity for a case in the default space. (getCaseActivityDefaultSpace)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find user actions API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "action_id" : "22fd3e30-03b1-11ed-920c-974bfa104448",
- "case_id" : "22df07d0-03b1-11ed-920c-974bfa104448",
- "action" : "create",
- "created_at" : "2022-05-13T09:16:17.416Z",
- "comment_id" : "578608d0-03b1-11ed-920c-974bfa104448",
- "type" : "create_case",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/alerts
-
Gets all alerts attached to a case. (getCaseAlerts)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "index" : "index",
- "id" : "id",
- "attached_at" : "2000-01-23T04:56:07.000+00:00"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}/alerts
-
Gets all alerts attached to a case in the default space. (getCaseAlertsDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "index" : "index",
- "id" : "id",
- "attached_at" : "2000-01-23T04:56:07.000+00:00"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/{caseId}/comments/{commentId}
-
Retrieves a comment from a case. (getCaseComment)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
commentId (required)
-
-
Path Parameter — The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
null
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseCommentDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}/comments/{commentId}
-
Retrieves a comment from a case in the default space. (getCaseCommentDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
commentId (required)
-
-
Path Parameter — The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
null
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseCommentDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/configure
-
Retrieves external connection details, such as the closure type and default connector for cases. (getCaseConfiguration)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/configure
-
Retrieves external connection details, such as the closure type and default connector for cases in the default space. (getCaseConfigurationDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration.
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/{caseId}
-
Retrieves information about a case in the default space. (getCaseDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
-
-
-
Query parameters
-
-
includeComments (optional)
-
-
Query Parameter — Deprecated in 8.1.0. This parameter is deprecated and will be removed in a future release. It determines whether case comments are returned. default: true
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/reporters
-
Returns information about the users who opened cases. (getCaseReporters)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/reporters
-
Returns information about the users who opened cases in the default space. (getCaseReportersDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/status
-
Returns the number of cases that are open, closed, and in progress. (getCaseStatus)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find cases API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "count_in_progress_cases" : 6,
- "count_open_cases" : 1,
- "count_closed_cases" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseStatusDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/status
-
Returns the number of cases that are open, closed, and in progress in the default space. (getCaseStatusDefaultSpace)
-
Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find cases API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "count_in_progress_cases" : 6,
- "count_open_cases" : 1,
- "count_closed_cases" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseStatusDefaultSpace_200_response
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/tags
-
Aggregates and returns a list of case tags. (getCaseTags)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
- array[String]
-
-
-
-
-
Example data
-
Content-Type: application/json
-
""
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/tags
-
Aggregates and returns a list of case tags in the default space. (getCaseTagsDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
- array[String]
-
-
-
-
-
Example data
-
Content-Type: application/json
-
""
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/cases/alerts/{alertId}
-
Returns the cases associated with a specific alert. (getCasesByAlert)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
alertId (required)
-
-
Path Parameter — An identifier for the alert. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
[ {
- "id" : "06116b80-e1c3-11ec-be9b-9b1838238ee6",
- "title" : "security_case"
-} ]
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
get /api/cases/alerts/{alertId}
-
Returns the cases associated with a specific alert in the default space. (getCasesByAlertDefaultSpace)
-
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
-
-
Path parameters
-
-
alertId (required)
-
-
Path Parameter — An identifier for the alert. default: null
-
-
-
-
-
-
Query parameters
-
-
owner (optional)
-
-
Query Parameter — A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
[ {
- "id" : "06116b80-e1c3-11ec-be9b-9b1838238ee6",
- "title" : "security_case"
-} ]
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/cases/{caseId}/connector/{connectorId}/_push
-
Pushes a case to an external service. (pushCase)
-
You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
connectorId (required)
-
-
Path Parameter — An identifier for the connector. To retrieve connector IDs, use the find connectors API. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /api/cases/{caseId}/connector/{connectorId}/_push
-
Pushes a case in the default space to an external service. (pushCaseDefaultSpace)
-
You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
connectorId (required)
-
-
Path Parameter — An identifier for the connector. To retrieve connector IDs, use the find connectors API. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/cases/configure
-
Sets external connection details, such as the closure type and default connector for cases. (setCaseConfiguration)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseConfigurationDefaultSpace_200_response_inner
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
post /api/cases/configure
-
Sets external connection details, such as the closure type and default connector for cases in the default space. (setCaseConfigurationDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details.
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getCaseConfigurationDefaultSpace_200_response_inner
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
patch /s/{spaceId}/api/cases
-
Updates one or more cases. (updateCase)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
patch /s/{spaceId}/api/cases/{caseId}/comments
-
Updates a comment or alert in a case. (updateCaseComment)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
patch /api/cases/{caseId}/comments
-
Updates a comment or alert in a case in the default space. (updateCaseCommentDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.
-
-
Path parameters
-
-
caseId (required)
-
-
Path Parameter — The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
case_response_properties
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
patch /s/{spaceId}/api/cases/configure/{configurationId}
-
Updates external connection details, such as the closure type and default connector for cases. (updateCaseConfiguration)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API.
-
-
Path parameters
-
-
configurationId (required)
-
-
Path Parameter — An identifier for the configuration. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Up
-
patch /api/cases/configure/{configurationId}
-
Updates external connection details, such as the closure type and default connector for cases in the default space. (updateCaseConfigurationDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case configuration. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. Refer to the add connectors API.
-
-
Path parameters
-
-
configurationId (required)
-
-
Path Parameter — An identifier for the configuration. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "closure_type" : "close-by-user",
- "owner" : "cases",
- "mappings" : [ {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- }, {
- "action_type" : "overwrite",
- "source" : "title",
- "target" : "summary"
- } ],
- "connector" : {
- "name" : "none",
- "id" : "none",
- "fields" : "{}",
- "type" : ".none"
- },
- "updated_at" : "2022-06-01T19:58:48.169Z",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "created_at" : "2022-06-01T17:07:17.767Z",
- "id" : "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
- "error" : "error",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzIwNzMsMV0="
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
-
Updates one or more cases in the default space. (updateCaseDefaultSpace)
-
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "owner" : "cases",
- "totalComment" : 0,
- "settings" : {
- "syncAlerts" : true
- },
- "totalAlerts" : 0,
- "closed_at" : "2000-01-23T04:56:07.000+00:00",
- "comments" : [ null, null ],
- "assignees" : [ {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- }, {
- "uid" : "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
- } ],
- "created_at" : "2022-05-13T09:16:17.416Z",
- "description" : "A case description.",
- "title" : "Case title 1",
- "created_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "version" : "WzUzMiwxXQ==",
- "closed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "tags" : [ "tag-1" ],
- "duration" : 120,
- "updated_at" : "2000-01-23T04:56:07.000+00:00",
- "updated_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "id" : "66b9aa00-94fa-11ea-9f74-e7e108796192",
- "external_service" : {
- "external_title" : "external_title",
- "pushed_by" : {
- "full_name" : "full_name",
- "profile_uid" : "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
- "email" : "email",
- "username" : "elastic"
- },
- "external_url" : "external_url",
- "pushed_at" : "2000-01-23T04:56:07.000+00:00",
- "connector_id" : "connector_id",
- "external_id" : "external_id",
- "connector_name" : "connector_name"
- }
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
4xx_response
-
-
-
-
- [ Jump to
Methods ]
-
-
Table of Contents
-
- 4xx_response - Unsuccessful cases API responseCase_response_properties_for_comments_inner - Case_response_properties_for_connectors - Case response properties for connectorsaction_types - actions - add_alert_comment_request_properties - Add case comment request properties for alertsadd_case_comment_request - Add case comment requestadd_user_comment_request_properties - Add case comment request properties for user commentsalert_comment_response_properties - Add case comment response properties for alertsalert_comment_response_properties_rule - alert_identifiers - Alert identifiersalert_indices - Alert indicesalert_response_properties - assignees_inner - case_response_closed_by_properties - Case response properties for closed_bycase_response_created_by_properties - Case response properties for created_bycase_response_properties - Case response propertiescase_response_pushed_by_properties - Case response properties for pushed_bycase_response_updated_by_properties - Case response properties for updated_byclosure_types - connector_properties_cases_webhook - Create or upate case request properties for Cases Webhook connectorconnector_properties_jira - Create or update case request properties for a Jira connectorconnector_properties_jira_fields - connector_properties_none - Create or update case request properties for no connectorconnector_properties_resilient - Create case request properties for a IBM Resilient connectorconnector_properties_resilient_fields - connector_properties_servicenow - Create case request properties for a ServiceNow ITSM connectorconnector_properties_servicenow_fields - connector_properties_servicenow_sir - Create case request properties for a ServiceNow SecOps connectorconnector_properties_servicenow_sir_fields - connector_properties_swimlane - Create case request properties for a Swimlane connectorconnector_properties_swimlane_fields - connector_types - create_case_request - Create case requestcreate_case_request_connector - external_service - findCaseActivityDefaultSpace_200_response - findCaseConnectorsDefaultSpace_200_response_inner - findCaseConnectorsDefaultSpace_200_response_inner_config - findCasesDefaultSpace_200_response - findCasesDefaultSpace_assignees_parameter - findCasesDefaultSpace_category_parameter - findCasesDefaultSpace_owner_parameter - findCasesDefaultSpace_searchFields_parameter - getCaseCommentDefaultSpace_200_response - getCaseConfigurationDefaultSpace_200_response_inner - getCaseConfigurationDefaultSpace_200_response_inner_connector - getCaseConfigurationDefaultSpace_200_response_inner_created_by - getCaseConfigurationDefaultSpace_200_response_inner_mappings_inner - getCaseConfigurationDefaultSpace_200_response_inner_updated_by - getCaseStatusDefaultSpace_200_response - getCasesByAlertDefaultSpace_200_response_inner - owners - payload_alert_comment - payload_alert_comment_comment - payload_alert_comment_comment_alertId - payload_alert_comment_comment_index - payload_assignees - payload_connector - payload_connector_connector - payload_connector_connector_fields - payload_create_case - payload_description - payload_pushed - payload_settings - payload_severity - payload_status - payload_tags - payload_title - payload_user_comment - payload_user_comment_comment - rule - Alerting rulesearchFieldsType - set_case_configuration_request - Set case configuration requestset_case_configuration_request_connector - set_case_configuration_request_settings - settings - severity_property - status - update_alert_comment_request_properties - Update case comment request properties for alertsupdate_case_comment_request - Update case comment requestupdate_case_configuration_request - Update case configuration requestupdate_case_request - Update case requestupdate_case_request_cases_inner - update_user_comment_request_properties - Update case comment request properties for user commentsuser_actions_find_response_properties - user_actions_response_properties - user_actions_response_properties_created_by - user_actions_response_properties_payload - user_comment_response_properties - Case response properties for user comments
-
-
-
-
-
-
error (optional)
-
message (optional)
-
statusCode (optional)
-
-
-
-
-
-
-
alertId (optional)
-
created_at (optional)
-
created_by (optional)
-
id (optional)
-
index (optional)
-
owner (optional)
-
pushed_at (optional)
-
pushed_by (optional)
-
rule (optional)
-
type
-
-
user
-
updated_at (optional)
-
updated_by (optional)
-
version (optional)
-
comment (optional)
-
-
-
-
-
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.swimlane
-
-
-
-
-
The type of action.
-
-
-
-
-
-
-
Defines properties for case comment requests when type is alert.
-
-
alertId
-
index
-
owner
-
rule
-
type
-
-
alert
-
-
-
-
-
The add comment to case API request body varies depending on whether you are adding an alert or a comment.
-
-
alertId
-
index
-
owner
-
rule
-
type
-
-
user
-
comment
String The new comment. It is required only when
type is
user.
-
-
-
-
-
Defines properties for case comment requests when type is user.
-
-
comment
String The new comment. It is required only when
type is
user.
-
owner
-
type
-
-
user
-
-
-
-
-
-
-
alertId (optional)
-
created_at (optional)
-
created_by (optional)
-
id (optional)
-
index (optional)
-
owner (optional)
-
pushed_at (optional)
-
pushed_by (optional)
-
rule (optional)
-
type
-
-
alert
-
updated_at (optional)
-
updated_by (optional)
-
version (optional)
-
-
-
-
-
-
-
id (optional)
-
name (optional)
-
-
-
-
-
The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
-
-
-
-
-
-
The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
-
-
-
-
-
-
-
-
attached_at (optional)
-
id (optional)
-
index (optional)
-
-
-
-
-
-
-
uid
String A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
-
-
-
-
-
-
-
email
-
full_name
-
username
-
profile_uid (optional)
-
-
-
-
-
-
-
email
-
full_name
-
username
-
profile_uid (optional)
-
-
-
-
-
-
-
assignees (optional)
-
closed_at
-
closed_by
-
comments
-
connector
-
created_at
-
created_by
-
description
-
duration
Integer The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
-
external_service
-
id
-
owner
-
settings
-
severity
-
status
-
tags
-
title
-
totalAlerts
-
totalComment
-
updated_at
-
updated_by
-
version
-
-
-
-
-
-
-
email
-
full_name
-
username
-
profile_uid (optional)
-
-
-
-
-
-
-
email
-
full_name
-
username
-
profile_uid (optional)
-
-
-
-
-
Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).
-
-
-
-
-
-
Defines properties for connectors when type is .cases-webhook.
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.cases-webhook
-
-
-
-
-
Defines properties for connectors when type is .jira.
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.jira
-
-
-
-
-
An object containing the connector fields. If you want to omit any individual field, specify null as its value.
-
-
issueType
-
parent
String The key of the parent issue, when the issue type is sub-task.
-
priority
String The priority of the issue.
-
-
-
-
-
Defines properties for connectors when type is .none.
-
-
fields
String An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
-
id
String The identifier for the connector. To create a case without a connector, use
none. To update a case to remove the connector, specify
none.
-
name
String The name of the connector. To create a case without a connector, use
none. To update a case to remove the connector, specify
none.
-
type
String The type of connector. To create a case without a connector, use
.none. To update a case to remove the connector, specify
.none.
-
-
.none
-
-
-
-
-
Defines properties for connectors when type is .resilient.
-
-
fields
-
id
String The identifier for the connector.
-
name
String The name of the connector.
-
type
-
-
.resilient
-
-
-
-
-
An object containing the connector fields. If you want to omit any individual field, specify null as its value.
-
-
issueTypes
-
severityCode
String The severity code of the incident.
-
-
-
-
-
Defines properties for connectors when type is .servicenow.
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.servicenow
-
-
-
-
-
An object containing the connector fields. If you want to omit any individual field, specify null as its value.
-
-
category
String The category of the incident.
-
impact
String The effect an incident had on business.
-
severity
String The severity of the incident.
-
subcategory
String The subcategory of the incident.
-
urgency
String The extent to which the incident resolution can be delayed.
-
-
-
-
-
Defines properties for connectors when type is .servicenow-sir.
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.servicenow-sir
-
-
-
-
-
An object containing the connector fields. If you want to omit any individual field, specify null as its value.
-
-
category
String The category of the incident.
-
destIp
Boolean Indicates whether cases will send a comma-separated list of destination IPs.
-
malwareHash
Boolean Indicates whether cases will send a comma-separated list of malware hashes.
-
malwareUrl
Boolean Indicates whether cases will send a comma-separated list of malware URLs.
-
priority
String The priority of the issue.
-
sourceIp
Boolean Indicates whether cases will send a comma-separated list of source IPs.
-
subcategory
String The subcategory of the incident.
-
-
-
-
-
Defines properties for connectors when type is .swimlane.
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.swimlane
-
-
-
-
-
An object containing the connector fields. If you want to omit any individual field, specify null as its value.
-
-
caseId
String The case identifier for Swimlane connectors.
-
-
-
-
-
The type of connector.
-
-
-
-
-
-
The create case API request body varies depending on the type of connector.
-
-
assignees (optional)
-
connector
-
description
String The description for the case.
-
owner
-
settings
-
severity (optional)
-
tags
array[String] The words and phrases that help categorize cases. It can be an empty array.
-
title
-
-
-
-
-
-
-
fields
-
id
String The identifier for the connector. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector.
-
type
-
-
.swimlane
-
-
-
-
-
-
-
connector_id (optional)
-
connector_name (optional)
-
external_id (optional)
-
external_title (optional)
-
external_url (optional)
-
pushed_at (optional)
-
pushed_by (optional)
-
-
-
-
-
-
-
page (optional)
-
perPage (optional)
-
total (optional)
-
userActions (optional)
-
-
-
-
-
-
-
actionTypeId (optional)
-
config (optional)
-
id (optional)
-
isDeprecated (optional)
-
isMissingSecrets (optional)
-
isPreconfigured (optional)
-
name (optional)
-
referencedByCount (optional)
-
-
-
-
-
-
-
apiUrl (optional)
-
projectKey (optional)
-
-
-
-
-
-
-
cases (optional)
-
count_closed_cases (optional)
-
count_in_progress_cases (optional)
-
count_open_cases (optional)
-
page (optional)
-
per_page (optional)
-
total (optional)
-
-
-
-
-
-
-
-
-
-
-
alertId (optional)
-
created_at (optional)
-
created_by (optional)
-
id (optional)
-
index (optional)
-
owner (optional)
-
pushed_at (optional)
-
pushed_by (optional)
-
rule (optional)
-
type
-
-
user
-
updated_at (optional)
-
updated_by (optional)
-
version (optional)
-
comment (optional)
-
-
-
-
-
-
-
closure_type (optional)
-
connector (optional)
-
created_at (optional)
-
created_by (optional)
-
error (optional)
-
id (optional)
-
mappings (optional)
-
owner (optional)
-
updated_at (optional)
-
updated_by (optional)
-
version (optional)
-
-
-
-
-
-
-
fields (optional)
Object The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to
null.
-
id (optional)
String The identifier for the connector. If you do not want a default connector, use
none. To retrieve connector IDs, use the find connectors API.
-
name (optional)
String The name of the connector. If you do not want a default connector, use
none. To retrieve connector names, use the find connectors API.
-
type (optional)
-
-
-
-
-
-
-
email (optional)
-
full_name (optional)
-
username (optional)
-
profile_uid (optional)
-
-
-
-
-
-
-
action_type (optional)
-
source (optional)
-
target (optional)
-
-
-
-
-
-
-
email (optional)
-
full_name (optional)
-
username (optional)
-
profile_uid (optional)
-
-
-
-
-
-
-
count_closed_cases (optional)
-
count_in_progress_cases (optional)
-
count_open_cases (optional)
-
-
-
-
-
-
-
id (optional)
-
title (optional)
-
-
-
-
-
The application that owns the cases: Stack Management, Observability, or Elastic Security.
-
-
-
-
-
-
-
-
-
alertId (optional)
-
index (optional)
-
owner (optional)
-
rule (optional)
-
type (optional)
-
-
alert
-
-
-
-
-
-
-
-
-
-
-
fields (optional)
-
id (optional)
String The identifier for the connector. To create a case without a connector, use
none.
-
name (optional)
String The name of the connector. To create a case without a connector, use
none.
-
type (optional)
-
-
-
-
-
An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
-
-
caseId (optional)
String The case identifier for Swimlane connectors.
-
category (optional)
String The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
-
destIp (optional)
Boolean Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
-
impact (optional)
String The effect an incident had on business for ServiceNow ITSM connectors.
-
issueType (optional)
String The type of issue for Jira connectors.
-
issueTypes (optional)
-
malwareHash (optional)
Boolean Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
-
malwareUrl (optional)
Boolean Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
-
parent (optional)
String The key of the parent issue, when the issue type is sub-task for Jira connectors.
-
priority (optional)
String The priority of the issue for Jira and ServiceNow SecOps connectors.
-
severity (optional)
String The severity of the incident for ServiceNow ITSM connectors.
-
severityCode (optional)
String The severity code of the incident for IBM Resilient connectors.
-
sourceIp (optional)
Boolean Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
-
subcategory (optional)
String The subcategory of the incident for ServiceNow ITSM connectors.
-
urgency (optional)
String The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
-
-
-
-
-
-
-
assignees (optional)
-
connector (optional)
-
description (optional)
-
owner (optional)
-
settings (optional)
-
severity (optional)
-
status (optional)
-
tags (optional)
-
title (optional)
-
-
-
-
-
-
-
description (optional)
-
-
-
-
-
-
-
externalService (optional)
-
-
-
-
-
-
-
-
-
-
-
-
-
comment (optional)
-
owner (optional)
-
type (optional)
-
-
user
-
-
-
-
-
The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will apply best effort to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
-
-
id (optional)
-
name (optional)
-
-
-
-
-
The fields to perform the simple_query_string parsed query against.
-
-
-
-
-
-
External connection details, such as the closure type and default connector for cases.
-
-
closure_type
-
connector
-
owner
-
settings (optional)
-
-
-
-
-
An object that contains the connector configuration.
-
-
fields
Object The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to
null.
-
id
String The identifier for the connector. If you do not want a default connector, use
none. To retrieve connector IDs, use the find connectors API.
-
name
String The name of the connector. If you do not want a default connector, use
none. To retrieve connector names, use the find connectors API.
-
type
-
-
-
-
-
An object that contains the case settings.
-
-
syncAlerts
Boolean Turns alert syncing on or off.
-
-
-
-
-
An object that contains the case settings.
-
-
syncAlerts
Boolean Turns alert syncing on or off.
-
-
-
-
-
The severity of the case.
-
-
-
-
-
-
The status of the case.
-
-
-
-
-
-
Defines properties for case comment requests when type is alert.
-
-
alertId
-
id
String The identifier for the comment. To retrieve comment IDs, use the get comments API.
-
index
-
owner
-
rule
-
type
-
-
alert
-
version
String The current comment version. To retrieve version values, use the get comments API.
-
-
-
-
-
The update case comment API request body varies depending on whether you are updating an alert or a comment.
-
-
alertId
-
id
String The identifier for the comment. To retrieve comment IDs, use the get comments API.
-
index
-
owner
-
rule
-
type
-
-
user
-
version
String The current comment version. To retrieve version values, use the get comments API.
-
comment
String The new comment. It is required only when
type is
user.
-
-
-
-
-
External connection details, such as the closure type and default connector for cases.
-
-
closure_type (optional)
-
connector (optional)
-
version
String The version of the connector. To retrieve the version value, use the get configuration API.
-
-
-
-
-
The update case API request body varies depending on the type of connector.
-
-
-
-
-
-
-
assignees (optional)
-
connector (optional)
-
description (optional)
String An updated description for the case.
-
id
String The identifier for the case.
-
settings (optional)
-
severity (optional)
-
status (optional)
-
tags (optional)
-
title (optional)
-
version
String The current version of the case. To determine this value, use the get case or find cases APIs.
-
-
-
-
-
Defines properties for case comment requests when type is user.
-
-
comment
String The new comment. It is required only when
type is
user.
-
id
String The identifier for the comment. To retrieve comment IDs, use the get comments API.
-
owner
-
type
-
-
user
-
version
String The current comment version. To retrieve version values, use the get comments API.
-
-
-
-
-
-
-
action
-
comment_id
-
created_at
-
created_by
-
id
-
owner
-
payload
-
version
-
type
-
-
assignees
create_case
comment
connector
description
pushed
tags
title
status
settings
severity
-
-
-
-
-
-
-
action
-
action_id
-
case_id
-
comment_id
-
created_at
-
created_by
-
owner
-
payload
-
type
-
-
-
-
-
-
-
email
-
full_name
-
username
-
profile_uid (optional)
-
-
-
-
-
-
-
comment (optional)
-
assignees (optional)
-
connector (optional)
-
description (optional)
-
owner (optional)
-
settings (optional)
-
severity (optional)
-
status (optional)
-
tags (optional)
-
title (optional)
-
externalService (optional)
-
-
-
-
-
-
-
comment (optional)
-
created_at (optional)
-
created_by (optional)
-
id (optional)
-
owner (optional)
-
pushed_at (optional)
-
pushed_by (optional)
-
type
-
-
user
-
updated_at (optional)
-
updated_by (optional)
-
version (optional)
-
-
-
-
Access
-
- - APIKey KeyParamName:ApiKey KeyInQuery:false KeyInHeader:true
- - HTTP Basic Authentication
-
-
-
- [ Jump to
Models ]
-
-
Table of Contents
-
-
-
-
-
-
-
-
Up
-
post /s/{spaceId}/api/actions/connector
-
Creates a connector. (createConnector)
-
You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
null
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
connector_response_properties
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/actions/connector/{connectorId}
-
Creates a connector. (createConnectorId)
-
You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
connectorId (required)
-
-
Path Parameter — A UUID v1 or v4 identifier for the connector. If you omit this parameter, an identifier is randomly generated. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
null
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
connector_response_properties
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/actions/connector/{connectorId}
-
Deletes a connector. (deleteConnector)
-
You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. WARNING: When you delete a connector, it cannot be recovered.
-
-
Path parameters
-
-
connectorId (required)
-
-
Path Parameter — An identifier for the connector. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
404
- Object is not found.
-
getConnector_404_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/actions/connector/{connectorId}
-
Retrieves a connector by ID. (getConnector)
-
You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
-
-
Path parameters
-
-
connectorId (required)
-
-
Path Parameter — An identifier for the connector. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
null
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
connector_response_properties
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
404
- Object is not found.
-
getConnector_404_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/actions/connector_types
-
Retrieves a list of all connector types. (getConnectorTypes)
-
You do not need any Kibana feature privileges to run this API.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
feature_id (optional)
-
-
Query Parameter — A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). default: null
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "supported_feature_ids" : [ "alerting", "uptime", "siem" ],
- "name" : "Index",
- "enabled_in_license" : true,
- "id" : ".server-log",
- "enabled_in_config" : true,
- "minimum_license_required" : "basic",
- "enabled" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/actions/connectors
-
Retrieves all connectors. (getConnectors)
-
You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "is_missing_secrets" : false,
- "is_deprecated" : false,
- "is_preconfigured" : false,
- "name" : "my-connector",
- "referenced_by_count" : 2,
- "id" : "b0766e10-d190-11ec-b04c-776c77d14fca",
- "config" : {
- "key" : ""
- },
- "connector_type_id" : ".server-log"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/actions
-
Creates a connector. (legacyCreateConnector)
-
Deprecated in 7.13.0. Use the create connector API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "isPreconfigured" : true,
- "isDeprecated" : true,
- "actionTypeId" : "actionTypeId",
- "name" : "name",
- "id" : "id",
- "config" : "{}",
- "isMissingSecrets" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
action_response_properties
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/actions/action/{actionId}
-
Deletes a connector. (legacyDeleteConnector)
-
Deprecated in 7.13.0. Use the delete connector API instead. WARNING: When you delete a connector, it cannot be recovered.
-
-
Path parameters
-
-
actionId (required)
-
-
Path Parameter — An identifier for the action. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/actions/action/{actionId}
-
Retrieves a connector by ID. (legacyGetConnector)
-
Deprecated in 7.13.0. Use the get connector API instead.
-
-
Path parameters
-
-
actionId (required)
-
-
Path Parameter — An identifier for the action. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "isPreconfigured" : true,
- "isDeprecated" : true,
- "actionTypeId" : "actionTypeId",
- "name" : "name",
- "id" : "id",
- "config" : "{}",
- "isMissingSecrets" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
action_response_properties
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/actions/list_action_types
-
Retrieves a list of all connector types. (legacyGetConnectorTypes)
-
Deprecated in 7.13.0. Use the get all connector types API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "enabledInConfig" : true,
- "name" : "name",
- "enabledInLicense" : true,
- "id" : "id",
- "minimumLicenseRequired" : "minimumLicenseRequired",
- "enabled" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/actions
-
Retrieves all connectors. (legacyGetConnectors)
-
Deprecated in 7.13.0. Use the get all connectors API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "isPreconfigured" : true,
- "isDeprecated" : true,
- "actionTypeId" : "actionTypeId",
- "name" : "name",
- "id" : "id",
- "config" : "{}",
- "isMissingSecrets" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/actions/action/{actionId}/_execute
-
Runs a connector. (legacyRunConnector)
-
Deprecated in 7.13.0. Use the run connector API instead.
-
-
Path parameters
-
-
actionId (required)
-
-
Path Parameter — An identifier for the action. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "actionId" : "actionId",
- "status" : "status"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
legacyRunConnector_200_response
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
put /s/{spaceId}/api/actions/action/{actionId}
-
Updates the attributes for a connector. (legacyUpdateConnector)
-
Deprecated in 7.13.0. Use the update connector API instead.
-
-
Path parameters
-
-
actionId (required)
-
-
Path Parameter — An identifier for the action. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "isPreconfigured" : true,
- "isDeprecated" : true,
- "actionTypeId" : "actionTypeId",
- "name" : "name",
- "id" : "id",
- "config" : "{}",
- "isMissingSecrets" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
action_response_properties
-
404
- Object is not found.
-
Not_found_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/actions/connector/{connectorId}/_execute
-
Runs a connector. (runConnector)
-
You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. If you use an index connector, you must also have all, create, index, or write indices privileges.
-
-
Path parameters
-
-
connectorId (required)
-
-
Path Parameter — An identifier for the connector. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "connector_id" : "connector_id",
- "status" : "error"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
runConnector_200_response
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
-
-
-
-
Up
-
put /s/{spaceId}/api/actions/connector/{connectorId}
-
Updates the attributes for a connector. (updateConnector)
-
You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
-
-
Path parameters
-
-
connectorId (required)
-
-
Path Parameter — An identifier for the connector. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
null
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
connector_response_properties
-
400
- Indicates a bad request.
-
updateConnector_400_response
-
401
- Authorization information is missing or invalid.
-
Unauthorized_response
-
404
- Object is not found.
-
Not_found_response
-
-
-
-
- [ Jump to
Methods ]
-
-
Table of Contents
-
- Alert_identifier_mapping - Alert identifier mappingCase_comment_mapping - Case comment mappingCase_description_mapping - Case description mappingCase_identifier_mapping - Case identifier mappingCase_name_mapping - Case name mappingConnector_mappings_properties_for_a_Swimlane_connector - Connector mappings properties for a Swimlane connectorCreate_connector_request_body_properties - Create connector request body propertiesGet_connector_types_response_body_properties_inner - Get_connectors_response_body_properties - Get connectors response body propertiesLegacy_create_connector_request_properties - Legacy create connector request propertiesLegacy_get_connector_types_response_body_properties_inner - Legacy_run_connector_request_body_properties - Legacy run connector request body propertiesLegacy_update_connector_request_body_properties - Legacy update connector request body propertiesNot_found_response - Not found responseRule_name_mapping - Rule name mappingRun_connector_request_body_properties - Run connector request body propertiesRun_connector_request_body_properties_params - Severity_mapping - Severity mappingSubaction_parameters - Subaction parametersUnauthorized_response - Unauthorized responseUpdate_connector_request_body_properties - Update connector request body propertiesaction_response_properties - Action response propertiesconfig_properties_cases_webhook - Connector request properties for Webhook - Case Management connectorconfig_properties_genai - Connector request properties for a generative AI connectorconfig_properties_index - Connector request properties for an index connectorconfig_properties_jira - Connector request properties for a Jira connectorconfig_properties_opsgenie - Connector request properties for an Opsgenie connectorconfig_properties_resilient - Connector request properties for a IBM Resilient connectorconfig_properties_servicenow - Connector request properties for a ServiceNow ITSM connectorconfig_properties_servicenow_itom - Connector request properties for a ServiceNow ITSM connectorconfig_properties_swimlane - Connector request properties for a Swimlane connectorconnector_response_properties - Connector response propertiesconnector_response_properties_cases_webhook - Connector request properties for a Webhook - Case Management connectorconnector_response_properties_email - Connector response properties for an email connectorconnector_response_properties_index - Connector response properties for an index connectorconnector_response_properties_jira - Connector response properties for a Jira connectorconnector_response_properties_opsgenie - Connector response properties for an Opsgenie connectorconnector_response_properties_pagerduty - Connector response properties for a PagerDuty connectorconnector_response_properties_resilient - Connector response properties for a IBM Resilient connectorconnector_response_properties_serverlog - Connector response properties for a server log connectorconnector_response_properties_servicenow - Connector response properties for a ServiceNow ITSM connectorconnector_response_properties_servicenow_itom - Connector response properties for a ServiceNow ITOM connectorconnector_response_properties_servicenow_sir - Connector response properties for a ServiceNow SecOps connectorconnector_response_properties_slack_api - Connector response properties for a Slack connectorconnector_response_properties_slack_webhook - Connector response properties for a Slack connectorconnector_response_properties_swimlane - Connector response properties for a Swimlane connectorconnector_response_properties_teams - Connector response properties for a Microsoft Teams connectorconnector_response_properties_tines - Connector response properties for a Tines connectorconnector_response_properties_webhook - Connector response properties for a Webhook connectorconnector_response_properties_xmatters - Connector response properties for an xMatters connectorconnector_types - Connector typescreate_connector_request_cases_webhook - Create Webhook - Case Managment connector requestcreate_connector_request_email - Create email connector requestcreate_connector_request_genai - Create generative AI connector requestcreate_connector_request_index - Create index connector requestcreate_connector_request_jira - Create Jira connector requestcreate_connector_request_opsgenie - Create Opsgenie connector requestcreate_connector_request_pagerduty - Create PagerDuty connector requestcreate_connector_request_resilient - Create IBM Resilient connector requestcreate_connector_request_serverlog - Create server log connector requestcreate_connector_request_servicenow - Create ServiceNow ITSM connector requestcreate_connector_request_servicenow_itom - Create ServiceNow ITOM connector requestcreate_connector_request_servicenow_sir - Create ServiceNow SecOps connector requestcreate_connector_request_slack_api - Create Slack connector requestcreate_connector_request_slack_webhook - Create Slack connector requestcreate_connector_request_swimlane - Create Swimlane connector requestcreate_connector_request_teams - Create Microsoft Teams connector requestcreate_connector_request_tines - Create Tines connector requestcreate_connector_request_webhook - Create Webhook connector requestcreate_connector_request_xmatters - Create xMatters connector requestfeatures - getConnector_404_response - legacyRunConnector_200_response - runConnector_200_response - runConnector_200_response_data - run_connector_params_documents - Index connector parametersrun_connector_params_level_message - Server log connector parametersrun_connector_subaction_addevent - The addEvent subactionrun_connector_subaction_addevent_subActionParams - run_connector_subaction_closealert - The closeAlert subactionrun_connector_subaction_closealert_subActionParams - run_connector_subaction_createalert - The createAlert subactionrun_connector_subaction_createalert_subActionParams - run_connector_subaction_createalert_subActionParams_responders_inner - run_connector_subaction_createalert_subActionParams_visibleTo_inner - run_connector_subaction_fieldsbyissuetype - The fieldsByIssueType subactionrun_connector_subaction_fieldsbyissuetype_subActionParams - run_connector_subaction_getchoices - The getChoices subactionrun_connector_subaction_getchoices_subActionParams - run_connector_subaction_getfields - The getFields subactionrun_connector_subaction_getincident - The getIncident subactionrun_connector_subaction_getincident_subActionParams - run_connector_subaction_issue - The issue subactionrun_connector_subaction_issue_subActionParams - run_connector_subaction_issues - The issues subactionrun_connector_subaction_issues_subActionParams - run_connector_subaction_issuetypes - The issueTypes subactionrun_connector_subaction_pushtoservice - The pushToService subactionrun_connector_subaction_pushtoservice_subActionParams - run_connector_subaction_pushtoservice_subActionParams_comments_inner - run_connector_subaction_pushtoservice_subActionParams_incident - run_connector_subaction_pushtoservice_subActionParams_incident_dest_ip - run_connector_subaction_pushtoservice_subActionParams_incident_malware_hash - run_connector_subaction_pushtoservice_subActionParams_incident_malware_url - run_connector_subaction_pushtoservice_subActionParams_incident_source_ip - secrets_properties_cases_webhook - Connector secrets properties for Webhook - Case Management connectorsecrets_properties_genai - Connector secrets properties for a generative AI connectorsecrets_properties_jira - Connector secrets properties for a Jira connectorsecrets_properties_opsgenie - Connector secrets properties for an Opsgenie connectorsecrets_properties_resilient - Connector secrets properties for IBM Resilient connectorsecrets_properties_servicenow - Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectorssecrets_properties_slack_api - Connector secrets properties for a Web API Slack connectorsecrets_properties_slack_webhook - Connector secrets properties for a Webhook Slack connectorsecrets_properties_swimlane - Connector secrets properties for a Swimlane connectorupdateConnector_400_response - update_connector_request_cases_webhook - Update Webhook - Case Managment connector requestupdate_connector_request_index - Update index connector requestupdate_connector_request_jira - Update Jira connector requestupdate_connector_request_opsgenie - Update Opsgenie connector requestupdate_connector_request_resilient - Update IBM Resilient connector requestupdate_connector_request_serverlog - Update server log connector requestupdate_connector_request_servicenow - Update ServiceNow ITSM connector or ServiceNow SecOps requestupdate_connector_request_servicenow_itom - Create ServiceNow ITOM connector requestupdate_connector_request_slack_api - Update Slack connector requestupdate_connector_request_slack_webhook - Update Slack connector requestupdate_connector_request_swimlane - Update Swimlane connector request
-
-
-
-
Mapping for the alert ID.
-
-
fieldType
String The type of field in Swimlane.
-
id
String The identifier for the field in Swimlane.
-
key
String The key for the field in Swimlane.
-
name
String The name of the field in Swimlane.
-
-
-
-
-
Mapping for the case comments.
-
-
fieldType
String The type of field in Swimlane.
-
id
String The identifier for the field in Swimlane.
-
key
String The key for the field in Swimlane.
-
name
String The name of the field in Swimlane.
-
-
-
-
-
Mapping for the case description.
-
-
fieldType
String The type of field in Swimlane.
-
id
String The identifier for the field in Swimlane.
-
key
String The key for the field in Swimlane.
-
name
String The name of the field in Swimlane.
-
-
-
-
-
Mapping for the case ID.
-
-
fieldType
String The type of field in Swimlane.
-
id
String The identifier for the field in Swimlane.
-
key
String The key for the field in Swimlane.
-
name
String The name of the field in Swimlane.
-
-
-
-
-
Mapping for the case name.
-
-
fieldType
String The type of field in Swimlane.
-
id
String The identifier for the field in Swimlane.
-
key
String The key for the field in Swimlane.
-
name
String The name of the field in Swimlane.
-
-
-
-
-
The field mapping.
-
-
alertIdConfig (optional)
-
caseIdConfig (optional)
-
caseNameConfig (optional)
-
commentsConfig (optional)
-
descriptionConfig (optional)
-
ruleNameConfig (optional)
-
severityConfig (optional)
-
-
-
-
-
The properties vary depending on the connector type.
-
-
config
-
connector_type_id
-
-
.xmatters
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
-
-
enabled (optional)
Boolean Indicates whether the connector type is enabled in Kibana.
-
enabled_in_config (optional)
Boolean Indicates whether the connector type is enabled in the Kibana
.yml file.
-
enabled_in_license (optional)
Boolean Indicates whether the connector is enabled in the license.
-
id (optional)
-
minimum_license_required (optional)
String The license that is required to use the connector type.
-
name (optional)
String The name of the connector type.
-
supported_feature_ids (optional)
array[features] The Kibana features that are supported by the connector type.
-
-
-
-
-
The properties vary for each connector type.
-
-
connector_type_id
-
config (optional)
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
referenced_by_count
Integer Indicates the number of saved objects that reference the connector. If
is_preconfigured is true, this value is not calculated.
-
-
-
-
-
-
-
actionTypeId (optional)
String The connector type identifier.
-
config (optional)
Object The configuration for the connector. Configuration properties vary depending on the connector type.
-
name (optional)
String The display name for the connector.
-
secrets (optional)
Object The secrets configuration for the connector. Secrets configuration properties vary depending on the connector type. NOTE: Remember these values. You must provide them each time you update the connector.
-
-
-
-
-
-
-
enabled (optional)
Boolean Indicates whether the connector type is enabled in Kibana.
-
enabledInConfig (optional)
Boolean Indicates whether the connector type is enabled in the Kibana
.yml file.
-
enabledInLicense (optional)
Boolean Indicates whether the connector is enabled in the license.
-
id (optional)
String The unique identifier for the connector type.
-
minimumLicenseRequired (optional)
String The license that is required to use the connector type.
-
name (optional)
String The name of the connector type.
-
-
-
-
-
The properties vary depending on the connector type.
-
-
params
Object The parameters of the connector. Parameter properties vary depending on the connector type.
-
-
-
-
-
The properties vary depending on the connector type.
-
-
config (optional)
Object The new connector configuration. Configuration properties vary depending on the connector type.
-
name (optional)
String The new name for the connector.
-
secrets (optional)
Object The updated secrets configuration for the connector. Secrets properties vary depending on the connector type.
-
-
-
-
-
-
-
error (optional)
-
-
Not Found
-
message (optional)
-
statusCode (optional)
-
-
404
-
-
-
-
-
Mapping for the name of the alert's rule.
-
-
fieldType
String The type of field in Swimlane.
-
id
String The identifier for the field in Swimlane.
-
key
String The key for the field in Swimlane.
-
name
String The name of the field in Swimlane.
-
-
-
-
-
The properties vary depending on the connector type.
-
-
-
-
-
-
-
documents
-
level (optional)
String The log level of the message for server log connectors.
-
-
debug
error
fatal
info
trace
warn
-
message
String The message for server log connectors.
-
subAction
-
-
pushToService
-
subActionParams
-
-
-
-
-
Mapping for the severity.
-
-
fieldType
String The type of field in Swimlane.
-
id
String The identifier for the field in Swimlane.
-
key
String The key for the field in Swimlane.
-
name
String The name of the field in Swimlane.
-
-
-
-
-
Test an action that involves a subaction.
-
-
subAction
-
-
pushToService
-
subActionParams
-
-
-
-
-
-
-
error (optional)
-
-
Unauthorized
-
message (optional)
-
statusCode (optional)
-
-
401
-
-
-
-
-
The properties vary depending on the connector type.
-
-
config
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The properties vary depending on the action type.
-
-
actionTypeId (optional)
-
config (optional)
-
id (optional)
-
isDeprecated (optional)
Boolean Indicates whether the action type is deprecated.
-
isMissingSecrets (optional)
Boolean Indicates whether secrets are missing for the action.
-
isPreconfigured (optional)
Boolean Indicates whether it is a preconfigured action.
-
name (optional)
-
-
-
-
-
Defines properties for connectors when type is .cases-webhook.
-
-
createCommentJson (optional)
String A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is
case.comment. Due to Mustache template variables (the text enclosed in triple braces, for example,
{{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
-
createCommentMethod (optional)
String The REST API HTTP request method to create a case comment in the third-party system. Valid values are
patch,
post, and
put.
-
-
patch
post
put
-
createCommentUrl (optional)
String The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the
xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
-
createIncidentJson
String A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are
case.title and
case.description. Due to Mustache template variables (which is the text enclosed in triple braces, for example,
{{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
-
createIncidentMethod (optional)
String The REST API HTTP request method to create a case in the third-party system. Valid values are
patch,
post, and
put.
-
-
patch
post
put
-
createIncidentResponseKey
String The JSON key in the create case response that contains the external case ID.
-
createIncidentUrl
String The REST API URL to create a case in the third-party system. If you are using the
xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
-
getIncidentResponseExternalTitleKey
String The JSON key in get case response that contains the external case title.
-
getIncidentUrl
String The REST API URL to get the case by ID from the third-party system. If you are using the
xpack.actions.allowedHosts setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example,
{{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
-
hasAuth (optional)
Boolean If true, a username and password for login type authentication must be provided.
-
headers (optional)
String A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.
-
updateIncidentJson
String The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are
case.title and
case.description. Due to Mustache template variables (which is the text enclosed in triple braces, for example,
{{{case.title}}}), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
-
updateIncidentMethod (optional)
String The REST API HTTP request method to update the case in the third-party system. Valid values are
patch,
post, and
put.
-
-
patch
post
put
-
updateIncidentUrl
String The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the
xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
-
viewIncidentUrl
String The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.
-
-
-
-
-
Defines properties for connectors when type is .gen-ai.
-
-
apiProvider (optional)
String The OpenAI API provider.
-
apiUrl (optional)
String The OpenAI API endpoint.
-
-
-
-
-
Defines properties for connectors when type is .index.
-
-
executionTimeField (optional)
String Specifies a field that will contain the time the alert condition was detected.
-
index
String The Elasticsearch index to be written to.
-
refresh (optional)
Boolean The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.
-
-
-
-
-
Defines properties for connectors when type is .jira.
-
-
-
-
-
Defines properties for connectors when type is .opsgenie.
-
-
apiUrl
String The Opsgenie URL. For example,
https://api.opsgenie.com or
https://api.eu.opsgenie.com. If you are using the
xpack.actions.allowedHosts setting, add the hostname to the allowed hosts.
-
-
-
-
-
Defines properties for connectors when type is .resilient.
-
-
apiUrl
String The IBM Resilient instance URL.
-
orgId
String The IBM Resilient organization ID.
-
-
-
-
-
Defines properties for connectors when type is .servicenow.
-
-
apiUrl
String The ServiceNow instance URL.
-
clientId (optional)
String The client ID assigned to your OAuth application. This property is required when
isOAuth is
true.
-
isOAuth (optional)
Boolean The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
-
jwtKeyId (optional)
String The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when
isOAuth is
true.
-
userIdentifierValue (optional)
String The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is
Email, the user identifier should be the user's email address. This property is required when
isOAuth is
true.
-
usesTableApi (optional)
Boolean Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to
false, the Elastic application should be installed in ServiceNow.
-
-
-
-
-
Defines properties for connectors when type is .servicenow.
-
-
apiUrl
String The ServiceNow instance URL.
-
clientId (optional)
String The client ID assigned to your OAuth application. This property is required when
isOAuth is
true.
-
isOAuth (optional)
Boolean The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
-
jwtKeyId (optional)
String The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when
isOAuth is
true.
-
userIdentifierValue (optional)
String The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is
Email, the user identifier should be the user's email address. This property is required when
isOAuth is
true.
-
-
-
-
-
Defines properties for connectors when type is .swimlane.
-
-
apiUrl
String The Swimlane instance URL.
-
appId
String The Swimlane application ID.
-
connectorType
String The type of connector. Valid values are
all,
alerts, and
cases.
-
-
all
alerts
cases
-
mappings (optional)
-
-
-
-
-
The properties vary depending on the connector type.
-
-
config
-
connector_type_id
-
-
.xmatters
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.cases-webhook
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.email
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.index
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.jira
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.opsgenie
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.pagerduty
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.resilient
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.server-log
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.servicenow
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.servicenow-itom
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.servicenow-sir
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
connector_type_id
-
-
.slack_api
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
connector_type_id
-
-
.slack
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.swimlane
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
connector_type_id
-
-
.teams
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.tines
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.webhook
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
connector_type_id
-
-
.xmatters
-
id
String The identifier for the connector.
-
is_deprecated
Boolean Indicates whether the connector type is deprecated.
-
is_missing_secrets (optional)
Boolean Indicates whether secrets are missing for the connector. Secrets configuration properties vary depending on the connector type.
-
is_preconfigured
Boolean Indicates whether it is a preconfigured connector. If true, the
config and
is_missing_secrets properties are omitted from the response.
-
name
String The display name for the connector.
-
-
-
-
-
The type of connector. For example, .email, .index, .jira, .opsgenie, or .server-log.
-
-
-
-
-
-
The Webhook - Case Management connector uses axios to send POST, PUT, and GET requests to a case management RESTful API web service.
-
-
config
-
connector_type_id
-
-
.cases-webhook
-
name
String The display name for the connector.
-
secrets (optional)
-
-
-
-
-
The email connector uses the SMTP protocol to send mail messages, using an integration of Nodemailer. An exception is Microsoft Exchange, which uses HTTP protocol for sending emails, Send mail. Email message text is sent as both plain text and html text.
-
-
config
-
connector_type_id
-
-
.email
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The generative AI connector uses axios to send a POST request to either OpenAI or Azure OpenAPI.
-
-
config
-
connector_type_id
-
-
.gen-ai
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The index connector indexes a document into Elasticsearch.
-
-
config
-
connector_type_id
-
-
.index
-
name
String The display name for the connector.
-
-
-
-
-
The Jira connector uses the REST API v2 to create Jira issues.
-
-
config
-
connector_type_id
-
-
.jira
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The Opsgenie connector uses the Opsgenie alert API.
-
-
config
-
connector_type_id
-
-
.opsgenie
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The PagerDuty connector uses the v2 Events API to trigger, acknowledge, and resolve PagerDuty alerts.
-
-
config
-
connector_type_id
-
-
.pagerduty
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The IBM Resilient connector uses the RESILIENT REST v2 to create IBM Resilient incidents.
-
-
config
-
connector_type_id
-
-
.resilient
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
This connector writes an entry to the Kibana server log.
-
-
connector_type_id
-
-
.server-log
-
name
String The display name for the connector.
-
-
-
-
-
The ServiceNow ITSM connector uses the import set API to create ServiceNow incidents. You can use the connector for rule actions and cases.
-
-
config
-
connector_type_id
-
-
.servicenow
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The ServiceNow ITOM connector uses the event API to create ServiceNow events. You can use the connector for rule actions.
-
-
config
-
connector_type_id
-
-
.servicenow-itom
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The ServiceNow SecOps connector uses the import set API to create ServiceNow security incidents. You can use the connector for rule actions and cases.
-
-
config
-
connector_type_id
-
-
.servicenow-sir
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The Slack connector uses Slack Incoming Webhooks.
-
-
connector_type_id
-
-
.slack_api
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The Slack connector uses Slack Incoming Webhooks.
-
-
connector_type_id
-
-
.slack
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The Swimlane connector uses the Swimlane REST API to create Swimlane records.
-
-
config
-
connector_type_id
-
-
.swimlane
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The Microsoft Teams connector uses Incoming Webhooks.
-
-
connector_type_id
-
-
.teams
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The Tines connector uses Tines Webhook actions to send events via POST request.
-
-
config
-
connector_type_id
-
-
.tines
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The Webhook connector uses axios to send a POST or PUT request to a web service.
-
-
config
-
connector_type_id
-
-
.webhook
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The xMatters connector uses the xMatters Workflow for Elastic to send actionable alerts to on-call xMatters resources.
-
-
config
-
connector_type_id
-
-
.xmatters
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
The feature that uses the connector. Valid values are alerting, cases, uptime, and siem.
-
-
-
-
-
-
-
-
error (optional)
-
message (optional)
-
statusCode (optional)
-
-
-
-
-
-
-
actionId (optional)
-
data (optional)
-
status (optional)
String The status of the action.
-
-
-
-
-
-
-
connector_id
String The identifier for the connector.
-
data (optional)
-
status
String The status of the action.
-
-
error
ok
-
-
-
-
-
-
Test an action that indexes a document into Elasticsearch.
-
-
-
-
-
Test an action that writes an entry to the Kibana server log.
-
-
level (optional)
String The log level of the message for server log connectors.
-
-
debug
error
fatal
info
trace
warn
-
message
String The message for server log connectors.
-
-
-
-
-
The addEvent subaction for ServiceNow ITOM connectors.
-
-
subAction
-
-
addEvent
-
subActionParams (optional)
-
-
-
-
-
The set of configuration properties for the action.
-
-
additional_info (optional)
String Additional information about the event.
-
description (optional)
String The details about the event.
-
event_class (optional)
String A specific instance of the source.
-
message_key (optional)
String All actions sharing this key are associated with the same ServiceNow alert. The default value is
<rule ID>:<alert instance ID>.
-
metric_name (optional)
String The name of the metric.
-
node (optional)
String The host that the event was triggered for.
-
resource (optional)
String The name of the resource.
-
severity (optional)
String The severity of the event.
-
source (optional)
String The name of the event source type.
-
time_of_event (optional)
-
type (optional)
-
-
-
-
-
The closeAlert subaction for Opsgenie connectors.
-
-
subAction
-
-
closeAlert
-
subActionParams
-
-
-
-
-
-
-
alias
String The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert.
-
note (optional)
String Additional information for the alert.
-
source (optional)
String The display name for the source of the alert.
-
user (optional)
String The display name for the owner.
-
-
-
-
-
The createAlert subaction for Opsgenie connectors.
-
-
subAction
-
-
createAlert
-
subActionParams
-
-
-
-
-
-
-
actions (optional)
-
alias (optional)
String The unique identifier used for alert deduplication in Opsgenie.
-
description (optional)
String A description that provides detailed information about the alert.
-
details (optional)
-
entity (optional)
String The domain of the alert. For example, the application or server name.
-
message
-
note (optional)
String Additional information for the alert.
-
priority (optional)
String The priority level for the alert.
-
-
P1
P2
P3
P4
P5
-
responders (optional)
-
source (optional)
String The display name for the source of the alert.
-
tags (optional)
-
user (optional)
String The display name for the owner.
-
visibleTo (optional)
-
-
-
-
-
-
-
id (optional)
String The identifier for the entity.
-
name (optional)
String The name of the entity.
-
type (optional)
String The type of responders, in this case
escalation.
-
-
escalation
schedule
team
user
-
username (optional)
String A valid email address for the user.
-
-
-
-
-
-
-
id (optional)
String The identifier for the entity.
-
name (optional)
String The name of the entity.
-
type
String Valid values are
team and
user.
-
-
team
user
-
username (optional)
String The user name. This property is required only when the
type is
user.
-
-
-
-
-
The fieldsByIssueType subaction for Jira connectors.
-
-
subAction
-
-
fieldsByIssueType
-
subActionParams
-
-
-
-
-
-
-
id
String The Jira issue type identifier.
-
-
-
-
-
The getChoices subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors.
-
-
subAction
-
-
getChoices
-
subActionParams
-
-
-
-
-
The set of configuration properties for the action.
-
-
-
-
-
The getFields subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
-
-
subAction
-
-
getFields
-
-
-
-
-
The getIncident subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
-
-
subAction
-
-
getIncident
-
subActionParams
-
-
-
-
-
-
-
externalId
String The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier.
-
-
-
-
-
The issue subaction for Jira connectors.
-
-
subAction
-
-
issue
-
subActionParams (optional)
-
-
-
-
-
-
-
id
String The Jira issue identifier.
-
-
-
-
-
The issues subaction for Jira connectors.
-
-
subAction
-
-
issues
-
subActionParams
-
-
-
-
-
-
-
title
String The title of the Jira issue.
-
-
-
-
-
The issueTypes subaction for Jira connectors.
-
-
subAction
-
-
issueTypes
-
-
-
-
-
The pushToService subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, and Swimlane connectors.
-
-
subAction
-
-
pushToService
-
subActionParams
-
-
-
-
-
The set of configuration properties for the action.
-
-
comments (optional)
-
incident (optional)
-
-
-
-
-
-
-
comment (optional)
String A comment related to the incident. For example, describe how to troubleshoot the issue.
-
commentId (optional)
Integer A unique identifier for the comment.
-
-
-
-
-
Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, or Swimlane incident.
-
-
alertId (optional)
String The alert identifier for Swimlane connectors.
-
caseId (optional)
String The case identifier for the incident for Swimlane connectors.
-
caseName (optional)
String The case name for the incident for Swimlane connectors.
-
category (optional)
String The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
-
correlation_display (optional)
String A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors.
-
correlation_id (optional)
String The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as
{{ruleID}}:{{alert ID}} to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of
{{ruleID}}:{{alert ID}} ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.
-
description (optional)
String The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, and Swimlane connectors.
-
dest_ip (optional)
-
externalId (optional)
String The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
-
impact (optional)
String The impact of the incident for ServiceNow ITSM connectors.
-
issueType (optional)
Integer The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set
subAction to
issueTypes.
-
labels (optional)
array[String] The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces.
-
malware_hash (optional)
-
malware_url (optional)
-
parent (optional)
String The ID or key of the parent issue for Jira connectors. Applies only to
Sub-task types of issues.
-
priority (optional)
String The priority of the incident in Jira and ServiceNow SecOps connectors.
-
ruleName (optional)
String The rule name for Swimlane connectors.
-
severity (optional)
String The severity of the incident for ServiceNow ITSM and Swimlane connectors.
-
short_description (optional)
String A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base.
-
source_ip (optional)
-
subcategory (optional)
String The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
-
summary (optional)
String A summary of the incident for Jira connectors.
-
title (optional)
String A title for the incident for Jira connectors. It is used for searching the contents of the knowledge base.
-
urgency (optional)
String The urgency of the incident for ServiceNow ITSM connectors.
-
-
-
-
-
A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
-
-
-
-
-
-
A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident.
-
-
-
-
-
-
A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident.
-
-
-
-
-
-
A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
-
-
-
-
-
-
-
-
password (optional)
String The password for HTTP basic authentication. If
hasAuth is set to
true, this property is required.
-
user (optional)
String The username for HTTP basic authentication. If
hasAuth is set to
true, this property is required.
-
-
-
-
-
Defines secrets for connectors when type is .gen-ai.
-
-
-
-
-
Defines secrets for connectors when type is .jira.
-
-
apiToken
String The Jira API authentication token for HTTP basic authentication.
-
email
String The account email for HTTP Basic authentication.
-
-
-
-
-
Defines secrets for connectors when type is .opsgenie.
-
-
apiKey
String The Opsgenie API authentication key for HTTP Basic authentication.
-
-
-
-
-
Defines secrets for connectors when type is .resilient.
-
-
apiKeyId
String The authentication key ID for HTTP Basic authentication.
-
apiKeySecret
String The authentication key secret for HTTP Basic authentication.
-
-
-
-
-
Defines secrets for connectors when type is .servicenow, .servicenow-sir, or .servicenow-itom.
-
-
clientSecret (optional)
String The client secret assigned to your OAuth application. This property is required when
isOAuth is
true.
-
password (optional)
String The password for HTTP basic authentication. This property is required when
isOAuth is
false.
-
privateKey (optional)
String The RSA private key that you created for use in ServiceNow. This property is required when
isOAuth is
true.
-
privateKeyPassword (optional)
String The password for the RSA private key. This property is required when
isOAuth is
true and you set a password on your private key.
-
username (optional)
String The username for HTTP basic authentication. This property is required when
isOAuth is
false.
-
-
-
-
-
Defines secrets for connectors when type is .slack.
-
-
token
String Slack bot user OAuth token.
-
-
-
-
-
Defines secrets for connectors when type is .slack.
-
-
-
-
-
Defines secrets for connectors when type is .swimlane.
-
-
apiToken (optional)
String Swimlane API authentication token.
-
-
-
-
-
-
-
error (optional)
-
message (optional)
-
statusCode (optional)
-
-
-
-
-
-
-
config
-
name
String The display name for the connector.
-
secrets (optional)
-
-
-
-
-
-
-
config
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
-
-
config
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
-
-
config
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
-
-
name
String The display name for the connector.
-
-
-
-
-
-
-
config
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
-
-
config
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
-
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
-
-
name
String The display name for the connector.
-
secrets
-
-
-
-
-
-
-
config
-
name
String The display name for the connector.
-
secrets
-
-
-
-
Access
-
- - APIKey KeyParamName:ApiKey KeyInQuery:false KeyInHeader:true
- - HTTP Basic Authentication
-
-
-
- [ Jump to
Models ]
-
-
Table of Contents
-
-
-
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule
-
Creates a rule with a randomly generated rule identifier. (createRule)
-
To create a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're creating. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
rule_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}
-
Creates a rule with a specific rule identifier. (createRuleId)
-
To create a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're creating. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
ruleId (required)
-
-
Path Parameter — An UUID v1 or v4 identifier for the rule. If you omit this parameter, an identifier is randomly generated. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
rule_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/alerting/rule/{ruleId}
-
Deletes a rule. (deleteRule)
-
To delete a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're deleting. For example, the Management > Stack Rules feature, Analytics > Discover or Machine Learning features, Observability, or Security features. WARNING: After you delete a rule, you cannot recover it. If the API key that is used by the rule was created automatically, it is deleted.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/_disable
-
Disables a rule. (disableRule)
-
You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/_enable
-
Enables a rule. (enableRule)
-
To enable a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerting/rules/_find
-
Retrieves information about rules. (findRules)
-
You must have read privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rules you're seeking. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. To find rules associated with the Stack Monitoring feature, use the monitoring_user built-in role.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
default_search_operator (optional)
-
-
Query Parameter — The default operator to use for the simple_query_string. default: OR
fields (optional)
-
-
Query Parameter — The fields to return in the attributes key of the response. default: null
filter (optional)
-
-
Query Parameter — A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22. default: null
has_reference (optional)
-
-
Query Parameter — Filters the rules that have a relation with the reference objects with a specific type and identifier. default: null
page (optional)
-
-
Query Parameter — The page number to return. default: 1
per_page (optional)
-
-
Query Parameter — The number of rules to return per page. default: 20
search (optional)
-
-
Query Parameter — An Elasticsearch simple_query_string query that filters the objects in the response. default: null
search_fields (optional)
-
-
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
sort_field (optional)
-
-
Query Parameter — Determines which field is used to sort the results. The field must exist in the attributes key of the response. default: null
sort_order (optional)
-
-
Query Parameter — Determines the sort order. default: desc
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "per_page" : 6,
- "total" : 1,
- "data" : [ {
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
- }, {
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
- } ],
- "page" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
findRules_200_response
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerting/_health
-
Retrieves the health status of the alerting framework. (getAlertingHealth)
-
You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "alerting_framework_health" : {
- "execution_health" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- },
- "read_health" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- },
- "decryption_health" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- }
- },
- "has_permanent_encryption_key" : true,
- "is_sufficiently_secure" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
getAlertingHealth_200_response
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerting/rule/{ruleId}
-
Retrieves a rule by its identifier. (getRule)
-
You must have read privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rules you're seeking. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. To get rules associated with the Stack Monitoring feature, use the monitoring_user built-in role.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
rule_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerting/rule_types
-
Retrieves a list of rule types. (getRuleTypes)
-
If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "recovery_action_group" : {
- "name" : "name",
- "id" : "id"
- },
- "does_set_recovery_context" : true,
- "is_exportable" : true,
- "authorized_consumers" : {
- "alerts" : {
- "all" : true,
- "read" : true
- },
- "discover" : {
- "all" : true,
- "read" : true
- },
- "stackAlerts" : {
- "all" : true,
- "read" : true
- },
- "infrastructure" : {
- "all" : true,
- "read" : true
- },
- "siem" : {
- "all" : true,
- "read" : true
- },
- "monitoring" : {
- "all" : true,
- "read" : true
- },
- "logs" : {
- "all" : true,
- "read" : true
- },
- "apm" : {
- "all" : true,
- "read" : true
- },
- "ml" : {
- "all" : true,
- "read" : true
- },
- "uptime" : {
- "all" : true,
- "read" : true
- }
- },
- "action_groups" : [ {
- "name" : "name",
- "id" : "id"
- }, {
- "name" : "name",
- "id" : "id"
- } ],
- "minimum_license_required" : "basic",
- "action_variables" : {
- "context" : [ {
- "name" : "name",
- "description" : "description",
- "useWithTripleBracesInTemplates" : true
- }, {
- "name" : "name",
- "description" : "description",
- "useWithTripleBracesInTemplates" : true
- } ],
- "state" : [ {
- "name" : "name",
- "description" : "description"
- }, {
- "name" : "name",
- "description" : "description"
- } ],
- "params" : [ {
- "name" : "name",
- "description" : "description"
- }, {
- "name" : "name",
- "description" : "description"
- } ]
- },
- "rule_task_timeout" : "5m",
- "name" : "name",
- "enabled_in_license" : true,
- "producer" : "stackAlerts",
- "id" : "id",
- "default_action_group_id" : "default_action_group_id"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}
-
Create an alert. (legacyCreateAlert)
-
Deprecated in 7.13.0. Use the create rule API instead.
-
-
Path parameters
-
-
alertId (required)
-
-
Path Parameter — An UUID v1 or v4 identifier for the alert. If this parameter is omitted, the identifier is randomly generated. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "alertTypeId" : ".index-threshold",
- "throttle" : "throttle",
- "updatedBy" : "elastic",
- "executionStatus" : {
- "lastExecutionDate" : "2022-12-06T00:13:43.89Z",
- "status" : "ok"
- },
- "params" : {
- "key" : ""
- },
- "enabled" : true,
- "mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
- "tags" : [ "tags", "tags" ],
- "createdAt" : "2022-12-05T23:36:58.284Z",
- "schedule" : {
- "interval" : "interval"
- },
- "notifyWhen" : "onActionGroupChange",
- "createdBy" : "elastic",
- "muteAll" : false,
- "name" : "my alert",
- "scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "actions" : [ "{}", "{}" ],
- "apiKeyOwner" : "elastic",
- "updatedAt" : "2022-12-05T23:36:58.284Z"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
alert_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/_disable
-
Disables an alert. (legacyDisableAlert)
-
Deprecated in 7.13.0. Use the disable rule API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/_enable
-
Enables an alert. (legacyEnableAlert)
-
Deprecated in 7.13.0. Use the enable rule API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerts/alerts/_find
-
Retrieves a paginated set of alerts. (legacyFindAlerts)
-
Deprecated in 7.13.0. Use the find rules API instead. NOTE: Alert params are stored as a flattened field type and analyzed as keywords. As alerts change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
Query parameters
-
-
default_search_operator (optional)
-
-
Query Parameter — The default operator to use for the simple_query_string. default: OR
fields (optional)
-
-
Query Parameter — The fields to return in the attributes key of the response. default: null
filter (optional)
-
-
Query Parameter — A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22. default: null
has_reference (optional)
-
-
Query Parameter — Filters the rules that have a relation with the reference objects with a specific type and identifier. default: null
page (optional)
-
-
Query Parameter — The page number to return. default: 1
per_page (optional)
-
-
Query Parameter — The number of alerts to return per page. default: 20
search (optional)
-
-
Query Parameter — An Elasticsearch simple_query_string query that filters the alerts in the response. default: null
search_fields (optional)
-
-
Query Parameter — The fields to perform the simple_query_string parsed query against. default: null
sort_field (optional)
-
-
Query Parameter — Determines which field is used to sort the results. The field must exist in the attributes key of the response. default: null
sort_order (optional)
-
-
Query Parameter — Determines the sort order. default: desc
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "total" : 1,
- "perPage" : 6,
- "data" : [ {
- "alertTypeId" : ".index-threshold",
- "throttle" : "throttle",
- "updatedBy" : "elastic",
- "executionStatus" : {
- "lastExecutionDate" : "2022-12-06T00:13:43.89Z",
- "status" : "ok"
- },
- "params" : {
- "key" : ""
- },
- "enabled" : true,
- "mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
- "tags" : [ "tags", "tags" ],
- "createdAt" : "2022-12-05T23:36:58.284Z",
- "schedule" : {
- "interval" : "interval"
- },
- "notifyWhen" : "onActionGroupChange",
- "createdBy" : "elastic",
- "muteAll" : false,
- "name" : "my alert",
- "scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "actions" : [ "{}", "{}" ],
- "apiKeyOwner" : "elastic",
- "updatedAt" : "2022-12-05T23:36:58.284Z"
- }, {
- "alertTypeId" : ".index-threshold",
- "throttle" : "throttle",
- "updatedBy" : "elastic",
- "executionStatus" : {
- "lastExecutionDate" : "2022-12-06T00:13:43.89Z",
- "status" : "ok"
- },
- "params" : {
- "key" : ""
- },
- "enabled" : true,
- "mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
- "tags" : [ "tags", "tags" ],
- "createdAt" : "2022-12-05T23:36:58.284Z",
- "schedule" : {
- "interval" : "interval"
- },
- "notifyWhen" : "onActionGroupChange",
- "createdBy" : "elastic",
- "muteAll" : false,
- "name" : "my alert",
- "scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "actions" : [ "{}", "{}" ],
- "apiKeyOwner" : "elastic",
- "updatedAt" : "2022-12-05T23:36:58.284Z"
- } ],
- "page" : 0
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
legacyFindAlerts_200_response
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerts/alert/{alertId}
-
Retrieves an alert by its identifier. (legacyGetAlert)
-
Deprecated in 7.13.0. Use the get rule API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "alertTypeId" : ".index-threshold",
- "throttle" : "throttle",
- "updatedBy" : "elastic",
- "executionStatus" : {
- "lastExecutionDate" : "2022-12-06T00:13:43.89Z",
- "status" : "ok"
- },
- "params" : {
- "key" : ""
- },
- "enabled" : true,
- "mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
- "tags" : [ "tags", "tags" ],
- "createdAt" : "2022-12-05T23:36:58.284Z",
- "schedule" : {
- "interval" : "interval"
- },
- "notifyWhen" : "onActionGroupChange",
- "createdBy" : "elastic",
- "muteAll" : false,
- "name" : "my alert",
- "scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "actions" : [ "{}", "{}" ],
- "apiKeyOwner" : "elastic",
- "updatedAt" : "2022-12-05T23:36:58.284Z"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
alert_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerts/alerts/list_alert_types
-
Retrieves a list of alert types. (legacyGetAlertTypes)
-
Deprecated in 7.13.0. Use the get rule types API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "defaultActionGroupId" : "defaultActionGroupId",
- "isExportable" : true,
- "actionVariables" : {
- "context" : [ {
- "name" : "name",
- "description" : "description"
- }, {
- "name" : "name",
- "description" : "description"
- } ],
- "state" : [ {
- "name" : "name",
- "description" : "description"
- }, {
- "name" : "name",
- "description" : "description"
- } ],
- "params" : [ {
- "name" : "name",
- "description" : "description"
- }, {
- "name" : "name",
- "description" : "description"
- } ]
- },
- "actionGroups" : [ {
- "name" : "name",
- "id" : "id"
- }, {
- "name" : "name",
- "id" : "id"
- } ],
- "name" : "name",
- "producer" : "producer",
- "authorizedConsumers" : "{}",
- "recoveryActionGroup" : {
- "name" : "name",
- "id" : "id"
- },
- "enabledInLicense" : true,
- "id" : "id",
- "minimumLicenseRequired" : "minimumLicenseRequired"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
get /s/{spaceId}/api/alerts/alerts/_health
-
Retrieves the health status of the alerting framework. (legacyGetAlertingHealth)
-
Deprecated in 7.13.0. Use the get alerting framework health API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "hasPermanentEncryptionKey" : true,
- "alertingFrameworkHealth" : {
- "executionHealth" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- },
- "decryptionHealth" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- },
- "readHealth" : {
- "status" : "ok",
- "timestamp" : "2023-01-13T01:28:00.28Z"
- }
- },
- "isSufficientlySecure" : true
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
legacyGetAlertingHealth_200_response
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute
-
Mutes an alert instance. (legacyMuteAlertInstance)
-
Deprecated in 7.13.0. Use the mute alert API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — An identifier for the alert. default: null
alertInstanceId (required)
-
-
Path Parameter — An identifier for the alert instance. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/_mute_all
-
Mutes all alert instances. (legacyMuteAllAlertInstances)
-
Deprecated in 7.13.0. Use the mute all alerts API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute
-
Unmutes an alert instance. (legacyUnmuteAlertInstance)
-
Deprecated in 7.13.0. Use the unmute alert API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — An identifier for the alert. default: null
alertInstanceId (required)
-
-
Path Parameter — An identifier for the alert instance. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerts/alert/{alertId}/_unmute_all
-
Unmutes all alert instances. (legacyUnmuteAllAlertInstances)
-
Deprecated in 7.13.0. Use the unmute all alerts API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
put /s/{spaceId}/api/alerts/alert/{alertId}
-
Updates the attributes for an alert. (legacyUpdateAlert)
-
Deprecated in 7.13.0. Use the update rule API instead.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "alertTypeId" : ".index-threshold",
- "throttle" : "throttle",
- "updatedBy" : "elastic",
- "executionStatus" : {
- "lastExecutionDate" : "2022-12-06T00:13:43.89Z",
- "status" : "ok"
- },
- "params" : {
- "key" : ""
- },
- "enabled" : true,
- "mutedInstanceIds" : [ "mutedInstanceIds", "mutedInstanceIds" ],
- "tags" : [ "tags", "tags" ],
- "createdAt" : "2022-12-05T23:36:58.284Z",
- "schedule" : {
- "interval" : "interval"
- },
- "notifyWhen" : "onActionGroupChange",
- "createdBy" : "elastic",
- "muteAll" : false,
- "name" : "my alert",
- "scheduledTaskId" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "actions" : [ "{}", "{}" ],
- "apiKeyOwner" : "elastic",
- "updatedAt" : "2022-12-05T23:36:58.284Z"
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
alert_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
delete /s/{spaceId}/api/alerts/alert/{alertId}
-
Permanently removes an alert. (legaryDeleteAlert)
-
Deprecated in 7.13.0. Use the delete rule API instead. WARNING: After you delete an alert, you cannot recover it.
-
-
Path parameters
-
-
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
alertId (required)
-
-
Path Parameter — The identifier for the alert. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/alert/{alertId}/_mute
-
Mutes an alert. (muteAlert)
-
You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
-
-
Path parameters
-
-
alertId (required)
-
-
Path Parameter — An identifier for the alert. The identifier is generated by the rule and might be any arbitrary string. default: null
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/_mute_all
-
Mutes all alerts. (muteAllAlerts)
-
This API snoozes the notifications for the rule indefinitely. The rule checks continue to occur but alerts will not trigger any actions. You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/alert/{alertId}/_unmute
-
Unmutes an alert. (unmuteAlert)
-
You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
-
-
Path parameters
-
-
alertId (required)
-
-
Path Parameter — An identifier for the alert. The identifier is generated by the rule and might be any arbitrary string. default: null
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
post /s/{spaceId}/api/alerting/rule/{ruleId}/_unmute_all
-
Unmutes all alerts. (unmuteAllAlerts)
-
If the rule has its notifications snoozed indefinitely, this API cancels the snooze. You must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
-
-
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
204
- Indicates a successful call.
-
-
401
- Authorization information is missing or invalid.
-
401_response
-
-
-
-
-
Up
-
put /s/{spaceId}/api/alerting/rule/{ruleId}
-
Updates the attributes for a rule. (updateRule)
-
To update a rule, you must have all privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rule you're updating. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. If the rule has actions, you must also have read privileges for the Management > Actions and Connectors feature. This API supports both key- and token-based authentication. To use key-based authentication, create an API key in Kibana and use it in the header of the API call. To use token-based authentication, provide a username and password; an API key that matches the current privileges of the user is created automatically. In both cases, the API key is subsequently used for authorization when the rule runs. NOTE: If the API key has different privileges than the key that created or most recently updated the rule, the rule behavior might change. Though some properties are optional, when you update the rule the existing property values are overwritten with default values. Therefore, it is recommended to explicitly set all property values.
-
-
Path parameters
-
-
ruleId (required)
-
-
Path Parameter — An identifier for the rule. default: null
spaceId (required)
-
-
Path Parameter — An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used. default: null
-
-
-
Consumes
- This API call consumes the following media types via the request header:
-
-
-
Request body
-
-
-
-
Body Parameter —
-
-
-
-
Request headers
-
-
kbn-xsrf (required)
-
-
Header Parameter — Cross-site request forgery protection default: null
-
-
-
-
-
-
Return type
-
-
-
-
-
Example data
-
Content-Type: application/json
-
{
- "throttle" : "10m",
- "created_at" : "2022-12-05T23:36:58.284Z",
- "api_key_created_by_user" : false,
- "enabled" : true,
- "running" : true,
- "notify_when" : "notify_when",
- "next_run" : "2022-12-06T00:14:43.818Z",
- "updated_at" : "2022-12-05T23:36:58.284Z",
- "execution_status" : {
- "last_execution_date" : "2022-12-06T00:13:43.89Z",
- "last_duration" : 55,
- "status" : "ok"
- },
- "scheduled_task_id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "id" : "b530fed0-74f5-11ed-9801-35303b735aef",
- "consumer" : "alerts",
- "last_run" : {
- "alerts_count" : {
- "ignored" : 6,
- "new" : 1,
- "recovered" : 5,
- "active" : 0
- },
- "outcome_msg" : [ "outcome_msg", "outcome_msg" ],
- "outcome_order" : 5,
- "warning" : "warning",
- "outcome" : "succeeded"
- },
- "params" : {
- "key" : ""
- },
- "created_by" : "elastic",
- "muted_alert_ids" : [ "muted_alert_ids", "muted_alert_ids" ],
- "rule_type_id" : "monitoring_alert_cluster_health",
- "revision" : 2,
- "tags" : [ "tags", "tags" ],
- "api_key_owner" : "elastic",
- "schedule" : {
- "interval" : "1m"
- },
- "name" : "cluster_health_rule",
- "updated_by" : "elastic",
- "mute_all" : false,
- "actions" : [ {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- }, {
- "alerts_filter" : {
- "timeframe" : {
- "hours" : {
- "start" : "08:00",
- "end" : "17:00"
- },
- "timezone" : "Europe/Madrid",
- "days" : [ 1, 2, 3, 4, 5 ]
- },
- "query" : {
- "kql" : "kql",
- "filters" : [ {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- }, {
- "$state" : "{}",
- "meta" : {
- "field" : "field",
- "controlledBy" : "controlledBy",
- "negate" : true,
- "alias" : "alias",
- "index" : "index",
- "disabled" : true,
- "params" : "{}",
- "type" : "type",
- "value" : "value",
- "isMultiIndex" : true,
- "key" : "key",
- "group" : "group"
- },
- "query" : "{}"
- } ]
- }
- },
- "id" : "9dca3e00-74f5-11ed-9801-35303b735aef",
- "params" : {
- "key" : ""
- },
- "uuid" : "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
- "connector_type_id" : ".server-log",
- "frequency" : {
- "summary" : true,
- "throttle" : "10m",
- "notify_when" : "onActiveAlert"
- },
- "group" : "default"
- } ]
-}
-
-
Produces
- This API call produces the following media types according to the request header;
- the media type will be conveyed by the response header.
-
-
-
Responses
-
200
- Indicates a successful call.
-
rule_response_properties
-
401
- Authorization information is missing or invalid.
-
401_response
-
404
- Object is not found.
-
404_response
-
-
-
-
- [ Jump to
Methods ]
-
-
Table of Contents
-
- 401_response - Unsuccessful rule API response404_response - Count - CountCount_count - Count_criteria - Count_logView - Legacy_create_alert_request_properties - Legacy create alert request propertiesLegacy_create_alert_request_properties_schedule - Legacy_update_alert_request_properties - Legacy update alert request propertiesLegacy_update_alert_request_properties_actions_inner - Legacy_update_alert_request_properties_schedule - Ratio - Ratioactions_inner - actions_inner_alerts_filter - actions_inner_alerts_filter_query - actions_inner_alerts_filter_timeframe - actions_inner_alerts_filter_timeframe_hours - actions_inner_frequency - aggtype - alert_response_properties - Legacy alert response propertiesalert_response_properties_executionStatus - alert_response_properties_schedule - count_criterion - count criterioncreate_anomaly_detection_alert_rule_request - Create anomaly detection rule requestcreate_anomaly_detection_jobs_health_rule_request - Create anomaly detection jobs health rule requestcreate_apm_anomaly_rule_request - Create APM anomaly rule rule requestcreate_apm_error_count_rule_request - Create APM error count rule requestcreate_apm_transaction_duration_rule_request - Create latency threshold rule requestcreate_apm_transaction_error_rate_rule_request - Create APM transaction error rate rule requestcreate_es_query_rule_request - Create Elasticsearch query rule requestcreate_geo_containment_rule_request - Create traacking containment rule requestcreate_index_threshold_rule_request - Create index threshold rule requestcreate_infra_inventory_rule_request - Create infra inventory rule requestcreate_infra_metric_anomaly_rule_request - Create infrastructure anomaly rule requestcreate_infra_metric_threshold_rule_request - Create infra metric threshold rule requestcreate_log_threshold_rule_request - Create log threshold rule requestcreate_monitoring_ccr_exceptions_rule_request - Create CCR read exceptions rule requestcreate_monitoring_cluster_health_rule_request - Create cluster health rule requestcreate_monitoring_cpu_usage_rule_request - Create CPU usage rule requestcreate_monitoring_disk_usage_rule_request - Create disk usage rule requestcreate_monitoring_elasticsearch_version_mismatch_rule_request - Create Elasticsearch version mismatch rule requestcreate_monitoring_jvm_memory_usage_rule_request - Create JVM memory usage rule requestcreate_monitoring_kibana_version_mismatch_rule_request - Create Kibana version mismatch rule requestcreate_monitoring_license_expiration_rule_request - Create license expiration rule requestcreate_monitoring_logstash_version_mismatch_rule_request - Create Logstash version mismatch rule requestcreate_monitoring_missing_data_rule_request - Create missing monitoring data rule requestcreate_monitoring_nodes_changed_rule_request - Create nodes changed rule requestcreate_monitoring_shard_size_rule_request - Create shard size rule requestcreate_monitoring_thread_pool_search_rejections_rule_request - Create thread pool search rejections rule requestcreate_monitoring_thread_pool_write_rejections_rule_request - Create thread pool write rejections rule requestcreate_rule_request - Create rule request body propertiescreate_siem_eql_rule_request - Create event correlation rule requestcreate_siem_indicator_rule_request - Create indicator match rule requestcreate_siem_ml_rule_request - Create machine learning rule requestcreate_siem_new_terms_rule_request - Create new terms rule requestcreate_siem_notifications_rule_request - Create security solution notification (legacy) rule requestcreate_siem_query_rule_request - Create custom query rule requestcreate_siem_saved_query_rule_request - Create saved query rule requestcreate_siem_threshold_rule_request - Create threshold rule requestcreate_slo_burn_rate_rule_request - Create slo burn rate rule requestcreate_synthetics_monitor_status_rule_request - Create synthetics monitor status rule requestcreate_synthetics_uptime_duration_anomaly_rule_request - Create synthetics uptime duration anomaly rule requestcreate_synthetics_uptime_tls_certificate_rule_request - Create TLS certificate rule requestcreate_synthetics_uptime_tls_rule_request - Create synthetics uptime TLS rule requestcreate_transform_health_rule_request - Create transform health rule requestcreate_uptime_monitor_status_rule_request - Create uptime monitor status rule requestcustom_criterion - custom criterioncustom_criterion_customMetric_inner - custom_criterion_customMetric_inner_oneOf - custom_criterion_customMetric_inner_oneOf_1 - filter - filter_meta - findRules_200_response - findRules_has_reference_parameter - findRules_search_fields_parameter - getAlertingHealth_200_response - getAlertingHealth_200_response_alerting_framework_health - getAlertingHealth_200_response_alerting_framework_health_decryption_health - getAlertingHealth_200_response_alerting_framework_health_execution_health - getAlertingHealth_200_response_alerting_framework_health_read_health - getRuleTypes_200_response_inner - getRuleTypes_200_response_inner_action_groups_inner - getRuleTypes_200_response_inner_action_variables - getRuleTypes_200_response_inner_action_variables_context_inner - getRuleTypes_200_response_inner_action_variables_params_inner - getRuleTypes_200_response_inner_authorized_consumers - getRuleTypes_200_response_inner_authorized_consumers_alerts - getRuleTypes_200_response_inner_recovery_action_group - groupby - legacyFindAlerts_200_response - legacyGetAlertTypes_200_response_inner - legacyGetAlertTypes_200_response_inner_actionVariables - legacyGetAlertTypes_200_response_inner_actionVariables_context_inner - legacyGetAlertTypes_200_response_inner_recoveryActionGroup - legacyGetAlertingHealth_200_response - legacyGetAlertingHealth_200_response_alertingFrameworkHealth - legacyGetAlertingHealth_200_response_alertingFrameworkHealth_decryptionHealth - legacyGetAlertingHealth_200_response_alertingFrameworkHealth_executionHealth - legacyGetAlertingHealth_200_response_alertingFrameworkHealth_readHealth - non_count_criterion - non count criterionnotify_when - params_es_query_rule - params_es_query_rule_oneOf - params_es_query_rule_oneOf_1 - params_es_query_rule_oneOf_searchConfiguration - params_es_query_rule_oneOf_searchConfiguration_query - params_index_threshold_rule - params_property_apm_anomaly - params_property_apm_error_count - params_property_apm_transaction_duration - params_property_apm_transaction_error_rate - params_property_infra_inventory - params_property_infra_inventory_criteria_inner - params_property_infra_inventory_criteria_inner_customMetric - params_property_infra_metric_threshold - params_property_infra_metric_threshold_criteria_inner - params_property_log_threshold - params_property_slo_burn_rate - params_property_slo_burn_rate_longWindow - params_property_slo_burn_rate_shortWindow - params_property_synthetics_monitor_status - params_property_synthetics_monitor_status_availability - params_property_synthetics_monitor_status_filters - params_property_synthetics_monitor_status_filters_oneOf - params_property_synthetics_monitor_status_timerange - params_property_synthetics_uptime_tls - rule_response_properties - Rule response propertiesrule_response_properties_execution_status - rule_response_properties_last_run - rule_response_properties_last_run_alerts_count - schedule - thresholdcomparator - timewindowunit - update_rule_request - Update rule request
-
-
-
-
-
-
error (optional)
-
-
Unauthorized
-
message (optional)
-
statusCode (optional)
-
-
401
-
-
-
-
-
-
-
error (optional)
-
-
Not Found
-
message (optional)
-
statusCode (optional)
-
-
404
-
-
-
-
-
-
-
criteria (optional)
-
count
-
timeSize
-
timeUnit
-
-
s
m
h
d
-
logView
-
groupBy (optional)
-
-
-
-
-
-
-
comparator (optional)
-
-
more than
more than or equals
less than
less than or equals
equals
does not equal
matches
does not match
matches phrase
does not match phrase
-
value (optional)
-
-
-
-
-
-
-
field (optional)
-
comparator (optional)
-
-
more than
more than or equals
less than
less than or equals
equals
does not equal
matches
does not match
matches phrase
does not match phrase
-
value (optional)
-
-
-
-
-
-
-
logViewId (optional)
-
type (optional)
-
-
log-view-reference
-
-
-
-
-
-
-
actions (optional)
-
alertTypeId
String The ID of the alert type that you want to call when the alert is scheduled to run.
-
consumer
String The name of the application that owns the alert. This name has to match the Kibana feature name, as that dictates the required role-based access control privileges.
-
enabled (optional)
Boolean Indicates if you want to run the alert on an interval basis after it is created.
-
name
String A name to reference and search.
-
notifyWhen
String The condition for throttling the notification.
-
-
onActionGroupChange
onActiveAlert
onThrottleInterval
-
params
Object The parameters to pass to the alert type executor
params value. This will also validate against the alert type params validator, if defined.
-
schedule
-
tags (optional)
-
throttle (optional)
String How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of
10m or
1h will prevent it from sending 90 notifications during this period.
-
-
-
-
-
The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
-
-
interval (optional)
String The interval format specifies the interval in seconds, minutes, hours or days at which the alert should execute.
-
-
-
-
-
-
-
actions (optional)
-
name
String A name to reference and search.
-
notifyWhen
String The condition for throttling the notification.
-
-
onActionGroupChange
onActiveAlert
onThrottleInterval
-
params
Object The parameters to pass to the alert type executor
params value. This will also validate against the alert type params validator, if defined.
-
schedule
-
tags (optional)
-
throttle (optional)
String How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of
10m or
1h will prevent it from sending 90 notifications during this period.
-
-
-
-
-
-
-
actionTypeId
String The identifier for the action type.
-
group
String Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to
default.
-
id
String The ID of the action saved object to execute.
-
params
Object The map to the
params that the action type will receive.
params are handled as Mustache templates and passed a default set of context.
-
-
-
-
-
The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
-
-
interval (optional)
String The interval format specifies the interval in seconds, minutes, hours or days at which the alert should execute.
-
-
-
-
-
-
-
criteria (optional)
-
count
-
timeSize
-
timeUnit
-
-
s
m
h
d
-
logView
-
groupBy (optional)
-
-
-
-
-
An action that runs under defined conditions.
-
-
alerts_filter (optional)
-
connector_type_id (optional)
String The type of connector. This property appears in responses but cannot be set in requests.
-
frequency (optional)
-
group
String The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to
default.
-
id
String The identifier for the connector saved object.
-
params
map[String, oas_any_type_not_mapped] The parameters for the action, which are sent to the connector. The
params are handled as Mustache templates and passed a default set of context.
-
uuid (optional)
String A universally unique identifier (UUID) for the action.
-
-
-
-
-
Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
-
-
query (optional)
-
timeframe (optional)
-
-
-
-
-
Defines a query filter that determines whether the action runs.
-
-
kql (optional)
String A filter written in Kibana Query Language (KQL).
-
filters (optional)
-
-
-
-
-
Defines a period that limits whether the action runs.
-
-
days (optional)
array[Integer] Defines the days of the week that the action can run, represented as an array of numbers. For example,
1 represents Monday. An empty array is equivalent to specifying all the days of the week.
-
hours (optional)
-
timezone (optional)
String The ISO time zone for the
hours values. Values such as
UTC and
UTC+1 also work but lack built-in daylight savings time support and are not recommended.
-
-
-
-
-
Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.
-
-
end (optional)
String The end of the time frame in 24-hour notation (
hh:mm).
-
start (optional)
String The start of the time frame in 24-hour notation (
hh:mm).
-
-
-
-
-
The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.
-
-
notify_when
-
summary
Boolean Indicates whether the action is a summary.
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
The type of aggregation to perform.
-
-
-
-
-
-
-
-
actions (optional)
-
alertTypeId (optional)
-
apiKeyOwner (optional)
-
createdAt (optional)
Date The date and time that the alert was created. format: date-time
-
createdBy (optional)
String The identifier for the user that created the alert.
-
enabled (optional)
Boolean Indicates whether the alert is currently enabled.
-
executionStatus (optional)
-
id (optional)
String The identifier for the alert.
-
muteAll (optional)
-
mutedInstanceIds (optional)
-
name (optional)
-
notifyWhen (optional)
-
params (optional)
-
schedule (optional)
-
scheduledTaskId (optional)
-
tags (optional)
-
throttle (optional)
-
updatedAt (optional)
-
updatedBy (optional)
String The identifier for the user that updated this alert most recently.
-
-
-
-
-
-
-
lastExecutionDate (optional)
-
status (optional)
-
-
-
-
-
-
-
-
threshold (optional)
-
comparator (optional)
-
-
<
<=
>
>=
between
outside
-
timeUnit (optional)
-
timeSize (optional)
-
warningThreshold (optional)
-
warningComparator (optional)
-
-
<
<=
>
>=
between
outside
-
aggType (optional)
-
-
count
-
-
-
-
-
A rule that checks if the anomaly detection job results contain anomalies that match the rule conditions.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.ml.anomaly_detection_alert
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
An rule that monitors job health and alerts if an operational issue occurred that may prevent the job from detecting anomalies.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.ml.anomaly_detection_jobs_health
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when either the latency, throughput, or failed transaction rate of a service is anomalous.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
apm.anomaly
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the number of errors in a service exceeds a defined threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
apm.error_rate
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the latency of a specific transaction type in a service exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
apm.transaction_duration
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that sends notifications when the rate of transaction errors in a service exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
apm.transaction_error_rate
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that runs a user-configured query, compares the number of matches to a configured threshold, and schedules actions to run when the threshold condition is met.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
.es-query
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that runs an Elasticsearch query over indices to determine whether any documents are currently contained within any boundaries from the specified boundary index. In the event that an entity is contained within a boundary, an alert may be generated.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
.geo-containment
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
.index-threshold
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that sends notifications when a metric has reached or exceeded a value for a specific resource or a group of resources within your infrastructure.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
metrics.alert.inventory.threshold
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
metrics.alert.anomaly
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that sends notifications when a metric has reached or exceeded a value for a specific time period.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
metrics.alert.threshold
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when a log aggregation exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
logs.alert.document.count
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects cross-cluster replication (CCR) read exceptions.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_ccr_read_exceptions
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the health of the cluster changes.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_cluster_health
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the CPU load for a node is consistently high.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_cpu_usage
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the disk usage for a node is consistently high.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_disk_usage
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the cluster has multipe versions of Elasticsearch.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_elasticsearch_version_mismatch
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when a node reports high memory usage.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_jvm_memory_usage
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the cluster has multiple versions of Kibana.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_kibana_version_mismatch
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the cluster license is about to expire.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_license_expiration
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the cluster has multiple versions of Logstash.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_logstash_version_mismatch
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when monitoring data is missing.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_missing_monitoring_data
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when nodes are added, removed, or restarted.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_nodes_changed
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the average shard size is larger than a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_shard_size
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the number of rejections in the thread pool exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_thread_pool_search_rejections
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the number of rejections in the write thread pool exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
monitoring_alert_thread_pool_write_rejections
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
The properties vary depending on the rule type.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.uptime.alerts.monitorStatus
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that uses Event Query Language (EQL) to match events, generate sequences, and stack data.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.eqlRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that uses indicators from intelligence sources to detect matching events and alerts.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.indicatorRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when a machine learning job discovers an anomaly above the defined threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.mlRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that finds documents with values that appear for the first time.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.newTermsRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.notifications
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that uses KQL or Lucene to detect issues across indices.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.queryRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that searches the defined indices and creates an alert when a document matches the saved search.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.savedQueryRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that aggregates query results to detect when the number of matches exceeds a threshold.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
siem.thresholdRule
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when the burn rate is above a defined threshold for two different lookback periods. The two periods are a long period and a short period that is 1/12th of the long period. For each lookback period, the burn rate is computed as the error rate divided by the error budget. When the burn rates for both periods surpass the threshold, an alert occurs.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
slo.rules.burnRate
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when a monitor is down or an availability threshold is breached.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.synthetics.alerts.monitorStatus
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects response durations for all of the geographic locations of each monitor. When a monitor runs for an unusual amount of time, at a particular time, an anomaly is recorded.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.uptime.alerts.durationAnomaly
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects when a monitor has a TLS certificate expiring or when it exceeds an age limit.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.uptime.alerts.tlsCertificate
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.uptime.alerts.tls
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that monitors transforms health and alerts if an operational issue occurred.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
transform_health
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
A rule that detects monitor errors and outages.
-
-
actions (optional)
-
consumer
String The name of the application or feature that owns the rule. For example:
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
enabled (optional)
Boolean Indicates whether you want to run the rule on an interval basis after it is created.
-
name
String The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when (optional)
-
params
-
rule_type_id
String The ID of the rule type that you want to call when the rule is scheduled to run.
-
-
xpack.uptime.alerts.monitorStatus
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
-
-
threshold (optional)
-
comparator (optional)
-
-
<
<=
>
>=
between
outside
-
timeUnit (optional)
-
timeSize (optional)
-
warningThreshold (optional)
-
warningComparator (optional)
-
-
<
<=
>
>=
between
outside
-
aggType (optional)
-
-
custom
-
customMetric (optional)
-
equation (optional)
-
label (optional)
-
-
-
-
-
-
-
name (optional)
-
aggType (optional)
-
-
count
-
field (optional)
-
filter (optional)
-
-
-
-
-
-
-
name (optional)
-
aggType (optional)
-
-
avg
sum
max
min
cardinality
-
field (optional)
-
-
-
-
-
-
-
name (optional)
-
aggType (optional)
-
-
count
-
filter (optional)
-
-
-
-
-
A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
-
-
meta (optional)
-
query (optional)
-
Dollarstate (optional)
-
-
-
-
-
-
-
alias (optional)
-
controlledBy (optional)
-
disabled (optional)
-
field (optional)
-
group (optional)
-
index (optional)
-
isMultiIndex (optional)
-
key (optional)
-
negate (optional)
-
params (optional)
-
type (optional)
-
value (optional)
-
-
-
-
-
-
-
data (optional)
-
page (optional)
-
per_page (optional)
-
total (optional)
-
-
-
-
-
-
-
id (optional)
-
type (optional)
-
-
-
-
-
-
-
-
alerting_framework_health (optional)
-
has_permanent_encryption_key (optional)
Boolean If
false, the encrypted saved object plugin does not have a permanent encryption key.
-
is_sufficiently_secure (optional)
Boolean If
false, security is enabled but TLS is not.
-
-
-
-
-
Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.
-
-
decryption_health (optional)
-
execution_health (optional)
-
read_health (optional)
-
-
-
-
-
The timestamp and status of the rule decryption.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
The timestamp and status of the rule run.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
The timestamp and status of the rule reading events.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
-
-
action_groups (optional)
-
action_variables (optional)
-
authorized_consumers (optional)
-
default_action_group_id (optional)
String The default identifier for the rule type group.
-
does_set_recovery_context (optional)
Boolean Indicates whether the rule passes context variables to its recovery action.
-
enabled_in_license (optional)
Boolean Indicates whether the rule type is enabled or disabled based on the subscription.
-
id (optional)
String The unique identifier for the rule type.
-
is_exportable (optional)
Boolean Indicates whether the rule type is exportable in
Stack Management > Saved Objects.
-
minimum_license_required (optional)
String The subscriptions required to use the rule type.
-
name (optional)
String The descriptive name of the rule type.
-
producer (optional)
String An identifier for the application that produces this rule type.
-
recovery_action_group (optional)
-
rule_task_timeout (optional)
-
-
-
-
-
-
-
id (optional)
-
name (optional)
-
-
-
-
-
A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.
-
-
context (optional)
-
params (optional)
-
state (optional)
-
-
-
-
-
-
-
name (optional)
-
description (optional)
-
useWithTripleBracesInTemplates (optional)
-
-
-
-
-
-
-
description (optional)
-
name (optional)
-
-
-
-
-
The list of the plugins IDs that have access to the rule type.
-
-
alerts (optional)
-
apm (optional)
-
discover (optional)
-
infrastructure (optional)
-
logs (optional)
-
ml (optional)
-
monitoring (optional)
-
siem (optional)
-
stackAlerts (optional)
-
uptime (optional)
-
-
-
-
-
-
-
all (optional)
-
read (optional)
-
-
-
-
-
An action group to use when an alert goes from an active state to an inactive one.
-
-
id (optional)
-
name (optional)
-
-
-
-
-
Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.
-
-
-
-
-
-
-
-
data (optional)
-
page (optional)
-
perPage (optional)
-
total (optional)
-
-
-
-
-
-
-
actionGroups (optional)
-
actionVariables (optional)
-
authorizedConsumers (optional)
Object The list of the plugins IDs that have access to the alert type.
-
defaultActionGroupId (optional)
String The default identifier for the alert type group.
-
enabledInLicense (optional)
Boolean Indicates whether the rule type is enabled based on the subscription.
-
id (optional)
String The unique identifier for the alert type.
-
isExportable (optional)
Boolean Indicates whether the alert type is exportable in Saved Objects Management UI.
-
minimumLicenseRequired (optional)
String The subscriptions required to use the alert type.
-
name (optional)
String The descriptive name of the alert type.
-
producer (optional)
String An identifier for the application that produces this alert type.
-
recoveryActionGroup (optional)
-
-
-
-
-
A list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors.
-
-
context (optional)
-
params (optional)
-
state (optional)
-
-
-
-
-
-
-
name (optional)
-
description (optional)
-
-
-
-
-
An action group to use when an alert instance goes from an active state to an inactive one. If it is not specified, the default recovered action group is used.
-
-
id (optional)
-
name (optional)
-
-
-
-
-
-
-
alertingFrameworkHealth (optional)
-
hasPermanentEncryptionKey (optional)
Boolean If
false, the encrypted saved object plugin does not have a permanent encryption key.
-
isSufficientlySecure (optional)
Boolean If
false, security is enabled but TLS is not.
-
-
-
-
-
Three substates identify the health of the alerting framework: decryptionHealth, executionHealth, and readHealth.
-
-
decryptionHealth (optional)
-
executionHealth (optional)
-
readHealth (optional)
-
-
-
-
-
The timestamp and status of the alert decryption.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
The timestamp and status of the alert execution.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
The timestamp and status of the alert reading events.
-
-
status (optional)
-
-
error
ok
warn
-
timestamp (optional)
-
-
-
-
-
-
-
threshold (optional)
-
comparator (optional)
-
-
<
<=
>
>=
between
outside
-
timeUnit (optional)
-
timeSize (optional)
-
warningThreshold (optional)
-
warningComparator (optional)
-
-
<
<=
>
>=
between
outside
-
metric (optional)
-
aggType (optional)
-
-
avg
max
min
cardinality
rate
count
sum
p95
p99
custom
-
-
-
-
-
Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-
-
-
-
-
-
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when
aggType is
avg,
max,
min or
sum.
-
aggType (optional)
-
excludeHitsFromPreviousRun (optional)
Boolean Indicates whether to exclude matches from previous runs. If
true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
-
groupBy (optional)
-
searchConfiguration (optional)
-
searchType
String The type of query, in this case a query that uses Elasticsearch Query DSL.
-
-
esQuery
-
size
Integer The number of documents to pass to the configured actions when the threshold condition is met.
-
termField (optional)
String This property is required when
groupBy is
top. The name of the field that is used for grouping the aggregation.
-
termSize (optional)
Integer This property is required when
groupBy is
top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
-
threshold
array[Integer] The threshold value that is used with the
thresholdComparator. If the
thresholdComparator is
between or
notBetween, you must specify the boundary values.
-
thresholdComparator
-
timeField
String The field that is used to calculate the time window.
-
timeWindowSize
Integer The size of the time window (in
timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
-
timeWindowUnit
-
esQuery
String The query definition, which uses Elasticsearch Query DSL.
-
index
oneOf The indices to query.
-
-
-
-
-
The parameters for an Elasticsearch query rule that uses KQL or Lucene to define the query.
-
-
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when
aggType is
avg,
max,
min or
sum.
-
aggType (optional)
-
excludeHitsFromPreviousRun (optional)
Boolean Indicates whether to exclude matches from previous runs. If
true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
-
groupBy (optional)
-
searchConfiguration (optional)
-
searchType
String The type of query, in this case a text-based query that uses KQL or Lucene.
-
-
searchSource
-
size
Integer The number of documents to pass to the configured actions when the threshold condition is met.
-
termField (optional)
String This property is required when
groupBy is
top. The name of the field that is used for grouping the aggregation.
-
termSize (optional)
Integer This property is required when
groupBy is
top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
-
threshold
array[Integer] The threshold value that is used with the
thresholdComparator. If the
thresholdComparator is
between or
notBetween, you must specify the boundary values.
-
thresholdComparator
-
timeField (optional)
String The field that is used to calculate the time window.
-
timeWindowSize
Integer The size of the time window (in
timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
-
timeWindowUnit
-
-
-
-
-
The parameters for an Elasticsearch query rule that uses Elasticsearch Query DSL to define the query.
-
-
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when
aggType is
avg,
max,
min or
sum.
-
aggType (optional)
-
esQuery
String The query definition, which uses Elasticsearch Query DSL.
-
excludeHitsFromPreviousRun (optional)
Boolean Indicates whether to exclude matches from previous runs. If
true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
-
groupBy (optional)
-
index
oneOf The indices to query.
-
searchType (optional)
String The type of query, in this case a query that uses Elasticsearch Query DSL.
-
-
esQuery
-
size (optional)
Integer The number of documents to pass to the configured actions when the threshold condition is met.
-
termField (optional)
String This property is required when
groupBy is
top. The name of the field that is used for grouping the aggregation.
-
termSize (optional)
Integer This property is required when
groupBy is
top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
-
threshold
array[Integer] The threshold value that is used with the
thresholdComparator. If the
thresholdComparator is
between or
notBetween, you must specify the boundary values.
-
thresholdComparator
-
timeField
String The field that is used to calculate the time window.
-
timeWindowSize
Integer The size of the time window (in
timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
-
timeWindowUnit
-
-
-
-
-
The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
-
-
filter (optional)
-
index (optional)
oneOf The indices to query.
-
query (optional)
-
-
-
-
-
-
-
language (optional)
-
query (optional)
-
-
-
-
-
The parameters for an index threshold rule.
-
-
aggField (optional)
String The name of the numeric field that is used in the aggregation. This property is required when
aggType is
avg,
max,
min or
sum.
-
aggType (optional)
-
filterKuery (optional)
String A KQL expression thats limits the scope of alerts.
-
groupBy (optional)
-
index
-
termField (optional)
String This property is required when
groupBy is
top. The name of the field that is used for grouping the aggregation.
-
termSize (optional)
Integer This property is required when
groupBy is
top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
-
threshold
array[Integer] The threshold value that is used with the
thresholdComparator. If the
thresholdComparator is
between or
notBetween, you must specify the boundary values.
-
thresholdComparator
-
timeField
String The field that is used to calculate the time window.
-
timeWindowSize
Integer The size of the time window (in
timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
-
timeWindowUnit
-
-
-
-
-
-
-
serviceName (optional)
String The service name from APM
-
transactionType (optional)
String The transaction type from APM
-
windowSize
-
windowUnit
-
-
m
h
d
-
environment
String The environment from APM
-
anomalySeverityType
String The anomaly threshold value
-
-
critical
major
minor
warning
-
-
-
-
-
-
-
serviceName (optional)
String The service name from APM
-
windowSize
-
windowUnit
-
-
m
h
d
-
environment
String The environment from APM
-
threshold
-
groupBy (optional)
-
-
-
errorGroupingKey (optional)
-
-
-
-
-
-
-
serviceName (optional)
String The service name from APM
-
transactionType (optional)
String The transaction type from APM
-
transactionName (optional)
String The transaction name from APM
-
windowSize
-
windowUnit
-
-
m
h
d
-
environment
-
threshold
-
groupBy (optional)
-
-
-
aggregationType
-
-
avg
95th
99th
-
-
-
-
-
-
-
serviceName (optional)
String The service name from APM
-
transactionType (optional)
String The transaction type from APM
-
transactionName (optional)
String The transaction name from APM
-
windowSize
-
windowUnit
-
-
m
h
d
-
environment
String The environment from APM
-
threshold
-
groupBy (optional)
-
-
-
-
-
-
-
-
-
criteria (optional)
-
filterQuery (optional)
-
filterQueryText (optional)
-
nodeType (optional)
-
-
host
pod
container
awsEC2
awsS3
awsSQS
awsRDS
-
sourceId (optional)
-
alertOnNoData (optional)
-
-
-
-
-
-
-
metric (optional)
-
-
count
cpu
diskLatency
load
memory
memoryTotal
tx
rx
logRate
diskIOReadBytes
diskIOWriteBytes
s3TotalRequests
s3NumberOfObjects
s3BucketSize
s3DownloadBytes
s3UploadBytes
rdsConnections
rdsQueriesExecuted
rdsActiveTransactions
rdsLatency
sqsMessagesVisible
sqsMessagesDelayed
sqsMessagesSent
sqsMessagesEmpty
sqsOldestMessage
custom
-
timeSize (optional)
-
timeUnit (optional)
-
-
s
m
h
d
-
sourceId (optional)
-
threshold (optional)
-
comparator (optional)
-
-
<
<=
>
>=
between
outside
-
customMetric (optional)
-
warningThreshold (optional)
-
warningComparator (optional)
-
-
<
<=
>
>=
between
outside
-
-
-
-
-
-
-
type (optional)
-
-
custom
-
field (optional)
-
aggregation (optional)
-
-
avg
max
min
rate
-
id (optional)
-
label (optional)
-
-
-
-
-
-
-
criteria (optional)
-
groupBy (optional)
-
filterQuery (optional)
-
sourceId (optional)
-
alertOnNoData (optional)
-
alertOnGroupDisappear (optional)
-
-
-
-
-
-
-
threshold (optional)
-
comparator (optional)
-
-
<
<=
>
>=
between
outside
-
timeUnit (optional)
-
timeSize (optional)
-
warningThreshold (optional)
-
warningComparator (optional)
-
-
<
<=
>
>=
between
outside
-
metric (optional)
-
aggType (optional)
-
-
custom
-
customMetric (optional)
-
equation (optional)
-
label (optional)
-
-
-
-
-
-
-
criteria (optional)
-
count
-
timeSize
-
timeUnit
-
-
s
m
h
d
-
logView
-
groupBy (optional)
-
-
-
-
-
-
-
sloId (optional)
String The SLO identifier used by the rule
-
burnRateThreshold (optional)
BigDecimal The burn rate threshold used to trigger the alert
-
maxBurnRateThreshold (optional)
BigDecimal The maximum burn rate threshold value defined by the SLO error budget
-
longWindow (optional)
-
shortWindow (optional)
-
-
-
-
-
The duration of the long window used to compute the burn rate
-
-
value (optional)
-
unit (optional)
-
-
-
-
-
The duration of the short window used to compute the burn rate
-
-
value (optional)
-
unit (optional)
-
-
-
-
-
-
-
availability (optional)
-
filters (optional)
-
locations (optional)
-
numTimes
-
search (optional)
-
shouldCheckStatus
-
shouldCheckAvailability
-
timerangeCount (optional)
-
timerangeUnit (optional)
-
timerange (optional)
-
version (optional)
-
isAutoGenerated (optional)
-
-
-
-
-
-
-
range (optional)
-
rangeUnit (optional)
-
threshold (optional)
-
-
-
-
-
-
-
monitorPeriodtype (optional)
-
observerPeriodgeoPeriodname (optional)
-
tags (optional)
-
urlPeriodport (optional)
-
-
-
-
-
-
-
monitorPeriodtype (optional)
-
observerPeriodgeoPeriodname (optional)
-
tags (optional)
-
urlPeriodport (optional)
-
-
-
-
-
-
-
from (optional)
-
to (optional)
-
-
-
-
-
-
-
search (optional)
-
certExpirationThreshold (optional)
-
certAgeThreshold (optional)
-
-
-
-
-
-
-
actions
-
api_key_created_by_user (optional)
Boolean Indicates whether the API key that is associated with the rule was created by the user.
-
api_key_owner
String The owner of the API key that is associated with the rule and used to run background tasks.
-
consumer
String The application or feature that owns the rule. For example,
alerts,
apm,
discover,
infrastructure,
logs,
metrics,
ml,
monitoring,
securitySolution,
siem,
stackAlerts, or
uptime.
-
created_at
Date The date and time that the rule was created. format: date-time
-
created_by
String The identifier for the user that created the rule.
-
enabled
Boolean Indicates whether the rule is currently enabled.
-
execution_status
-
id
String The identifier for the rule.
-
last_run (optional)
-
muted_alert_ids
-
mute_all
-
name
-
next_run (optional)
-
notify_when (optional)
String Indicates how often alerts generate actions.
-
params
-
revision (optional)
-
rule_type_id
String The identifier for the type of rule. For example,
.es-query,
.index-threshold,
logs.alert.document.count,
monitoring_alert_cluster_health,
siem.thresholdRule, or
xpack.ml.anomaly_detection_alert.
-
running (optional)
Boolean Indicates whether the rule is running.
-
schedule
-
scheduled_task_id (optional)
-
tags
-
throttle
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
updated_at
String The date and time that the rule was updated most recently.
-
updated_by
String The identifier for the user that updated this rule most recently.
-
-
-
-
-
-
-
last_duration (optional)
-
last_execution_date (optional)
-
status (optional)
-
-
-
-
-
-
-
alerts_count (optional)
-
outcome (optional)
-
outcome_msg (optional)
-
outcome_order (optional)
-
warning (optional)
-
-
-
-
-
-
-
active (optional)
-
ignored (optional)
-
new (optional)
-
recovered (optional)
-
-
-
-
-
The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.
-
-
-
-
-
The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".
-
-
-
-
-
-
The type of units for the time window: seconds, minutes, hours, or days.
-
-
-
-
-
-
The update rule API request body varies depending on the type of rule and actions.
-
-
actions (optional)
-
name
-
notify_when (optional)
-
params
-
schedule
-
tags (optional)
-
throttle (optional)
String The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if
notify_when is set to
onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
-
-
-