diff --git a/oas_docs/kibana.info.serverless.yaml b/oas_docs/kibana.info.serverless.yaml deleted file mode 100644 index b2f451373e7a1..0000000000000 --- a/oas_docs/kibana.info.serverless.yaml +++ /dev/null @@ -1,51 +0,0 @@ -openapi: 3.0.3 -info: - title: Kibana Serverless APIs - description: | - **Technical preview** - This functionality is in technical preview and may be changed or removed in a future release. - Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. - - The Kibana REST APIs for Elastic serverless enable you to manage resources - such as connectors, data views, and saved objects. The API calls are - stateless. Each request that you make happens in isolation from other calls - and must include all of the necessary information for Kibana to fulfill the - request. API requests return JSON output, which is a format that is - machine-readable and works well for automation. - - To interact with Kibana APIs, use the following operations: - - - GET: Fetches the information. - - POST: Adds new information. - - PUT: Updates the existing information. - - DELETE: Removes the information. - - You can prepend any Kibana API endpoint with `kbn:` and run the request in - **Dev Tools → Console**. For example: - - ``` - GET kbn:/api/data_views - ``` - - ## Documentation source and versions - - This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository. - It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). - version: "1.0.2" - x-doc-license: - name: Attribution-NonCommercial-NoDerivatives 4.0 International - url: https://creativecommons.org/licenses/by-nc-nd/4.0/ - contact: - name: Kibana Team - x-feedbackLink: - label: Feedback - url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ -security: - - apiKeyAuth: [] -components: - securitySchemes: - apiKeyAuth: - type: apiKey - in: header - name: Authorization - description: You must create an API key and use the encoded value in the request header. To learn about creating keys, go to [API keys](https://www.elastic.co/docs/current/serverless/api-keys). diff --git a/oas_docs/kibana.info.yaml b/oas_docs/kibana.info.yaml index aa4119df7f61d..b2bd80ae2c688 100644 --- a/oas_docs/kibana.info.yaml +++ b/oas_docs/kibana.info.yaml @@ -29,7 +29,7 @@ info: ## Documentation source and versions - This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository. + This documentation is derived from the `8.16` branch of the [kibana](https://github.com/elastic/kibana) repository. It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). version: '1.0.2' x-doc-license: diff --git a/oas_docs/makefile b/oas_docs/makefile index 52b381ee33f63..f0f58b5e61747 100644 --- a/oas_docs/makefile +++ b/oas_docs/makefile @@ -30,7 +30,7 @@ api-docs-lint-stateful: ## Run redocly API docs linter on kibana.yaml @npx @redocly/cli lint "output/kibana.yaml" --config "linters/redocly.yaml" --format stylish --max-problems 500 .PHONY: api-docs-overlay -api-docs-overlay: ## Run spectral API docs linter on kibana.serverless.yaml +api-docs-overlay: ## Run spectral API docs linter on kibana.yaml @npx bump overlay "output/kibana.yaml" "overlays/kibana.overlays.yaml" > "output/kibana.tmp1.yaml" @npx bump overlay "output/kibana.tmp1.yaml" "overlays/alerting.overlays.yaml" > "output/kibana.tmp2.yaml" @npx bump overlay "output/kibana.tmp2.yaml" "overlays/connectors.overlays.yaml" > "output/kibana.tmp3.yaml" @@ -39,11 +39,11 @@ api-docs-overlay: ## Run spectral API docs linter on kibana.serverless.yaml rm output/kibana.tmp*.yaml .PHONY: api-docs-preview -api-docs-preview: ## Generate a preview for kibana.yaml and kibana.serverless.yaml +api-docs-preview: ## Generate a preview for kibana.yaml @npx bump preview "output/kibana.yaml" .PHONY: api-docs-overlay-preview -api-docs-overlay-preview: ## Generate a preview for kibana.new.yaml and kibana.serverless.new.yaml +api-docs-overlay-preview: ## Generate a preview for kibana.new.yaml @npx bump preview "output/kibana.new.yaml" help: ## Display help diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml deleted file mode 100644 index d5dc0dd30e8b8..0000000000000 --- a/oas_docs/output/kibana.serverless.yaml +++ /dev/null @@ -1,27965 +0,0 @@ -openapi: 3.0.3 -info: - contact: - name: Kibana Team - description: > - **Technical preview** - - This functionality is in technical preview and may be changed or removed in - a future release. - - Elastic will work to fix any issues, but features in technical preview are - not subject to the support SLA of official GA features. - - - The Kibana REST APIs for Elastic serverless enable you to manage resources - - such as connectors, data views, and saved objects. The API calls are - - stateless. Each request that you make happens in isolation from other calls - - and must include all of the necessary information for Kibana to fulfill the - - request. API requests return JSON output, which is a format that is - - machine-readable and works well for automation. - - - To interact with Kibana APIs, use the following operations: - - - - GET: Fetches the information. - - - POST: Adds new information. - - - PUT: Updates the existing information. - - - DELETE: Removes the information. - - - You can prepend any Kibana API endpoint with `kbn:` and run the request in - - **Dev Tools → Console**. For example: - - - ``` - - GET kbn:/api/data_views - - ``` - - - ## Documentation source and versions - - - This documentation is derived from the `main` branch of the - [kibana](https://github.com/elastic/kibana) repository. - - It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 - International](https://creativecommons.org/licenses/by-nc-nd/4.0/). - title: Kibana Serverless APIs - version: 1.0.2 - x-doc-license: - name: Attribution-NonCommercial-NoDerivatives 4.0 International - url: 'https://creativecommons.org/licenses/by-nc-nd/4.0/' - x-feedbackLink: - label: Feedback - url: >- - https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ -servers: - - url: 'http://{kibana_host}:{port}' - variables: - kibana_host: - default: localhost - port: - default: '5601' - - url: 'https://{kibana_url}' - variables: - kibana_url: - default: 'localhost:5601' - - url: / - - url: 'http://KIBANA_HOST:5601' - - description: local - url: 'http://localhost:5601' -paths: - /api/apm/agent_keys: - post: - description: Create a new agent key for APM. - operationId: createAgentKey - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - name: - type: string - privileges: - items: - enum: - - 'event:write' - - 'config_agent:read' - type: string - type: array - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - api_key: - type: string - encoded: - type: string - expiration: - format: int64 - type: integer - id: - type: string - name: - type: string - description: Agent key created successfully - summary: Create an APM agent key - tags: - - APM agent keys - '/api/apm/services/{serviceName}/annotation': - post: - description: Create a new annotation for a specific service. - operationId: createAnnotation - parameters: - - description: The name of the service - in: path - name: serviceName - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - '@timestamp': - type: string - message: - type: string - service: - type: object - properties: - environment: - type: string - version: - type: string - tags: - items: - type: string - type: array - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _id: - type: string - _index: - type: string - _source: - type: object - properties: - '@timestamp': - type: string - annotation: - type: string - event: - type: object - properties: - created: - type: string - message: - type: string - service: - type: object - properties: - environment: - type: string - name: - type: string - version: - type: string - tags: - items: - type: string - type: array - description: Annotation created successfully - summary: Create a service annotation - tags: - - APM annotations - '/api/apm/services/{serviceName}/annotation/search': - get: - description: Search for annotations related to a specific service. - operationId: getAnnotation - parameters: - - description: The name of the service - in: path - name: serviceName - required: true - schema: - type: string - - description: The environment to filter annotations by - in: query - name: environment - required: false - schema: - type: string - - description: The start date for the search - in: query - name: start - required: false - schema: - type: string - - description: The end date for the search - in: query - name: end - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - annotations: - items: - type: object - properties: - '@timestamp': - type: number - id: - type: string - text: - type: string - type: - enum: - - version - type: string - type: array - description: Successful response - summary: Search for annotations - tags: - - APM annotations - /api/asset_criticality: - delete: - description: Delete the asset criticality record for a specific asset if it exists. - operationId: DeleteAssetCriticalityRecord - parameters: - - description: The ID value of the asset. - in: query - name: id_value - required: true - schema: - type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - - description: If 'wait_for' the request will wait for the index refresh. - in: query - name: refresh - required: false - schema: - enum: - - wait_for - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - deleted: - description: >- - True if the record was deleted or false if the record did - not exist. - type: boolean - record: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: The deleted record if it existed. - required: - - deleted - description: Successful response - '400': - description: Invalid request - summary: Delete Criticality Record - tags: - - Security Entity Analytics API - get: - description: Get the criticality record for a specific asset. - operationId: GetAssetCriticalityRecord - parameters: - - description: The ID value of the asset. - in: query - name: id_value - required: true - schema: - type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - '404': - description: Criticality record not found - summary: Get Criticality Record - tags: - - Security Entity Analytics API - post: - description: Create or update a criticality record for a specific asset. - operationId: CreateAssetCriticalityRecord - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - type: object - properties: - refresh: - description: >- - If 'wait_for' the request will wait for the index - refresh. - enum: - - wait_for - type: string - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - summary: Upsert Criticality Record - tags: - - Security Entity Analytics API - /api/asset_criticality/bulk: - post: - description: >- - Bulk upsert up to 1000 asset criticality records, creating or updating - them as needed. - operationId: BulkUpsertAssetCriticalityRecords - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - example: - records: - - criticality_level: low_impact - id_field: host.name - id_value: host-1 - - criticality_level: medium_impact - id_field: host.name - id_value: host-2 - type: object - properties: - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - maxItems: 1000 - minItems: 1 - type: array - required: - - records - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - example: - errors: - - index: 0 - message: Invalid ID field - stats: - failed: 1 - successful: 1 - total: 2 - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Bulk Upsert Asset Criticality Records - tags: - - Security Entity Analytics API - /api/asset_criticality/list: - get: - description: 'List asset criticality records, paging, sorting and filtering as needed.' - operationId: FindAssetCriticalityRecords - parameters: - - description: The field to sort by. - in: query - name: sort_field - required: false - schema: - enum: - - id_value - - id_field - - criticality_level - - \@timestamp - type: string - - description: The order to sort by. - in: query - name: sort_direction - required: false - schema: - enum: - - asc - - desc - type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of records to return per page. - in: query - name: per_page - required: false - schema: - maximum: 1000 - minimum: 1 - type: integer - - description: The kuery to filter by. - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Bulk upload successful - summary: List Asset Criticality Records - tags: - - Security Entity Analytics API - /api/data_views: - get: - operationId: getAllDataViewsDefault - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' - schema: - type: object - properties: - data_view: - items: - type: object - properties: - id: - type: string - name: - type: string - namespaces: - items: - type: string - type: array - title: - type: string - typeMeta: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get all data views - tags: - - data views - /api/data_views/data_view: - post: - operationId: createDataViewDefaultw - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create a data view - tags: - - data views - '/api/data_views/data_view/{viewId}': - delete: - description: | - WARNING: When you delete a data view, it cannot be recovered. - operationId: deleteDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a data view - tags: - - data views - get: - operationId: getDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a data view - tags: - - data views - post: - operationId: updateDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a data view - tags: - - data views - '/api/data_views/data_view/{viewId}/fields': - post: - description: > - Update fields presentation metadata such as count, customLabel, - customDescription, and format. - operationId: updateFieldsMetadataDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' - schema: - type: object - properties: - fields: - description: The field object. - type: object - required: - - fields - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update data view fields metadata - tags: - - data views - '/api/data_views/data_view/{viewId}/runtime_field': - post: - operationId: createRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: Indicates a successful call. - summary: Create a runtime field - tags: - - data views - put: - operationId: createUpdateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - description: | - The ID of the data view fields you want to update. - in: path - name: viewId - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create or update a runtime field - tags: - - data views - '/api/data_views/data_view/{viewId}/runtime_field/{fieldName}': - delete: - operationId: deleteRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a runtime field from a data view - tags: - - data views - get: - operationId: getRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' - schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a runtime field - tags: - - data views - post: - operationId: updateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' - schema: - type: object - properties: - runtimeField: - description: | - The runtime field definition object. - - You can update following fields: - - - `type` - - `script` - type: object - required: - - runtimeField - required: true - responses: - '200': - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a runtime field - tags: - - data views - /api/data_views/default: - get: - operationId: getDefaultDataViewDefault - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - getDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_get_default_data_view_response - schema: - type: object - properties: - data_view_id: - type: string - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get the default data view - tags: - - data views - post: - operationId: setDefaultDatailViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' - schema: - type: object - properties: - data_view_id: - description: > - The data view identifier. NOTE: The API does not validate - whether it is a valid identifier. Use `null` to unset the - default data view. - nullable: true - type: string - force: - default: false - description: Update an existing default data view identifier. - type: boolean - required: - - data_view_id - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Set the default data view - tags: - - data views - /api/data_views/swap_references: - post: - description: > - Changes saved object references from one data view identifier to - another. WARNING: Misuse can break large numbers of saved objects! - Practicing with a backup is recommended. - operationId: swapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Swap saved object references - tags: - - data views - /api/data_views/swap_references/_preview: - post: - description: > - Preview the impact of swapping saved object references from one data - view identifier to another. - operationId: previewSwapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - previewSwapDataViewRequest: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_request - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Preview a saved object reference swap - tags: - - data views - /api/detection_engine/privileges: - get: - description: > - Retrieves whether or not the user is authenticated, and the user's - Kibana - - space and index privileges, which determine if the user can create an - - index for the Elastic Security alerts generated by - - detection engine rules. - operationId: ReadPrivileges - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - has_encryption_key: - type: boolean - is_authenticated: - type: boolean - required: - - is_authenticated - - has_encryption_key - description: Successful response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Returns user privileges for the Kibana space - tags: - - Security Detections API - - Privileges API - /api/detection_engine/rules: - delete: - description: Delete a detection rule using the `rule_id` or `id` field. - operationId: DeleteRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Delete a detection rule - tags: - - Security Detections API - - Rules API - get: - description: Retrieve a detection rule using the `rule_id` or `id` field. - operationId: ReadRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Retrieve a detection rule - tags: - - Security Detections API - - Rules API - patch: - description: >- - Update specific fields of an existing detection rule using the `rule_id` - or `id` field. - operationId: PatchRule - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Patch a detection rule - tags: - - Security Detections API - - Rules API - post: - description: Create a new detection rule. - operationId: CreateRule - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Create a detection rule - tags: - - Security Detections API - - Rules API - put: - description: > - Update a detection rule using the `rule_id` or `id` field. The original - rule is replaced, and all unspecified fields are deleted. - - > info - - > You cannot modify the `id` or `rule_id` values. - operationId: UpdateRule - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Update a detection rule - tags: - - Security Detections API - - Rules API - /api/detection_engine/rules/_bulk_action: - post: - description: >- - Apply a bulk action, such as bulk edit, duplicate, or delete, to - multiple detection rules. The bulk action is applied to all rules that - match the query or to the rules listed by their IDs. - operationId: PerformRulesBulkAction - parameters: - - description: Enables dry run mode for the request call. - in: query - name: dry_run - required: false - schema: - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDisableRules - - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDuplicateRules - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleRun - - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResponse - - $ref: >- - #/components/schemas/Security_Detections_API_BulkExportActionResponse - description: OK - summary: Apply a bulk action to detection rules - tags: - - Security Detections API - - Bulk API - /api/detection_engine/rules/_export: - post: - description: > - Export detection rules to an `.ndjson` file. The following configuration - items are also included in the `.ndjson` file: - - - Actions - - - Exception lists - - > info - - > You cannot export prebuilt rules. - operationId: ExportRules - parameters: - - description: Determines whether a summary of the exported rules is returned. - in: query - name: exclude_export_details - required: false - schema: - default: false - type: boolean - - description: File name for saving the exported rules. - in: query - name: file_name - required: false - schema: - default: export.ndjson - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - nullable: true - type: object - properties: - objects: - description: >- - Array of `rule_id` fields. Exports all rules when - unspecified. - items: - type: object - properties: - rule_id: - $ref: >- - #/components/schemas/Security_Detections_API_RuleSignatureId - required: - - rule_id - type: array - required: - - objects - required: false - responses: - '200': - content: - application/ndjson; Elastic-Api-Version=2023-10-31: - schema: - description: An `.ndjson` file containing the returned rules. - format: binary - type: string - description: Indicates a successful call. - summary: Export detection rules - tags: - - Security Detections API - - Import/Export API - /api/detection_engine/rules/_find: - get: - description: >- - Retrieve a paginated list of detection rules. By default, the first page - is returned, with 20 results per page. - operationId: FindRules - parameters: - - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Rules per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RuleResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - summary: List all detection rules - tags: - - Security Detections API - - Rules API - /api/detection_engine/rules/_import: - post: - description: > - Import detection rules from an `.ndjson` file, including actions and - exception lists. The request must include: - - - The `Content-Type: multipart/form-data` HTTP header. - - - A link to the `.ndjson` file containing the rules. - operationId: ImportRules - parameters: - - description: >- - Determines whether existing rules with the same `rule_id` are - overwritten. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing exception lists with the same `list_id` - are overwritten. - in: query - name: overwrite_exceptions - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing actions with the same - `kibana.alert.rule.actions.id` are overwritten. - in: query - name: overwrite_action_connectors - required: false - schema: - default: false - type: boolean - - description: Generates a new list ID for each imported exception list. - in: query - name: as_new_list - required: false - schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - file: - description: The `.ndjson` file containing the rules. - format: binary - type: string - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - action_connectors_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - action_connectors_success: - type: boolean - action_connectors_success_count: - minimum: 0 - type: integer - action_connectors_warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_success: - type: boolean - exceptions_success_count: - minimum: 0 - type: integer - rules_count: - minimum: 0 - type: integer - success: - type: boolean - success_count: - minimum: 0 - type: integer - required: - - exceptions_success - - exceptions_success_count - - exceptions_errors - - rules_count - - success - - success_count - - errors - - action_connectors_errors - - action_connectors_warnings - - action_connectors_success - - action_connectors_success_count - description: Indicates a successful call. - summary: Import detection rules - tags: - - Security Detections API - - Import/Export API - '/api/detection_engine/rules/{id}/exceptions': - post: - operationId: CreateRuleExceptionListItems - parameters: - - description: Detection rule's identifier - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_RuleId' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps - type: array - required: - - items - description: Rule exception list items - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Creates rule exception list items - tags: - - Security Exceptions API - /api/detection_engine/rules/preview: - post: - operationId: RulePreview - parameters: - - description: >- - Enables logging and returning in response ES queries, performed - during rule execution - in: query - name: enable_logged_requests - required: false - schema: - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - anyOf: - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EsqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - discriminator: - propertyName: type - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - isAborted: - type: boolean - logs: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLogs - type: array - previewId: - $ref: >- - #/components/schemas/Security_Detections_API_NonEmptyString - required: - - logs - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Preview rule alerts generated on specified time range - tags: - - Security Detections API - - Rule preview API - /api/detection_engine/signals/assignees: - post: - description: | - Assign users to detection alerts, and unassign them from alerts. - > info - > You cannot add and remove the same assignee in the same request. - operationId: SetAlertAssignees - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - assignees: - $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' - description: Details about the assignees to assign and unassign. - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - description: List of alerts ids to assign and unassign passed assignees. - required: - - assignees - - ids - required: true - responses: - '200': - description: Indicates a successful call. - '400': - description: Invalid request. - summary: Assign and unassign users from detection alerts - tags: - - Security Detections API - /api/detection_engine/signals/search: - post: - description: Find and/or aggregate detection alerts that match the given query. - operationId: SearchAlerts - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - description: Elasticsearch query and aggregation request - type: object - properties: - _source: - oneOf: - - type: boolean - - type: string - - items: - type: string - type: array - aggs: - additionalProperties: true - type: object - fields: - items: - type: string - type: array - query: - additionalProperties: true - type: object - runtime_mappings: - additionalProperties: true - type: object - size: - minimum: 0 - type: integer - sort: - $ref: '#/components/schemas/Security_Detections_API_AlertsSort' - track_total_hits: - type: boolean - description: Search and/or aggregation query - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: true - description: Elasticsearch search response - type: object - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Find and/or aggregate detection alerts - tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/status: - post: - description: Set the status of one or more detection alerts. - operationId: SetAlertsStatus - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIds - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery - description: >- - An object containing desired status and explicit alert ids or a query - to select alerts - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Set a detection alert status - tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/tags: - post: - description: | - And tags to detection alerts, and remove them from alerts. - > info - > You cannot add and remove the same alert tag in the same request. - operationId: SetAlertTags - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - tags: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' - required: - - ids - - tags - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Add and remove detection alert tags - tags: - - Security Detections API - - Alerts API - /api/detection_engine/tags: - get: - description: List all unique tags from all detection rules. - operationId: ReadTags - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - description: Indicates a successful call - summary: List all detection rule tags - tags: - - Security Detections API - - Tags API - /api/endpoint_list: - post: - description: Creates an endpoint list or does nothing if the list already exists - operationId: CreateEndpointList - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Creates an endpoint list - tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items: - delete: - operationId: DeleteEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Deletes an endpoint list item - tags: - - Security Endpoint Exceptions API - get: - operationId: ReadEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - type: array - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Reads an endpoint list item - tags: - - Security Endpoint Exceptions API - post: - operationId: CreateEndpointListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item already exists - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Creates an endpoint list item - tags: - - Security Endpoint Exceptions API - put: - operationId: UpdateEndpointListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Updates an endpoint list item - tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items/_find: - get: - operationId: FindEndpointListItems - parameters: - - description: > - Filters the returned results according to the value of the specified - field, - - using the `:` syntax. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - - description: 'Determines the sort order, which can be `desc` or `asc`' - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list not found - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Finds endpoint list items - tags: - - Security Endpoint Exceptions API - /api/endpoint/action: - get: - description: Get a list of all response actions. - operationId: EndpointGetActionsList - parameters: - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get response actions - tags: - - Security Endpoint Management API - '/api/endpoint/action_log/{agent_id}': - get: - deprecated: true - description: Get an action request log for the specified agent ID. - operationId: EndpointGetActionLog - parameters: - - in: path - name: agent_id - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionLogRequestQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get an action request log - tags: - - Security Endpoint Management API - /api/endpoint/action_status: - get: - description: Get the status of response actions for the specified agent IDs. - operationId: EndpointGetActionsStatus - parameters: - - in: query - name: query - required: true - schema: - type: object - properties: - agent_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse - description: OK - summary: Get response actions status - tags: - - Security Endpoint Management API - '/api/endpoint/action/{action_id}': - get: - description: Get the details of a response action using the action ID. - operationId: EndpointGetActionsDetails - parameters: - - in: path - name: action_id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get action details - tags: - - Security Endpoint Management API - '/api/endpoint/action/{action_id}/file/{file_id}': - get: - description: Get information for the specified file using the file ID. - operationId: EndpointFileInfo - parameters: - - in: path - name: action_id - required: true - schema: - type: string - - in: path - name: file_id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get file information - tags: - - Security Endpoint Management API - '/api/endpoint/action/{action_id}/file/{file_id}/download': - get: - description: Download a file from an endpoint. - operationId: EndpointFileDownload - parameters: - - in: path - name: action_id - required: true - schema: - type: string - - in: path - name: file_id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Download a file - tags: - - Security Endpoint Management API - /api/endpoint/action/execute: - post: - description: Run a shell command on an endpoint. - operationId: EndpointExecuteAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Run a command - tags: - - Security Endpoint Management API - /api/endpoint/action/get_file: - post: - description: Get a file from an endpoint. - operationId: EndpointGetFileAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get a file - tags: - - Security Endpoint Management API - /api/endpoint/action/isolate: - post: - description: >- - Isolate an endpoint from the network. The endpoint remains isolated - until it's released. - operationId: EndpointIsolateAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Isolate an endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/kill_process: - post: - description: Terminate a running process on an endpoint. - operationId: EndpointKillProcessAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Terminate a process - tags: - - Security Endpoint Management API - /api/endpoint/action/running_procs: - post: - description: Get a list of all processes running on an endpoint. - operationId: EndpointGetProcessesAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get running processes - tags: - - Security Endpoint Management API - /api/endpoint/action/scan: - post: - description: Scan a specific file or directory on an endpoint for malware. - operationId: EndpointScanAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Scan a file or directory - tags: - - Security Endpoint Management API - /api/endpoint/action/state: - get: - description: >- - Get a response actions state, which reports whether encryption is - enabled. - operationId: EndpointGetActionsState - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse - description: OK - summary: Get actions state - tags: - - Security Endpoint Management API - /api/endpoint/action/suspend_process: - post: - description: Suspend a running process on an endpoint. - operationId: EndpointSuspendProcessAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Suspend a process - tags: - - Security Endpoint Management API - /api/endpoint/action/unisolate: - post: - description: 'Release an isolated endpoint, allowing it to rejoin a network.' - operationId: EndpointUnisolateAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Release an isolated endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/upload: - post: - description: Upload a file to an endpoint. - operationId: EndpointUploadAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Upload a file - tags: - - Security Endpoint Management API - /api/endpoint/metadata: - get: - operationId: GetEndpointMetadataList - parameters: - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ListRequestQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get a metadata list - tags: - - Security Endpoint Management API - '/api/endpoint/metadata/{id}': - get: - operationId: GetEndpointMetadata - parameters: - - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get metadata - tags: - - Security Endpoint Management API - /api/endpoint/metadata/transforms: - get: - deprecated: true - operationId: GetEndpointMetadataTransform - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get metadata transforms - tags: - - Security Endpoint Management API - /api/endpoint/policy_response: - get: - operationId: GetPolicyResponse - parameters: - - in: query - name: query - required: true - schema: - type: object - properties: - agentId: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get a policy response - tags: - - Security Endpoint Management API - /api/endpoint/policy/summaries: - get: - deprecated: true - operationId: GetAgentPolicySummary - parameters: - - in: query - name: query - required: true - schema: - type: object - properties: - package_name: - type: string - policy_id: - nullable: true - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get an agent policy summary - tags: - - Security Endpoint Management API - '/api/endpoint/protection_updates_note/{package_policy_id}': - get: - operationId: GetProtectionUpdatesNote - parameters: - - in: path - name: package_policy_id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: OK - summary: Get a protection updates note - tags: - - Security Endpoint Management API - post: - operationId: CreateUpdateProtectionUpdatesNote - parameters: - - in: path - name: package_policy_id - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - note: - type: string - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: OK - summary: Create or update a protection updates note - tags: - - Security Endpoint Management API - '/api/endpoint/suggestions/{suggestion_type}': - post: - deprecated: true - operationId: GetEndpointSuggestions - parameters: - - in: path - name: suggestion_type - required: true - schema: - enum: - - eventFilters - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - field: - type: string - fieldMeta: {} - filters: {} - query: - type: string - required: - - parameters - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get suggestions - tags: - - Security Endpoint Management API - /api/entity_store/engines: - get: - operationId: ListEntityEngines - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - count: - type: integer - engines: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - description: Successful response - summary: List the Entity Engines - tags: - - Security Entity Analytics API - '/api/entity_store/engines/{entityType}': - delete: - operationId: DeleteEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: Control flag to also delete the entity data. - in: query - name: data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - deleted: - type: boolean - description: Successful response - summary: Delete the Entity Engine - tags: - - Security Entity Analytics API - get: - operationId: GetEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response - summary: Get an Entity Engine - tags: - - Security Entity Analytics API - '/api/entity_store/engines/{entityType}/init': - post: - operationId: InitEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - description: Schema for the engine initialization - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response - summary: Initialize an Entity Engine - tags: - - Security Entity Analytics API - '/api/entity_store/engines/{entityType}/start': - post: - operationId: StartEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - started: - type: boolean - description: Successful response - summary: Start an Entity Engine - tags: - - Security Entity Analytics API - '/api/entity_store/engines/{entityType}/stats': - post: - operationId: GetEntityEngineStats - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - indices: - items: - type: object - type: array - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineStatus - transforms: - items: - type: object - type: array - type: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - description: Successful response - summary: Get Entity Engine stats - tags: - - Security Entity Analytics API - '/api/entity_store/engines/{entityType}/stop': - post: - operationId: StopEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - stopped: - type: boolean - description: Successful response - summary: Stop an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/apply_dataview_indices: - post: - operationId: ApplyEntityEngineDataviewIndices - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - result: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - type: boolean - description: Successful response - '207': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - errors: - items: - type: string - type: array - result: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - type: boolean - description: Partial successful response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Error response - summary: Apply DataView indices to all installed engines - tags: - - Security Entity Analytics API - /api/entity_store/entities/list: - get: - description: 'List entities records, paging, sorting and filtering as needed.' - operationId: ListEntities - parameters: - - in: query - name: sort_field - required: false - schema: - type: string - - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - in: query - name: per_page - required: false - schema: - maximum: 10000 - minimum: 1 - type: integer - - description: An ES query to filter by. - in: query - name: filterQuery - required: false - schema: - type: string - - in: query - name: entities_types - required: true - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - inspect: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_InspectQuery - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Entity - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Entities returned successfully - summary: List Entity Store Entities - tags: - - Security Entity Analytics API - /api/exception_lists: - delete: - operationId: DeleteExceptionList - parameters: - - description: Either `id` or `list_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Either `id` or `list_id` must be specified - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Deletes an exception list - tags: - - Security Exceptions API - get: - operationId: ReadExceptionList - parameters: - - description: Either `id` or `list_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Either `id` or `list_id` must be specified - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Retrieves an exception list using its `id` or `list_id` field - tags: - - Security Exceptions API - post: - operationId: CreateExceptionList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - default: 1 - required: - - name - - description - - type - description: Exception list's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Creates an exception list - tags: - - Security Exceptions API - put: - operationId: UpdateExceptionList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - required: - - name - - description - - type - description: Exception list's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Updates an exception list - tags: - - Security Exceptions API - /api/exception_lists/_duplicate: - post: - operationId: DuplicateExceptionList - parameters: - - description: Exception list's human identifier - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - in: query - name: namespace_type - required: true - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the exported - list - in: query - name: include_expired_exceptions - required: true - schema: - default: 'true' - enum: - - 'true' - - 'false' - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '405': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list to duplicate not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Duplicates an exception list - tags: - - Security Exceptions API - /api/exception_lists/_export: - post: - description: Exports an exception list and its associated items to an .ndjson file - operationId: ExportExceptionList - parameters: - - description: Exception list's identifier - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human identifier - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - in: query - name: namespace_type - required: true - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the exported - list - in: query - name: include_expired_exceptions - required: true - schema: - default: 'true' - enum: - - 'true' - - 'false' - type: string - responses: - '200': - content: - application/ndjson; Elastic-Api-Version=2023-10-31: - schema: - description: >- - A `.ndjson` file containing specified exception list and its - items - format: binary - type: string - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Exports an exception list - tags: - - Security Exceptions API - /api/exception_lists/_find: - get: - operationId: FindExceptionLists - parameters: - - description: > - Filters the returned results according to the value of the specified - field. - - - Uses the `so type.field name:field` value syntax, where `so type` - can be: - - - - `exception-list`: Specify a space-aware exception list. - - - `exception-list-agnostic`: Specify an exception list that is - shared across spaces. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space - - or available in all spaces (`agnostic` or `single`) - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of exception lists to return per page - in: query - name: per_page - required: false - schema: - minimum: 1 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - type: string - - description: 'Determines the sort order, which can be `desc` or `asc`' - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionList - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Finds exception lists - tags: - - Security Exceptions API - /api/exception_lists/_import: - post: - description: Imports an exception list and associated items - operationId: ImportExceptionList - parameters: - - description: > - Determines whether existing exception lists with the same `list_id` - are overwritten. - - If any exception items have the same `item_id`, those are also - overwritten. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - in: query - name: overwrite_exceptions - required: false - schema: - default: false - type: boolean - - in: query - name: overwrite_action_connectors - required: false - schema: - default: false - type: boolean - - description: > - Determines whether the list being imported will have a new `list_id` - generated. - - Additional `item_id`'s are generated for each exception item. Both - the exception - - list and its items are overwritten. - in: query - name: as_new_list - required: false - schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - file: - description: A `.ndjson` file containing the exception list - format: binary - type: string - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - errors: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray - success: - type: boolean - success_count: - minimum: 0 - type: integer - success_count_exception_list_items: - minimum: 0 - type: integer - success_count_exception_lists: - minimum: 0 - type: integer - success_exception_list_items: - type: boolean - success_exception_lists: - type: boolean - required: - - errors - - success - - success_count - - success_exception_lists - - success_count_exception_lists - - success_exception_list_items - - success_count_exception_list_items - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Imports an exception list - tags: - - Security Exceptions API - /api/exception_lists/items: - delete: - operationId: DeleteExceptionListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Deletes an exception list item - tags: - - Security Exceptions API - get: - operationId: ReadExceptionListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Gets an exception list item - tags: - - Security Exceptions API - post: - operationId: CreateExceptionListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemType - required: - - list_id - - type - - name - - description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item already exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Creates an exception list item - tags: - - Security Exceptions API - put: - operationId: UpdateExceptionListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemId - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Updates an exception list item - tags: - - Security Exceptions API - /api/exception_lists/items/_find: - get: - operationId: FindExceptionListItems - parameters: - - description: List's id - in: query - name: list_id - required: true - schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - type: array - - description: > - Filters the returned results according to the value of the specified - field, - - using the `:` syntax. - in: query - name: filter - required: false - schema: - default: [] - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter - type: array - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space - - or available in all spaces (`agnostic` or `single`) - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - in: query - name: search - required: false - schema: - type: string - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - - description: 'Determines the sort order, which can be `desc` or `asc`' - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Finds exception list items - tags: - - Security Exceptions API - /api/exception_lists/summary: - get: - operationId: ReadExceptionListSummary - parameters: - - description: Exception list's identifier generated upon creation - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human readable identifier - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - - description: Search filter clause - in: query - name: filter - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - linux: - minimum: 0 - type: integer - macos: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - windows: - minimum: 0 - type: integer - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Retrieves an exception list summary - tags: - - Security Exceptions API - /api/exceptions/shared: - post: - operationId: CreateSharedExceptionList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - required: - - name - - description - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Creates a shared exception list - tags: - - Security Exceptions API - /api/fleet/agent_download_sources: - get: - operationId: get-download-sources - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_download_sources' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent binary download sources - tags: - - Elastic Agent binary download sources - post: - operationId: post-download-sources - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - type: string - id: - type: string - is_default: - type: boolean - name: - type: string - required: - - name - - host - - is_default - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent binary download source - tags: - - Elastic Agent binary download sources - '/api/fleet/agent_download_sources/{sourceId}': - delete: - operationId: delete-download-source - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent binary download source by ID - tags: - - Elastic Agent binary download sources - get: - operationId: get-one-download-source - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent binary download source by ID - tags: - - Elastic Agent binary download sources - parameters: - - in: path - name: sourceId - required: true - schema: - type: string - put: - operationId: update-download-source - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - type: string - is_default: - type: boolean - name: - type: string - required: - - name - - is_default - - host - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent binary download source by ID - tags: - - Elastic Agent binary download sources - /api/fleet/agent_policies: - get: - description: '' - operationId: agent-policy-list - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_format' - - description: >- - When set to true, retrieve the related package policies for each - agent policy. - in: query - name: full - schema: - type: boolean - - description: >- - When set to true, do not count how many agents are in the agent - policy, this can improve performance if you are searching over a - large number of agent policies. The "agents" property will always be - 0 if set to true. - in: query - name: noAgentCount - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent_policy' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent policies - tags: - - Elastic Agent policies - post: - operationId: create-agent-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_agent_policy_create_request' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent policy - tags: - - Elastic Agent policies - /api/fleet/agent_policies/_bulk_get: - post: - operationId: bulk-get-agent-policies - parameters: - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of agent policy ids - items: - type: string - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent_policy' - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get agent policies - tags: - - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}': - get: - description: Get one agent policy - operationId: agent-policy-info - parameters: [] - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent policy by ID - tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - $ref: '#/components/parameters/Fleet_format' - put: - operationId: update-agent-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_agent_policy_update_request' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent policy by ID - tags: - - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}/copy': - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - $ref: '#/components/parameters/Fleet_format' - post: - operationId: agent-policy-copy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - description: - type: string - name: - type: string - required: - - name - description: '' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Copy agent policy by ID - tags: - - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}/download': - get: - operationId: agent-policy-download - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Download agent policy by ID - tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: download - required: false - schema: - type: string - - in: query - name: standalone - required: false - schema: - type: string - - in: query - name: kubernetes - required: false - schema: - type: string - '/api/fleet/agent_policies/{agentPolicyId}/full': - get: - operationId: agent-policy-full - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - oneOf: - - type: string - - $ref: '#/components/schemas/Fleet_agent_policy_full' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get full agent policy by ID - tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: download - required: false - schema: - type: string - - in: query - name: standalone - required: false - schema: - type: string - - in: query - name: kubernetes - required: false - schema: - type: string - /api/fleet/agent_policies/delete: - parameters: [] - post: - operationId: delete-agent-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - agentPolicyId: - type: string - force: - description: >- - bypass validation checks that can prevent agent policy - deletion - type: boolean - required: - - agentPolicyId - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - success: - type: boolean - required: - - id - - success - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent policy by ID - tags: - - Elastic Agent policies - /api/fleet/agent_status: - get: - operationId: get-agent-status - parameters: - - in: query - name: policyId - required: false - schema: - type: string - - deprecated: true - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - active: - type: integer - all: - type: integer - error: - type: integer - events: - type: integer - inactive: - type: integer - offline: - type: integer - online: - type: integer - other: - type: integer - total: - deprecated: true - type: integer - unenrolled: - type: integer - updating: - type: integer - required: - - active - - all - - error - - events - - inactive - - offline - - online - - other - - total - - updating - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent status summary - tags: - - Elastic Agent status - /api/fleet/agent_status/data: - get: - operationId: get-agent-data - parameters: - - in: query - name: agentsIds - required: true - schema: - items: - type: string - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - additionalProperties: - type: object - properties: - data: - type: boolean - type: object - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get incoming agent data - tags: - - Elastic Agent status - /api/fleet/agent-status: - get: - deprecated: true - operationId: get-agent-status-deprecated - parameters: - - in: query - name: policyId - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: integer - events: - type: integer - inactive: - type: integer - offline: - type: integer - online: - type: integer - other: - type: integer - total: - type: integer - updating: - type: integer - required: - - error - - events - - inactive - - offline - - online - - other - - total - - updating - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent status summary - tags: - - Elastic Agent status - /api/fleet/agents: - get: - operationId: get-agents - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_show_inactive' - - $ref: '#/components/parameters/Fleet_show_upgradeable' - - $ref: '#/components/parameters/Fleet_sort_field' - - $ref: '#/components/parameters/Fleet_sort_order' - - $ref: '#/components/parameters/Fleet_with_metrics' - - in: query - name: getStatusSummary - required: false - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_get_agents_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agents - tags: - - Elastic Agents - post: - operationId: get-agents-by-actions - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionIds: - items: - type: string - type: array - required: - - policy_id - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_agent_get_by_actions' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agents by action ids - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}': - delete: - operationId: delete-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent by ID - tags: - - Elastic Agents - get: - operationId: get-agent - parameters: - - $ref: '#/components/parameters/Fleet_with_metrics' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent by ID - tags: - - Elastic Agents - parameters: - - in: path - name: agentId - required: true - schema: - type: string - put: - operationId: update-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - tags: - items: - type: string - type: array - user_provided_metadata: - type: object - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent by ID - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}/actions': - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: new-agent-action - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - $ref: '#/components/schemas/Fleet_agent_action' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - items: - type: number - type: array - headers: - type: string - statusCode: - type: number - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent action - tags: - - Elastic Agent actions - '/api/fleet/agents/{agentId}/reassign': - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: reassign-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - policy_id: - type: string - required: - - policy_id - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Reassign agent - tags: - - Elastic Agents - put: - deprecated: true - operationId: reassign-agent-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - policy_id: - type: string - required: - - policy_id - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Reassign agent - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}/request_diagnostics': - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: request-diagnostics-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - additional_metrics: - items: - oneOf: - - enum: - - CPU - type: string - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Request agent diagnostics - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}/unenroll': - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: unenroll-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - revoke: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: OK - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - enum: - - 400 - type: number - description: BAD REQUEST - summary: Unenroll agent - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}/upgrade': - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: upgrade-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_upgrade_agent' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_upgrade_agent' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Upgrade agent - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}/uploads': - get: - operationId: list-agent-uploads - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - properties: - item: - items: - $ref: '#/components/schemas/Fleet_agent_diagnostics' - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent uploads - tags: - - Elastic Agents - parameters: - - in: path - name: agentId - required: true - schema: - type: string - /api/fleet/agents/action_status: - get: - operationId: agents-action-status - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - in: query - name: errorSize - schema: - default: 5 - type: integer - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action - type: string - expiration: - type: string - latestErrors: - description: >- - latest errors that happened when the agents executed - the action - items: - type: object - properties: - agentId: - type: string - error: - type: string - timestamp: - type: string - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: string - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - POLICY_REASSIGN - - UPGRADE - - UNENROLL - - FORCE_UNENROLL - - UPDATE_TAGS - - CANCEL - - REQUEST_DIAGNOSTICS - - SETTINGS - - POLICY_CHANGE - - INPUT_ACTION - type: string - version: - description: agent version number (UPGRADE action) - type: string - required: - - actionId - - complete - - nbAgentsActioned - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - status - - creationTime - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent action status - tags: - - Elastic Agent actions - '/api/fleet/agents/actions/{actionId}/cancel': - parameters: - - in: path - name: actionId - required: true - schema: - type: string - post: - operationId: agent-action-cancel - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_action' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Cancel agent action - tags: - - Elastic Agent actions - /api/fleet/agents/bulk_reassign: - post: - operationId: bulk-reassign-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' - policy_id: policy_id - schema: - type: object - properties: - agents: - oneOf: - - description: 'KQL query string, leave empty to action all agents' - type: string - - description: list of agent IDs - items: - type: string - type: array - policy_id: - description: new agent policy id - type: string - required: - - policy_id - - agents - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk reassign agents - tags: - - Elastic Agents - /api/fleet/agents/bulk_request_diagnostics: - post: - operationId: bulk-request-diagnostics - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' - schema: - type: object - properties: - additional_metrics: - items: - oneOf: - - enum: - - CPU - type: string - type: array - agents: - oneOf: - - description: 'KQL query string, leave empty to action all agents' - type: string - - description: list of agent IDs - items: - type: string - type: array - batchSize: - type: number - required: - - agents - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk request diagnostics from agents - tags: - - Elastic Agents - /api/fleet/agents/bulk_unenroll: - post: - operationId: bulk-unenroll-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - force: false - revoke: true - schema: - type: object - properties: - agents: - oneOf: - - description: 'KQL query string, leave empty to action all agents' - type: string - - description: list of agent IDs - items: - type: string - type: array - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: >- - When passing agents by KQL query, unenrolls inactive agents - too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk unenroll agents - tags: - - Elastic Agents - /api/fleet/agents/bulk_update_agent_tags: - post: - operationId: bulk-update-agent-tags - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - tagsToAdd: - - newTag - tagsToRemove: - - existingTag - schema: - type: object - properties: - agents: - oneOf: - - description: 'KQL query string, leave empty to action all agents' - type: string - - description: list of agent IDs - items: - type: string - type: array - batchSize: - type: number - tagsToAdd: - items: - type: string - type: array - tagsToRemove: - items: - type: string - type: array - required: - - agents - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk update agent tags - tags: - - Elastic Agents - /api/fleet/agents/bulk_upgrade: - post: - operationId: bulk-upgrade-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - rollout_duration_seconds: 3600 - source_uri: 'https://artifacts.elastic.co/downloads/beats/elastic-agent' - start_time: '2022-08-03T14:00:00.000Z' - version: 8.4.0 - schema: - $ref: '#/components/schemas/Fleet_bulk_upgrade_agents' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk upgrade agents - tags: - - Elastic Agents - '/api/fleet/agents/files/{fileId}': - delete: - operationId: delete-agent-upload-file - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - properties: - deleted: - type: boolean - id: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete file uploaded by agent - tags: - - Elastic Agents - parameters: - - in: path - name: fileId - required: true - schema: - type: string - '/api/fleet/agents/files/{fileId}/{fileName}': - get: - operationId: get-agent-upload-file - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - properties: - items: - type: object - properties: - body: {} - headers: {} - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get file uploaded by agent - tags: - - Elastic Agents - parameters: - - in: path - name: fileId - required: true - schema: - type: string - - in: path - name: fileName - required: true - schema: - type: string - /api/fleet/agents/setup: - get: - operationId: get-agents-setup-status - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_fleet_status_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent setup info - tags: - - Elastic Agents - post: - operationId: setup-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - admin_password: - type: string - admin_username: - type: string - required: - - admin_username - - admin_password - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_fleet_setup_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Initiate agent setup - tags: - - Elastic Agents - /api/fleet/agents/tags: - get: - operationId: get-agent-tags - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_get_agent_tags_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent tags - tags: - - Elastic Agents - /api/fleet/data_streams: - get: - operationId: data-streams-list - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data_streams: - items: - $ref: '#/components/schemas/Fleet_data_stream' - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List data streams - tags: - - Data streams - parameters: [] - /api/fleet/enrollment_api_keys: - get: - operationId: get-enrollment-api-keys - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - page - - perPage - - total - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List enrollment API keys - tags: - - Fleet enrollment API keys - post: - operationId: create-enrollment-api-keys - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - name: - description: The name of the enrollment API key. Must be unique. - type: string - policy_id: - description: >- - The ID of the agent policy the Elastic Agent will be - enrolled in. - type: string - required: - - policy_id - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - created - type: string - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create enrollment API key - tags: - - Fleet enrollment API keys - '/api/fleet/enrollment_api_keys/{keyId}': - delete: - operationId: delete-enrollment-api-key - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Revoke enrollment API key by ID by marking it as inactive - tags: - - Fleet enrollment API keys - get: - operationId: get-enrollment-api-key - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get enrollment API key by ID - tags: - - Fleet enrollment API keys - parameters: - - in: path - name: keyId - required: true - schema: - type: string - /api/fleet/enrollment-api-keys: - get: - deprecated: true - operationId: get-enrollment-api-keys-deprecated - parameters: [] - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - page - - perPage - - total - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List enrollment API keys - tags: - - Fleet enrollment API keys - post: - deprecated: true - operationId: create-enrollment-api-keys-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - created - type: string - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create enrollment API key - tags: - - Fleet enrollment API keys - '/api/fleet/enrollment-api-keys/{keyId}': - delete: - deprecated: true - operationId: delete-enrollment-api-key-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete enrollment API key by ID - tags: - - Fleet enrollment API keys - get: - deprecated: true - operationId: get-enrollment-api-key-deprecated - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get enrollment API key by ID - tags: - - Fleet enrollment API keys - parameters: - - in: path - name: keyId - required: true - schema: - type: string - /api/fleet/epm/bulk_assets: - post: - operationId: bulk-get-assets - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - assetIds: - description: list of items necessary to fetch assets - items: - type: object - properties: - id: - type: string - type: - type: string - type: array - required: - - assetIds - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_get_bulk_assets_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get assets - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/categories: - get: - operationId: get-package-categories - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_get_categories_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List package categories - tags: - - Elastic Package Manager (EPM) - parameters: - - description: >- - Whether to include prerelease packages in categories count (e.g. beta, - rc, preview) - in: query - name: prerelease - schema: - default: false - type: boolean - - deprecated: true - in: query - name: experimental - schema: - default: false - type: boolean - - in: query - name: include_policy_templates - schema: - default: false - type: boolean - /api/fleet/epm/packages: - get: - operationId: list-all-packages - parameters: - - description: >- - Whether to exclude the install status of each package. Enabling this - option will opt in to caching for the response via `cache-control` - headers. If you don't need up-to-date installation info for a - package, and are querying for a list of available packages, - providing this flag can improve performance substantially. - in: query - name: excludeInstallStatus - schema: - default: false - type: boolean - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - - deprecated: true - in: query - name: experimental - schema: - default: false - type: boolean - - in: query - name: category - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_get_packages_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List packages - tags: - - Elastic Package Manager (EPM) - post: - description: '' - operationId: install-package-by-upload - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors - schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover - schema: - default: false - type: boolean - requestBody: - content: - application/gzip; Elastic-Api-Version=2023-10-31: - schema: - format: binary - type: string - application/zip; Elastic-Api-Version=2023-10-31: - schema: - format: binary - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _meta: - type: object - properties: - install_source: - enum: - - upload - - registry - - bundled - type: string - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '429': - $ref: '#/components/responses/Fleet_error' - summary: Install by package by direct upload - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk: - post: - operationId: bulk-install-packages - parameters: - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - description: force install to ignore package verification errors - type: boolean - packages: - description: list of packages to install - items: - oneOf: - - description: package name - type: string - - type: object - properties: - name: - description: package name - type: string - version: - description: package version - type: string - type: array - required: - - packages - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_bulk_install_packages_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk install packages - tags: - - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgkey}': - delete: - deprecated: true - operationId: delete-package-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgkey - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - response: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - response - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete ackage - tags: - - Elastic Package Manager (EPM) - get: - deprecated: true - operationId: get-package-deprecated - parameters: - - in: path - name: pkgkey - required: true - schema: - type: string - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - allOf: - - properties: - response: - $ref: '#/components/schemas/Fleet_package_info' - - properties: - savedObject: - type: string - status: - enum: - - installed - - installing - - install_failed - - not_installed - type: string - required: - - status - - savedObject - type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package - tags: - - Elastic Package Manager (EPM) - post: - deprecated: true - description: '' - operationId: install-package-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgkey - required: true - schema: - type: string - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors - schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover - schema: - default: false - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - response: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - response - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Install package - tags: - - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}': - delete: - operationId: delete-package - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: delete package even if policies used by agents - in: query - name: force - schema: - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - deprecated: true - type: object - properties: - force: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package - tags: - - Elastic Package Manager (EPM) - get: - operationId: get-package - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - allOf: - - properties: - item: - $ref: '#/components/schemas/Fleet_package_info' - - properties: - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - licensePath: - type: string - notice: - type: string - savedObject: - deprecated: true - type: object - status: - enum: - - installed - - installing - - install_failed - - not_installed - type: string - required: - - status - - savedObject - type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package - tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - description: Ignore if the package is fails signature verification - in: query - name: ignoreUnverified - schema: - type: boolean - - description: >- - Return all fields from the package manifest, not just those supported - by the Elastic Package Registry - in: query - name: full - schema: - type: boolean - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - post: - description: '' - operationId: install-package - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors - schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover - schema: - default: false - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - ignore_constraints: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _meta: - type: object - properties: - install_source: - enum: - - registry - - upload - - bundled - type: string - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Install package - tags: - - Elastic Package Manager (EPM) - put: - description: '' - operationId: update-package - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - keepPoliciesUpToDate: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}': - get: - operationId: packages-get-file - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - headers: - type: object - statusCode: - type: number - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package file - tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: path - name: filePath - required: true - schema: - type: string - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize': - post: - description: '' - operationId: reauthorize-transforms - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - description: >- - Whether to include prerelease packages in categories count (e.g. - beta, rc, preview) - in: query - name: prerelease - schema: - default: false - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - transforms: - items: - type: object - properties: - transformId: - type: string - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - error: - type: string - success: - type: boolean - transformId: - type: string - required: - - transformId - - error - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Authorize transforms - tags: - - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/stats': - get: - operationId: get-package-stats - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - response: - $ref: '#/components/schemas/Fleet_package_usage_stats' - required: - - response - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package stats - tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - /api/fleet/epm/packages/limited: - get: - operationId: list-limited-packages - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: string - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get limited package list - tags: - - Elastic Package Manager (EPM) - parameters: [] - '/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs': - get: - operationId: get-inputs-template - responses: - '200': - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get inputs template - tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - description: Format of response - json or yaml - in: query - name: format - schema: - enum: - - json - - yaml - - yml - type: string - - description: Specify if version is prerelease - in: query - name: prerelease - schema: - type: boolean - - description: Ignore if the package is fails signature verification - in: query - name: ignoreUnverified - schema: - type: boolean - /api/fleet/epm/verification_key_id: - get: - operationId: packages-get-verification-key-id - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - properties: - id: - description: >- - the key ID of the GPG key used to verify package - signatures - nullable: true - type: string - headers: - type: object - statusCode: - type: number - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package signature verification key ID - tags: - - Elastic Package Manager (EPM) - parameters: [] - /api/fleet/fleet_server_hosts: - get: - operationId: get-fleet-server-hosts - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_fleet_server_host' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List Fleet Server hosts - tags: - - Fleet Server hosts - post: - operationId: post-fleet-server-hosts - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host_urls: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this fleet server host. See - the proxies API for more information. - type: string - required: - - name - - host_urls - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create Fleet Server host - tags: - - Fleet Server hosts - '/api/fleet/fleet_server_hosts/{itemId}': - delete: - operationId: delete-fleet-server-hosts - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete Fleet Server host by ID - tags: - - Fleet Server hosts - get: - operationId: get-one-fleet-server-hosts - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get Fleet Server host by ID - tags: - - Fleet Server hosts - parameters: - - in: path - name: itemId - required: true - schema: - type: string - put: - operationId: update-fleet-server-hosts - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host_urls: - items: - type: string - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this fleet server host. See - the proxies API for more information. - nullable: true - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update Fleet Server host by ID - tags: - - Fleet Server hosts - /api/fleet/health_check: - post: - operationId: fleet-server-health-check - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - deprecated: true - type: string - id: - type: string - required: - - id - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - deprecated: true - type: string - id: - description: Fleet Server host id - type: string - status: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Fleet Server health check - tags: - - Fleet internals - /api/fleet/kubernetes: - get: - operationId: get-full-k8s-manifest - parameters: - - in: query - name: download - required: false - schema: - type: boolean - - in: query - name: fleetServer - required: false - schema: - type: string - - in: query - name: enrolToken - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get full K8s agent manifest - tags: - - Fleet Kubernetes - /api/fleet/logstash_api_keys: - post: - operationId: generate-logstash-api-key - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - api_key: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Generate Logstash API key - tags: - - Fleet outputs - /api/fleet/outputs: - get: - operationId: get-outputs - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_output_create_request' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List outputs - tags: - - Fleet outputs - post: - operationId: post-outputs - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_output_create_request' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_output_create_request' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create output - tags: - - Fleet outputs - '/api/fleet/outputs/{outputId}': - delete: - operationId: delete-output - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete output by ID - tags: - - Fleet outputs - get: - operationId: get-output - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_output_create_request' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get output by ID - tags: - - Fleet outputs - parameters: - - in: path - name: outputId - required: true - schema: - type: string - put: - operationId: update-output - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_output_update_request' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_output_update_request' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update output by ID - tags: - - Fleet outputs - '/api/fleet/outputs/{outputId}/health': - get: - operationId: get-output-health - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: 'state of output, HEALTHY or DEGRADED' - type: string - timestamp: - description: timestamp of reported state - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get latest output health - tags: - - Fleet outputs - parameters: - - in: path - name: outputId - required: true - schema: - type: string - /api/fleet/package_policies: - get: - operationId: get-package-policies - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_format' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_package_policy' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List package policies - tags: - - Fleet package policies - parameters: [] - post: - operationId: create-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_package_policy_request' - description: >- - You should use inputs as an object and not use the deprecated inputs - array. - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '409': - $ref: '#/components/responses/Fleet_error' - summary: Create package policy - tags: - - Fleet package policies - /api/fleet/package_policies/_bulk_get: - post: - operationId: bulk-get-package-policies - parameters: - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_package_policy' - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get package policies - tags: - - Fleet package policies - '/api/fleet/package_policies/{packagePolicyId}': - delete: - operationId: delete-package-policy - parameters: - - in: query - name: force - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package policy by ID - tags: - - Fleet package policies - get: - operationId: get-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_format' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package policy by ID - tags: - - Fleet package policies - parameters: - - in: path - name: packagePolicyId - required: true - schema: - type: string - put: - operationId: update-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_package_policy_request' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update package policy by ID - tags: - - Fleet package policies - /api/fleet/package_policies/delete: - post: - operationId: post-delete-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - packagePolicyIds: - items: - type: string - type: array - required: - - packagePolicyIds - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - type: object - properties: - id: - type: string - name: - type: string - success: - type: boolean - required: - - id - - success - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package policy - tags: - - Fleet package policies - /api/fleet/package_policies/upgrade: - post: - operationId: upgrade-package-policy - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - packagePolicyIds: - items: - type: string - type: array - required: - - packagePolicyIds - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - type: object - properties: - id: - type: string - name: - type: string - success: - type: boolean - required: - - id - - success - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '409': - $ref: '#/components/responses/Fleet_error' - summary: Upgrade package policy to a newer package version - tags: - - Fleet package policies - /api/fleet/package_policies/upgrade/dryrun: - post: - operationId: upgrade-package-policy-dry-run - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - packagePolicyIds: - items: - type: string - type: array - packageVersion: - type: string - required: - - packagePolicyIds - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - type: object - properties: - agent_diff: - $ref: '#/components/schemas/Fleet_upgrade_agent_diff' - diff: - $ref: '#/components/schemas/Fleet_upgrade_diff' - hasErrors: - type: boolean - required: - - hasErrors - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Dry run package policy upgrade - tags: - - Fleet package policies - /api/fleet/proxies: - get: - operationId: get-fleet-proxies - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_proxies' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List proxies - tags: - - Fleet proxies - post: - operationId: post-fleet-proxies - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: - type: string - id: - type: string - name: - type: string - proxy_headers: - type: object - url: - type: string - required: - - name - - url - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_proxies' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create proxy - tags: - - Fleet proxies - '/api/fleet/proxies/{itemId}': - delete: - operationId: delete-fleet-proxies - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete proxy by ID - tags: - - Fleet proxies - get: - operationId: get-one-fleet-proxies - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_proxies' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get proxy by ID - tags: - - Fleet proxies - parameters: - - in: path - name: itemId - required: true - schema: - type: string - put: - operationId: update-fleet-proxies - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: - type: string - name: - type: string - proxy_headers: - type: object - url: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_proxies' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update proxy by ID - tags: - - Fleet proxies - /api/fleet/service_tokens: - post: - operationId: generate-service-token - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - name: - type: string - value: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create service token - tags: - - Fleet service tokens - /api/fleet/service-tokens: - post: - deprecated: true - operationId: generate-service-token-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - name: - type: string - value: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create service token - tags: - - Fleet service tokens - /api/fleet/settings: - get: - operationId: get-settings - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_fleet_settings_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get settings - tags: - - Fleet internals - put: - operationId: update-settings - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - additional_yaml_config: - type: string - delete_unenrolled_agents: - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - fleet_server_hosts: - description: Protocol and path must be the same for each URL - items: - type: string - type: array - has_seen_add_data_notice: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_fleet_settings_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update settings - tags: - - Fleet internals - /api/fleet/setup: - post: - operationId: setup - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_fleet_setup_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - message: - type: string - description: Internal Server Error - summary: Initiate Fleet setup - tags: - - Fleet internals - /api/fleet/uninstall_tokens: - get: - operationId: get-uninstall-tokens - parameters: - - description: The number of items to return - in: query - name: perPage - required: false - schema: - default: 20 - minimum: 5 - type: integer - - $ref: '#/components/parameters/Fleet_page_index' - - description: Partial match filtering for policy IDs - in: query - name: policyId - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - created_at: - type: string - id: - type: string - policy_id: - type: string - required: - - id - - policy_id - - created_at - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List metadata for latest uninstall tokens per agent policy - tags: - - Fleet uninstall tokens - '/api/fleet/uninstall_tokens/{uninstallTokenId}': - get: - operationId: get-uninstall-token - parameters: - - in: path - name: uninstallTokenId - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - type: object - properties: - created_at: - type: string - id: - type: string - policy_id: - type: string - token: - type: string - required: - - id - - token - - policy_id - - created_at - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get one decrypted uninstall token by its ID - tags: - - Fleet uninstall tokens - /api/lists: - delete: - operationId: DeleteList - parameters: - - description: List's `id` value - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - in: query - name: deleteReferences - required: false - schema: - default: false - type: boolean - - in: query - name: ignoreReferences - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Deletes a list - tags: - - Security Lists API - get: - operationId: ReadList - parameters: - - description: List's `id` value - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Retrieves a list using its id field - tags: - - Security Lists API - patch: - operationId: PatchList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - minimum: 1 - type: integer - required: - - id - description: List's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patches a list - tags: - - Security Lists API - post: - operationId: CreateList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - deserializer: - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - serializer: - type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - version: - default: 1 - minimum: 1 - type: integer - required: - - name - - description - - type - description: List's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List already exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Creates a list - tags: - - Security Lists API - put: - operationId: UpdateList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - minimum: 1 - type: integer - required: - - id - - name - - description - description: List's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Updates a list - tags: - - Security Lists API - /api/lists/_find: - get: - operationId: FindLists - parameters: - - description: The page number to return - in: query - name: page - required: false - schema: - type: integer - - description: The number of lists to return per page - in: query - name: per_page - required: false - schema: - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - - description: 'Determines the sort order, which can be `desc` or `asc`' - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - - description: > - Returns the list that come after the last list returned in the - previous call - - (use the cursor value returned in the previous call). This parameter - uses - - the `tie_breaker_id` field to ensure all lists are sorted and - returned correctly. - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. - in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - data: - items: - $ref: '#/components/schemas/Security_Lists_API_List' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Finds lists - tags: - - Security Lists API - /api/lists/index: - delete: - operationId: DeleteListIndex - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Deletes list data streams - tags: - - Security Lists API - get: - operationId: ReadListIndex - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - list_index: - type: boolean - list_item_index: - type: boolean - required: - - list_index - - list_item_index - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream(s) not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get list data stream existence status - tags: - - Security Lists API - post: - operationId: CreateListIndex - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Creates necessary list data streams - tags: - - Security Lists API - /api/lists/items: - delete: - operationId: DeleteListItem - parameters: - - description: Required if `list_id` and `value` are not specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Required if `id` is not specified - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Required if `id` is not specified - in: query - name: value - required: false - schema: - type: string - - description: >- - Determines when changes made by the request are made visible to - search - in: query - name: refresh - required: false - schema: - default: 'false' - enum: - - 'true' - - 'false' - - wait_for - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Deletes a list item - tags: - - Security Lists API - get: - operationId: ReadListItem - parameters: - - description: Required if `list_id` and `value` are not specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Required if `id` is not specified - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Required if `id` is not specified - in: query - name: value - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Gets a list item - tags: - - Security Lists API - patch: - operationId: PatchListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search - enum: - - 'true' - - 'false' - - wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - description: List item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patches a list item - tags: - - Security Lists API - post: - operationId: CreateListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search - enum: - - 'true' - - 'false' - - wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - list_id - - value - description: List item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item already exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Creates a list item - tags: - - Security Lists API - put: - operationId: UpdateListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - value - description: List item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Updates a list item - tags: - - Security Lists API - /api/lists/items/_export: - post: - description: Exports list item values from the specified list - operationId: ExportListItems - parameters: - - description: List's id to export - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - responses: - '200': - content: - application/ndjson; Elastic-Api-Version=2023-10-31: - schema: - description: A `.txt` file containing list items from the specified list - format: binary - type: string - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Exports list items - tags: - - Security Lists API - /api/lists/items/_find: - get: - operationId: FindListItems - parameters: - - description: List's id - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The page number to return - in: query - name: page - required: false - schema: - type: integer - - description: The number of list items to return per page - in: query - name: per_page - required: false - schema: - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - - description: 'Determines the sort order, which can be `desc` or `asc`' - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - - description: > - Returns the list that come after the last list returned in the - previous call - - (use the cursor value returned in the previous call). This parameter - uses - - the `tie_breaker_id` field to ensure all lists are sorted and - returned correctly. - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. - in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - cursor: - $ref: >- - #/components/schemas/Security_Lists_API_FindListItemsCursor - data: - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Finds list items - tags: - - Security Lists API - /api/lists/items/_import: - post: - description: > - Imports a list of items from a `.txt` or `.csv` file. The maximum file - size is 9 million bytes. - - - You can import items to a new or existing list. - operationId: ImportListItems - parameters: - - description: | - List's id. - - Required when importing to an existing list. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: > - Type of the importing list. - - - Required when importing a new list that is `list_id` is not - specified. - in: query - name: type - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListType' - - in: query - name: serializer - required: false - schema: - type: string - - in: query - name: deserializer - required: false - schema: - type: string - - description: >- - Determines when changes made by the request are made visible to - search - in: query - name: refresh - required: false - schema: - enum: - - 'true' - - 'false' - - wait_for - type: string - requestBody: - content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - file: - description: >- - A `.txt` or `.csv` file containing newline separated list - items - format: binary - type: string - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List with specified list_id does not exist response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Imports list items - tags: - - Security Lists API - /api/lists/privileges: - get: - operationId: ReadListPrivileges - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - is_authenticated: - type: boolean - listItems: - $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' - lists: - $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' - required: - - lists - - listItems - - is_authenticated - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Gets list privileges - tags: - - Security Lists API - /api/ml/saved_objects/sync: - get: - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models. This API runs automatically when you start Kibana and - periodically thereafter. - operationId: mlSync - parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync machine learning saved objects - tags: - - ml - /api/note: - delete: - operationId: DeleteNote - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - nullable: true - type: object - properties: - noteId: - type: string - required: - - noteId - - nullable: true - type: object - properties: - noteIds: - items: - type: string - nullable: true - type: array - required: - - noteIds - description: The id of the note to delete. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - type: object - description: Indicates the note was successfully deleted. - summary: Deletes a note from a timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - get: - description: Gets notes - operationId: GetNotes - parameters: - - in: query - name: documentIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - - in: query - name: savedObjectIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - - in: query - name: page - schema: - nullable: true - type: string - - in: query - name: perPage - schema: - nullable: true - type: string - - in: query - name: search - schema: - nullable: true - type: string - - in: query - name: sortField - schema: - nullable: true - type: string - - in: query - name: sortOrder - schema: - nullable: true - type: string - - in: query - name: filter - schema: - nullable: true - type: string - - in: query - name: createdByFilter - schema: - nullable: true - type: string - - in: query - name: associatedFilter - schema: - $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - - type: object - description: Indicates the requested notes were returned. - summary: Get all notes for a given document. - tags: - - Security Timeline API - - 'access:securitySolution' - patch: - operationId: PersistNoteRoute - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - eventDataView: - nullable: true - type: string - eventIngested: - nullable: true - type: string - eventTimestamp: - nullable: true - type: string - note: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - noteId: - nullable: true - type: string - overrideOwner: - nullable: true - type: boolean - version: - nullable: true - type: string - required: - - note - description: The note to persist or update along with additional metadata. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - type: object - properties: - persistNote: - $ref: >- - #/components/schemas/Security_Timeline_API_ResponseNote - required: - - persistNote - required: - - data - description: Indicates the note was successfully created. - summary: Persists a note to a timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/osquery/live_queries: - get: - description: Get a list of all live queries. - operationId: OsqueryFindLiveQueries - parameters: - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryRequestQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get live queries - tags: - - Security Osquery API - post: - description: Create and run a live query. - operationId: OsqueryCreateLiveQuery - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Create a live query - tags: - - Security Osquery API - '/api/osquery/live_queries/{id}': - get: - description: Get the details of a live query using the query ID. - operationId: OsqueryGetLiveQueryDetails - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_Id' - - in: query - name: query - schema: - additionalProperties: true - type: object - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get live query details - tags: - - Security Osquery API - '/api/osquery/live_queries/{id}/results/{actionId}': - get: - description: Get the results of a live query using the query action ID. - operationId: OsqueryGetLiveQueryResults - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_Id' - - in: path - name: actionId - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_Id' - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetLiveQueryResultsRequestQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get live query results - tags: - - Security Osquery API - /api/osquery/packs: - get: - description: Get a list of all query packs. - operationId: OsqueryFindPacks - parameters: - - in: query - name: query - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPacksRequestQuery' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get packs - tags: - - Security Osquery API - post: - description: Create a query pack. - operationId: OsqueryCreatePacks - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Create a pack - tags: - - Security Osquery API - '/api/osquery/packs/{id}': - delete: - description: Delete a query pack using the pack ID. - operationId: OsqueryDeletePacks - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Delete a pack - tags: - - Security Osquery API - get: - description: Get the details of a query pack using the pack ID. - operationId: OsqueryGetPacksDetails - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get pack details - tags: - - Security Osquery API - put: - description: | - Update a query pack using the pack ID. - > info - > You cannot update a prebuilt pack. - operationId: OsqueryUpdatePacks - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Update a pack - tags: - - Security Osquery API - /api/osquery/saved_queries: - get: - description: Get a list of all saved queries. - operationId: OsqueryFindSavedQueries - parameters: - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryRequestQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get saved queries - tags: - - Security Osquery API - post: - description: Create and run a saved query. - operationId: OsqueryCreateSavedQuery - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Create a saved query - tags: - - Security Osquery API - '/api/osquery/saved_queries/{id}': - delete: - description: Delete a saved query using the query ID. - operationId: OsqueryDeleteSavedQuery - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Delete a saved query - tags: - - Security Osquery API - get: - description: Get the details of a saved query using the query ID. - operationId: OsqueryGetSavedQueryDetails - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get saved query details - tags: - - Security Osquery API - put: - description: | - Update a saved query using the query ID. - > info - > You cannot update a prebuilt saved query. - operationId: OsqueryUpdateSavedQuery - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Update a saved query - tags: - - Security Osquery API - /api/pinned_event: - patch: - operationId: PersistPinnedEventRoute - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - eventId: - type: string - pinnedEventId: - nullable: true - type: string - timelineId: - type: string - required: - - eventId - - timelineId - description: The pinned event to persist or update along with additional metadata. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - type: object - properties: - persistPinnedEventOnTimeline: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse - required: - - persistPinnedEventOnTimeline - required: - - data - description: Indicate the event was successfully pinned in the timeline. - summary: Persists a pinned event to a timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/risk_score/engine/dangerously_delete_data: - delete: - description: >- - Cleaning up the the Risk Engine by removing the indices, mapping and - transforms - operationId: CleanUpRiskEngine - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse - description: Unexpected error - summary: Cleanup the Risk Engine - tags: - - Security Entity Analytics API - /api/risk_score/engine/schedule_now: - post: - operationId: ScheduleRiskEngineNow - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: {} - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse - description: Unexpected error - summary: Schedule the risk engine to run as soon as possible - tags: - - Security Entity Analytics API - /api/saved_objects/_export: - post: - description: > - Retrieve sets of saved objects that you want to import into Kibana. - - You must include `type` or `objects` in the request body. - - - Exported saved objects are not backwards compatible and cannot be - imported into an older version of Kibana. - - - NOTE: The `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be exported. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: exportSavedObjectsDefault - parameters: - - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - exportSavedObjectsRequest: - $ref: >- - #/components/examples/Serverless_saved_objects_export_objects_request - schema: - type: object - properties: - excludeExportDetails: - default: false - description: Do not add export details entry at the end of the stream. - type: boolean - includeReferencesDeep: - description: >- - Includes all of the referenced objects in the exported - objects. - type: boolean - objects: - description: A list of objects to export. - items: - type: object - type: array - type: - description: >- - The saved object types to include in the export. Use `*` to - export all the types. - oneOf: - - type: string - - items: - type: string - type: array - required: true - responses: - '200': - content: - application/x-ndjson; Elastic-Api-Version=2023-10-31: - examples: - exportSavedObjectsResponse: - $ref: >- - #/components/examples/Serverless_saved_objects_export_objects_response - schema: - additionalProperties: true - type: object - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Serverless_saved_objects_400_response' - description: Bad request. - summary: Export saved objects - tags: - - saved objects - /api/saved_objects/_import: - post: - description: > - Create sets of Kibana saved objects from a file created by the export - API. - - Saved objects can be imported only into the same version, a newer minor - on the same major, or the next major. Exported saved objects are not - backwards compatible and cannot be imported into an older version of - Kibana. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: importSavedObjectsDefault - parameters: - - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' - - description: > - Creates copies of saved objects, regenerates each object ID, and - resets the origin. When used, potential conflict errors are avoided. - NOTE: This option cannot be used with the `overwrite` and - `compatibilityMode` options. - in: query - name: createNewCopies - required: false - schema: - type: boolean - - description: > - Overwrites saved objects when they already exist. When used, - potential conflict errors are automatically resolved by overwriting - the destination object. NOTE: This option cannot be used with the - `createNewCopies` option. - in: query - name: overwrite - required: false - schema: - type: boolean - - description: > - Applies various adjustments to the saved objects that are being - imported to maintain compatibility between different Kibana - versions. Use this option only if you encounter issues with imported - saved objects. NOTE: This option cannot be used with the - `createNewCopies` option. - in: query - name: compatibilityMode - required: false - schema: - type: boolean - requestBody: - content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - examples: - importObjectsRequest: - $ref: >- - #/components/examples/Serverless_saved_objects_import_objects_request - schema: - type: object - properties: - file: - description: > - A file exported using the export API. NOTE: The - `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be included in - this file. Similarly, the - `savedObjects.maxImportPayloadBytes` setting limits the - overall size of the file that can be imported. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - importObjectsResponse: - $ref: >- - #/components/examples/Serverless_saved_objects_import_objects_response - schema: - type: object - properties: - errors: - description: > - Indicates the import was unsuccessful and specifies the - objects that failed to import. - - - NOTE: One object may result in multiple errors, which - requires separate steps to resolve. For instance, a - `missing_references` error and conflict error. - items: - type: object - type: array - success: - description: > - Indicates when the import was successfully completed. When - set to false, some objects may not have been created. For - additional information, refer to the `errors` and - `successResults` properties. - type: boolean - successCount: - description: Indicates the number of successfully imported records. - type: integer - successResults: - description: > - Indicates the objects that are successfully imported, with - any metadata if applicable. - - - NOTE: Objects are created only when all resolvable errors - are addressed, including conflicts and missing references. - If objects are created as new copies, each entry in the - `successResults` array includes a `destinationId` - attribute. - items: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Serverless_saved_objects_400_response' - description: Bad request. - summary: Import saved objects - tags: - - saved objects - x-codeSamples: - - label: Import with createNewCopies - lang: cURL - source: | - curl \ - -X POST api/saved_objects/_import?createNewCopies=true - -H "kbn-xsrf: true" - --form file=@file.ndjson - /api/security_ai_assistant/anonymization_fields/_bulk_action: - post: - description: >- - Apply a bulk action to multiple anonymization fields. The bulk action is - applied to all anonymization fields that match the filter or to the list - of anonymization fields by their IDs. - operationId: PerformAnonymizationFieldsBulkAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - create: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps - type: array - delete: - type: object - properties: - ids: - description: Array of anonymization fields IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter anonymization fields - type: string - update: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Apply a bulk action to anonymization fields - tags: - - Security AI Assistant API - - Bulk API - /api/security_ai_assistant/anonymization_fields/_find: - get: - description: Get a list of all anonymization fields. - operationId: FindAnonymizationFields - parameters: - - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: AnonymizationFields per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get anonymization fields - tags: - - Security AI Assistant API - - AnonymizationFields API - /api/security_ai_assistant/chat/complete: - post: - description: Create a model response for the given chat conversation. - operationId: ChatComplete - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' - required: true - responses: - '200': - content: - application/octet-stream; Elastic-Api-Version=2023-10-31: - schema: - format: binary - type: string - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Create a model response - tags: - - Security AI Assistant API - - Chat Complete API - /api/security_ai_assistant/current_user/conversations: - post: - description: Create a new Security AI Assistant conversation. - operationId: CreateConversation - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Create a conversation - tags: - - Security AI Assistant API - - Conversation API - /api/security_ai_assistant/current_user/conversations/_find: - get: - description: Get a list of all conversations for the current user. - operationId: FindConversations - parameters: - - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Conversations per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get conversations - tags: - - Security AI Assistant API - - Conversations API - '/api/security_ai_assistant/current_user/conversations/{id}': - delete: - description: Delete an existing conversation using the conversation ID. - operationId: DeleteConversation - parameters: - - description: The conversation's `id` value. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Delete a conversation - tags: - - Security AI Assistant API - - Conversation API - get: - description: Get the details of an existing conversation using the conversation ID. - operationId: ReadConversation - parameters: - - description: The conversation's `id` value. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get a conversation - tags: - - Security AI Assistant API - - Conversations API - put: - description: Update an existing conversation using the conversation ID. - operationId: UpdateConversation - parameters: - - description: The conversation's `id` value. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Update a conversation - tags: - - Security AI Assistant API - - Conversation API - /api/security_ai_assistant/prompts/_bulk_action: - post: - description: >- - Apply a bulk action to multiple prompts. The bulk action is applied to - all prompts that match the filter or to the list of prompts by their - IDs. - operationId: PerformPromptsBulkAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - create: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptCreateProps - type: array - delete: - type: object - properties: - ids: - description: Array of prompts IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter promps - type: string - update: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Apply a bulk action to prompts - tags: - - Security AI Assistant API - - Bulk API - /api/security_ai_assistant/prompts/_find: - get: - description: Get a list of all prompts. - operationId: FindPrompts - parameters: - - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Prompts per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get prompts - tags: - - Security AI Assistant API - - Prompts API - /api/timeline: - delete: - operationId: DeleteTimelines - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - savedObjectIds: - items: - type: string - type: array - searchIds: - description: >- - Saved search ids that should be deleted alongside the - timelines - items: - type: string - type: array - required: - - savedObjectIds - description: The ids of the timelines or timeline templates to delete. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - type: object - properties: - deleteTimeline: - type: boolean - required: - - deleteTimeline - required: - - data - description: Indicates the timeline was successfully deleted. - summary: Deletes one or more timelines or timeline templates. - tags: - - Security Timeline API - - 'access:securitySolution' - get: - operationId: GetTimeline - parameters: - - description: The ID of the template timeline to retrieve - in: query - name: template_timeline_id - schema: - type: string - - description: The ID of the timeline to retrieve - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - type: object - properties: - data: - type: object - properties: - getOneTimeline: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineResponse - required: - - getOneTimeline - required: - - data - - additionalProperties: false - type: object - description: Indicates that the (template) timeline was found and returned. - summary: >- - Get an existing saved timeline or timeline template. This API is used to - retrieve an existing saved timeline or timeline template. - tags: - - Security Timeline API - - 'access:securitySolution' - patch: - description: >- - Updates an existing timeline. This API is used to update the title, - description, date range, pinned events, pinned queries, and/or pinned - saved queries of an existing timeline. - operationId: PatchTimeline - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - nullable: true - type: string - version: - nullable: true - type: string - required: - - timelineId - - version - - timeline - description: The timeline updates along with the timeline ID and version. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: >- - Indicates that the draft timeline was successfully created. In the - event the user already has a draft timeline, the existing draft - timeline is cleared and returned. - '405': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates that the user does not have the required access to create - a draft timeline. - summary: Updates an existing timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - post: - operationId: CreateTimelines - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - version: - nullable: true - type: string - required: - - timeline - description: >- - The required timeline fields used to create a new timeline along with - optional fields that will be created if not provided. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates the timeline was successfully created. - '405': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Indicates that there was an error in the timeline creation. - summary: Creates a new timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_copy: - get: - description: | - Copies and returns a timeline or timeline template. - operationId: CopyTimeline - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineIdToCopy: - type: string - required: - - timeline - - timelineIdToCopy - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates that the timeline has been successfully copied. - summary: Copies timeline or timeline template - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_draft: - get: - operationId: GetDraftTimelines - parameters: - - in: query - name: timelineType - required: true - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates that the draft timeline was successfully retrieved. - '403': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - If a draft timeline was not found and we attempted to create one, it - indicates that the user does not have the required permissions to - create a draft timeline. - '409': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - This should never happen, but if a draft timeline was not found and - we attempted to create one, it indicates that there is already a - draft timeline with the given timelineId. - summary: >- - Retrieves the draft timeline for the current user. If the user does not - have a draft timeline, an empty timeline is returned. - tags: - - Security Timeline API - - 'access:securitySolution' - post: - description: > - Retrieves a clean draft timeline. If a draft timeline does not exist, it - is created and returned. - operationId: CleanDraftTimelines - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - required: - - timelineType - description: >- - The type of timeline to create. Valid values are `default` and - `template`. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: >- - Indicates that the draft timeline was successfully created. In the - event the user already has a draft timeline, the existing draft - timeline is cleared and returned. - '403': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that the user does not have the required permissions to - create a draft timeline. - '409': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that there is already a draft timeline with the given - timelineId. - summary: Retrieves a draft timeline or timeline template. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_export: - post: - operationId: ExportTimelines - parameters: - - description: The name of the file to export - in: query - name: file_name - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - ids: - items: - type: string - nullable: true - type: array - description: The ids of the timelines to export - required: true - responses: - '200': - content: - application/ndjson; Elastic-Api-Version=2023-10-31: - schema: - description: NDJSON of the exported timelines - type: string - description: Indicates the timelines were successfully exported - '400': - content: - application/ndjson; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Indicates that the export size limit was exceeded - summary: Exports timelines as an NDJSON file - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_favorite: - patch: - operationId: PersistFavoriteRoute - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineId: - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - required: - - timelineId - - templateTimelineId - - templateTimelineVersion - - timelineType - description: The required fields used to favorite a (template) timeline. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - type: object - properties: - persistFavorite: - $ref: >- - #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse - required: - - persistFavorite - required: - - data - description: Indicates the favorite status was successfully updated. - '403': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the user does not have the required permissions to persist - the favorite status. - summary: Persists a given users favorite status of a timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_import: - post: - operationId: ImportTimelines - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - file: {} - isImmutable: - enum: - - 'true' - - 'false' - type: string - required: - - file - description: The timelines to import as a readable stream. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates the import of timelines was successful. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - id: - type: string - statusCode: - type: number - description: >- - Indicates the import of timelines was unsuccessful because of an - invalid file extension. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - statusCode: - type: number - description: >- - Indicates that we were unable to locate the saved object client - necessary to handle the import. - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - id: - type: string - statusCode: - type: number - description: Indicates the import of timelines was unsuccessful. - summary: Imports timelines. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_prepackaged: - post: - operationId: InstallPrepackedTimelines - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - prepackagedTimelines: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - nullable: true - type: array - timelinesToInstall: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - timelinesToUpdate: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - required: - - timelinesToInstall - - timelinesToUpdate - - prepackagedTimelines - description: The timelines to install or update. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates the installation of prepackaged timelines was successful. - '500': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the installation of prepackaged timelines was - unsuccessful. - summary: Installs prepackaged timelines. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/resolve: - get: - operationId: ResolveTimeline - parameters: - - description: The ID of the template timeline to resolve - in: query - name: template_timeline_id - schema: - type: string - - description: The ID of the timeline to resolve - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - type: object - properties: - data: - $ref: >- - #/components/schemas/Security_Timeline_API_ResolvedTimeline - required: - - data - - additionalProperties: false - type: object - description: The (template) timeline has been found - '400': - description: The request is missing parameters - '404': - description: The (template) timeline was not found - summary: Get an existing saved timeline or timeline template. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timelines: - get: - operationId: GetTimelines - parameters: - - description: >- - If true, only timelines that are marked as favorites by the user are - returned. - in: query - name: only_user_favorite - schema: - enum: - - 'true' - - 'false' - nullable: true - type: string - - in: query - name: timeline_type - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - - in: query - name: sort_field - schema: - $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - - in: query - name: sort_order - schema: - enum: - - asc - - desc - type: string - - in: query - name: page_size - schema: - nullable: true - type: string - - in: query - name: page_index - schema: - nullable: true - type: string - - in: query - name: search - schema: - nullable: true - type: string - - in: query - name: status - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - customTemplateTimelineCount: - type: number - defaultTimelineCount: - type: number - elasticTemplateTimelineCount: - type: number - favoriteCount: - type: number - templateTimelineCount: - type: number - timeline: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineResponse - type: array - totalCount: - type: number - required: - - timeline - - totalCount - description: Indicates that the (template) timelines were found and returned. - '400': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Bad request. The user supplied invalid data. - summary: >- - This API is used to retrieve a list of existing saved timelines or - timeline templates. - tags: - - Security Timeline API - - 'access:securitySolution' - '/s/{spaceId}/api/observability/slos': - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: findSlosOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: A valid kql query to filter the SLO with - example: 'slo.name:latency* and slo.tags : "prod"' - in: query - name: kqlQuery - schema: - type: string - - description: 'The page to use for pagination, must be greater or equal than 1' - example: 1 - in: query - name: page - schema: - default: 1 - type: integer - - description: Number of SLOs returned by page - example: 25 - in: query - name: perPage - schema: - default: 25 - maximum: 5000 - type: integer - - description: Sort by field - example: status - in: query - name: sortBy - schema: - default: status - enum: - - sli_value - - status - - error_budget_consumed - - error_budget_remaining - type: string - - description: Sort order - example: asc - in: query - name: sortDirection - schema: - default: asc - enum: - - asc - - desc - type: string - - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings - in: query - name: hideStale - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_find_slo_response' - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get a paginated list of SLOs - tags: - - slo - post: - description: > - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: createSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_create_slo_request' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_create_slo_response' - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_409_response' - description: Conflict - The SLO id already exists - servers: - - url: 'https://localhost:5601' - summary: Create an SLO - tags: - - slo - '/s/{spaceId}/api/observability/slos/_delete_instances': - post: - description: > - The deletion occurs for the specified list of `sloId` and `instanceId`. - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloInstancesOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_delete_slo_instances_request' - required: true - responses: - '204': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - servers: - - url: 'https://localhost:5601' - summary: Batch delete rollup and summary data - tags: - - slo - '/s/{spaceId}/api/observability/slos/{sloId}': - delete: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Delete an SLO - tags: - - slo - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: getSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - - description: the specific instanceId used by the summary calculation - example: host-abcde - in: query - name: instanceId - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get an SLO - tags: - - slo - put: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: updateSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_update_slo_request' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Update an SLO - tags: - - slo - '/s/{spaceId}/api/observability/slos/{sloId}/_reset': - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: resetSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Reset an SLO - tags: - - slo - '/s/{spaceId}/api/observability/slos/{sloId}/disable': - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: disableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '200': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Disable an SLO - tags: - - slo - '/s/{spaceId}/api/observability/slos/{sloId}/enable': - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: enableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Enable an SLO - tags: - - slo -components: - examples: - Data_views_create_data_view_request: - summary: Create a data view with runtime fields. - value: - data_view: - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - script: - source: 'emit(doc[''shape_name''].value)' - type: keyword - title: logstash-* - Data_views_create_runtime_field_request: - summary: Create a runtime field. - value: - name: runtimeFoo - runtimeField: - script: - source: 'emit(doc["foo"].value)' - type: long - Data_views_get_data_view_response: - summary: >- - The get data view API returns a JSON object that contains information - about the data view. - value: - data_view: - allowNoIndex: false - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - count: 1 - fieldFormats: - products.base_price: - id: number - params: - pattern: '$0,0.00' - products.base_unit_price: - id: number - params: - pattern: '$0,0.00' - products.min_price: - id: number - params: - pattern: '$0,0.00' - products.price: - id: number - params: - pattern: '$0,0.00' - products.taxful_price: - id: number - params: - pattern: '$0,0.00' - products.taxless_price: - id: number - params: - pattern: '$0,0.00' - taxful_total_price: - id: number - params: - pattern: '$0,0.[00]' - taxless_total_price: - id: number - params: - pattern: '$0,0.00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: category - type: string - currency: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: currency - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_birth_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: customer_birth_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - customer_first_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_first_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_first_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_first_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_first_name - type: string - customer_full_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_full_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_full_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_full_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_full_name - type: string - customer_gender: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_gender - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_last_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_last_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_last_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_last_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_last_name - type: string - customer_phone: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_phone - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - day_of_week: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: day_of_week - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - day_of_week_i: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: day_of_week_i - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - email: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: email - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - event.dataset: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: event.dataset - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.city_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.city_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.continent_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.continent_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.country_iso_code: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.country_iso_code - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.location: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: geoip.location - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - geoip.region_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.region_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - manufacturer: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: manufacturer - type: string - order_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: order_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - order_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: order_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - products._id: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products._id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products._id.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products._id.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products._id - type: string - products.base_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.base_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.base_unit_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.base_unit_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products.category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.category - type: string - products.created_on: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: products.created_on - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - products.discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.discount_percentage: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_percentage - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.manufacturer: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.manufacturer - type: string - products.min_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.min_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.price: - aggregatable: true - count: 1 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_id: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - isMapped: true - name: products.product_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_name: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.product_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.product_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.product_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.product_name - type: string - products.quantity: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: products.quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.tax_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.tax_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxful_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.taxful_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxless_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.taxless_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.unit_discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.unit_discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - taxful_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.[00]' - isMapped: true - name: taxful_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - taxless_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: taxless_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_quantity: - aggregatable: true - count: 1 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_unique_products: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_unique_products - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - type: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: type - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - user: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: user - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - runtimeFieldMap: {} - sourceFilters: [] - timeFieldName: order_date - title: kibana_sample_data_ecommerce - typeMeta: {} - version: WzUsMV0= - Data_views_get_data_views_response: - summary: The get all data views API returns a list of data views. - value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - namespaces: - - default - title: kibana_sample_data_flights - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: Kibana Sample Data Logs - namespaces: - - default - title: kibana_sample_data_logs - Data_views_get_default_data_view_response: - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_get_runtime_field_response: - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). - value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: - AvgTicketPrice: - id: number - params: - pattern: '$0,0.[00]' - hour_of_day: - id: number - params: - pattern: '00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - AvgTicketPrice: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - params: - pattern: '$0,0.[00]' - isMapped: true - name: AvgTicketPrice - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - Cancelled: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: Cancelled - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - Carrier: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Carrier - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - dayOfWeek: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: dayOfWeek - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - Dest: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Dest - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: DestLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - DestRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DistanceKilometers: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceKilometers - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - DistanceMiles: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceMiles - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelay: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: FlightDelay - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - FlightDelayMin: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: FlightDelayMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelayType: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightDelayType - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightNum: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightNum - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeHour: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightTimeHour - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeMin: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: FlightTimeMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - hour_of_day: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - params: - pattern: '00' - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: 'emit(doc[''timestamp''].value.getHour());' - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Origin: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Origin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: OriginLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - OriginRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - timestamp: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: timestamp - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - runtimeFieldMap: - hour_of_day: - script: - source: 'emit(doc[''timestamp''].value.getHour());' - type: long - sourceFilters: [] - timeFieldName: timestamp - title: kibana_sample_data_flights - version: WzM2LDJd - fields: - - aggregatable: true - count: 0 - esTypes: - - long - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: 'emit(doc[''timestamp''].value.getHour());' - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Data_views_preview_swap_data_view_request: - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Data_views_set_default_data_view_request: - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_swap_data_view_request: - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. - value: - delete: true - fromId: abcd-efg - toId: xyz-123 - Data_views_update_data_view_request: - summary: Update some properties for a data view. - value: - data_view: - allowNoIndex: false - name: Kibana Sample Data eCommerce - timeFieldName: order_date - title: kibana_sample_data_ecommerce - refresh_fields: true - Data_views_update_field_metadata_request: - summary: Update metadata for multiple fields. - value: - fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customDescription: Field 2 description - customLabel: Field 2 label - Data_views_update_runtime_field_request: - summary: Update an existing runtime field on a data view. - value: - runtimeField: - script: - source: 'emit(doc["bar"].value)' - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. - value: - datafeedsAdded: {} - datafeedsRemoved: {} - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - Serverless_saved_objects_export_objects_request: - summary: Export a specific saved object. - value: - excludeExportDetails: true - includeReferencesDeep: false - objects: - - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - type: map - Serverless_saved_objects_export_objects_response: - summary: >- - The export objects API response contains a JSON record for each exported - object. - value: - attributes: - description: '' - layerListJSON: >- - [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total - Requests by - Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web - logs - count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual - Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total - Requests and - Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web - logs - count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] - mapStateJSON: >- - {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} - title: '[Logs] Total Requests and Bytes' - uiStateJSON: '{"isDarkMode":false}' - coreMigrationVersion: 8.8.0 - created_at: '2023-08-23T20:03:32.204Z' - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - managed: false - references: - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_1_join_0_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_2_source_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_3_source_index_pattern - type: index-pattern - type: map - typeMigrationVersion: 8.4.0 - updated_at: '2023-08-23T20:03:32.204Z' - version: WzEzLDFd - Serverless_saved_objects_import_objects_request: - value: - file: file.ndjson - Serverless_saved_objects_import_objects_response: - summary: >- - The import objects API response indicates a successful import and the - objects are created. Since these objects are created as new copies, each - entry in the successResults array includes a destinationId attribute. - value: - success: true - successCount: 1 - successResults: - - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - managed: false - meta: - icon: indexPatternApp - title: Kibana Sample Data Logs - type: index-pattern - parameters: - Data_views_field_name: - description: The name of the runtime field. - in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. - in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Fleet_format: - description: Simplified or legacy format for package inputs - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - Fleet_kbn_xsrf: - description: Kibana's anti Cross-Site Request Forgery token. Can be any string value. - in: header - name: kbn-xsrf - required: true - schema: - type: string - Fleet_kuery: - in: query - name: kuery - required: false - schema: - type: string - Fleet_page_index: - in: query - name: page - required: false - schema: - default: 1 - type: integer - Fleet_page_size: - description: The number of items to return - in: query - name: perPage - required: false - schema: - default: 20 - type: integer - Fleet_show_inactive: - in: query - name: showInactive - required: false - schema: - type: boolean - Fleet_show_upgradeable: - in: query - name: showUpgradeable - required: false - schema: - type: boolean - Fleet_sort_field: - in: query - name: sortField - required: false - schema: - deprecated: true - type: string - Fleet_sort_order: - in: query - name: sortOrder - required: false - schema: - enum: - - asc - - desc - type: string - Fleet_with_metrics: - description: 'Return agent metrics, false by default' - in: query - name: withMetrics - required: false - schema: - type: boolean - Machine_learning_APIs_simulateParam: - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - Serverless_saved_objects_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - in: path - name: spaceId - required: true - schema: - example: default - type: string - responses: - Fleet_error: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - schemas: - Data_views_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request - type: string - message: - type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - Data_views_404_response: - type: object - properties: - error: - enum: - - Not Found - example: Not Found - type: string - message: - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found - type: string - statusCode: - enum: - - 404 - example: 404 - type: integer - Data_views_allownoindex: - description: Allows the data view saved object to exist before the data is available. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request - type: object - properties: - data_view: - description: The data view object. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: - type: string - required: - - title - override: - default: false - description: >- - Override an existing data view if a data view with the provided - title already exists. - type: boolean - required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd - type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. - type: object - properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. - maxLength: 300 - type: string - customLabel: - description: Custom label for the field. - type: string - Data_views_fieldformats: - description: A map of field formats by field name. - type: object - Data_views_namespaces: - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. - type: object - properties: - script: - type: object - properties: - source: - description: Script for the runtime field. - type: string - type: - description: Mapping type of the runtime field. - type: string - required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. - items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request - type: object - properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. - oneOf: - - type: string - - items: - type: string - type: array - forType: - description: Limit the affected saved objects by type. - type: string - fromId: - description: The saved object reference to change. - type: string - fromType: - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. - type: string - toId: - description: New saved object reference value to replace the old value. - type: string - required: - - fromId - - toId - Data_views_timefieldname: - description: 'The timestamp field name, which you use for time-based data views.' - type: string - Data_views_title: - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). - type: string - Data_views_type: - description: 'When set to `rollup`, identifies the rollup data views.' - type: string - Data_views_typemeta: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - required: - - aggs - - params - Data_views_typemeta_response: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - Data_views_update_data_view_request_object: - title: Update data view request - type: object - properties: - data_view: - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - name: - type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - default: false - description: Reloads the data view fields after the data view is updated. - type: boolean - required: - - data_view - Fleet_agent: - title: Agent - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - components: - items: - $ref: '#/components/schemas/Fleet_agent_component' - type: array - default_api_key: - type: string - default_api_key_id: - type: string - enrolled_at: - type: string - id: - type: string - last_checkin: - type: string - local_metadata: - $ref: '#/components/schemas/Fleet_agent_metadata' - metrics: - type: object - properties: - cpu_avg: - description: >- - Average agent CPU usage during the last 5 minutes, number - between 0-1 - type: number - memory_size_byte_avg: - description: Average agent memory consumption during the last 5 minutes - type: number - policy_id: - type: string - policy_revision: - type: number - status: - $ref: '#/components/schemas/Fleet_agent_status' - type: - $ref: '#/components/schemas/Fleet_agent_type' - unenrolled_at: - type: string - unenrollment_started_at: - type: string - user_provided_metadata: - $ref: '#/components/schemas/Fleet_agent_metadata' - required: - - type - - active - - enrolled_at - - id - - status - Fleet_agent_action: - oneOf: - - properties: - ack_data: - type: string - data: - type: string - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - - properties: - data: - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - type: - type: string - title: Agent action - Fleet_agent_component: - title: Agent component - type: object - properties: - id: - type: string - message: - type: string - status: - $ref: '#/components/schemas/Fleet_agent_component_status' - type: - type: string - units: - items: - $ref: '#/components/schemas/Fleet_agent_component_unit' - type: array - Fleet_agent_component_status: - enum: - - starting - - configuring - - healthy - - degraded - - failed - - stopping - - stopped - title: Agent component status - type: string - Fleet_agent_component_unit: - title: Agent component unit - type: object - properties: - id: - type: string - message: - type: string - payload: - type: object - status: - $ref: '#/components/schemas/Fleet_agent_component_status' - type: - $ref: '#/components/schemas/Fleet_agent_component_unit_type' - Fleet_agent_component_unit_type: - enum: - - input - - output - title: Agent component unit type - type: string - Fleet_agent_diagnostics: - title: Agent diagnostics - type: object - properties: - actionId: - type: string - createTime: - type: string - filePath: - type: string - id: - type: string - name: - type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - IN_PROGRESS - required: - - id - - name - - createTime - - filePath - - actionId - - status - Fleet_agent_get_by_actions: - items: - items: - type: string - type: array - title: Agents get by action ids - type: array - Fleet_agent_metadata: - title: Agent metadata - type: object - Fleet_agent_policy: - title: Agent Policy - type: object - properties: - advanced_settings: - description: >- - Advanced settings stored in the agent policy, e.g. - agent_limits_go_max_procs - nullable: true - type: object - agent_features: - items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - type: array - agents: - type: number - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object - type: array - id: - type: string - inactivity_timeout: - type: integer - is_protected: - description: >- - Indicates whether the agent policy has tamper protection enabled. - Default false. - type: boolean - keep_monitoring_alive: - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled - nullable: true - type: boolean - monitoring_diagnostics: - type: object - properties: - limit: - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - metrics - - logs - type: string - type: array - monitoring_http: - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - required: - - enabled - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - type: string - namespace: - type: string - overrides: - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_policies: - description: >- - This field is present only when retrieving a single agent policy, or - when retrieving a list of agent policies with the ?full=true - parameter - items: - $ref: '#/components/schemas/Fleet_package_policy' - type: array - revision: - type: number - supports_agentless: - description: >- - Indicates whether the agent policy supports agentless integrations. - Only allowed in a serverless environment. - type: boolean - unenroll_timeout: - type: integer - unprivileged_agents: - type: number - updated_by: - type: string - updated_on: - format: date-time - type: string - required: - - id - - status - - name - - namespace - Fleet_agent_policy_create_request: - title: Create agent policy request - type: object - properties: - agent_features: - items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - type: array - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - description: Force agent policy creation even if packages are not verified. - type: boolean - global_data_tags: - items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object - type: array - id: - type: string - inactivity_timeout: - type: integer - is_protected: - type: boolean - monitoring_enabled: - items: - enum: - - metrics - - logs - type: string - type: array - monitoring_output_id: - nullable: true - type: string - name: - type: string - namespace: - type: string - unenroll_timeout: - type: integer - required: - - name - - namespace - Fleet_agent_policy_full: - oneOf: - - type: object - properties: - item: - type: string - - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_full_agent_policy' - title: Agent policy full response - type: object - Fleet_agent_policy_update_request: - title: Update agent policy request - type: object - properties: - agent_features: - items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - type: array - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - description: Force agent policy creation even if packages are not verified. - type: boolean - global_data_tags: - items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object - type: array - inactivity_timeout: - type: integer - is_protected: - type: boolean - monitoring_enabled: - items: - enum: - - metrics - - logs - type: string - type: array - monitoring_output_id: - nullable: true - type: string - name: - type: string - namespace: - type: string - unenroll_timeout: - type: integer - required: - - name - - namespace - Fleet_agent_status: - enum: - - offline - - error - - online - - inactive - - warning - title: Elastic Agent status - type: string - Fleet_agent_type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - title: Agent type - type: string - Fleet_bulk_install_packages_response: - title: Bulk install packages response - type: object - properties: - items: - items: - type: object - properties: - name: - type: string - version: - type: string - type: array - response: - deprecated: true - items: - type: object - properties: - name: - type: string - version: - type: string - type: array - required: - - items - Fleet_bulk_upgrade_agents: - title: Bulk upgrade agents - type: object - properties: - agents: - oneOf: - - description: 'KQL query string, leave empty to action all agents' - type: string - - description: list of agent IDs - items: - type: string - type: array - force: - description: 'Force upgrade, skipping validation (should be used with caution)' - type: boolean - rollout_duration_seconds: - description: rolling upgrade window duration in seconds - type: number - skipRateLimitCheck: - description: Skip rate limit check for upgrade - type: boolean - source_uri: - description: alternative upgrade binary download url - type: string - start_time: - description: start time of upgrade in ISO 8601 format - type: string - version: - description: version to upgrade to - type: string - required: - - agents - - version - Fleet_data_stream: - title: Data stream - type: object - properties: - dashboard: - items: - type: object - properties: - id: - type: string - title: - type: string - type: array - dataset: - type: string - index: - type: string - last_activity_ms: - type: number - namespace: - type: string - package: - type: string - package_version: - type: string - size_in_bytes: - type: number - size_in_bytes_formatted: - type: string - type: - type: string - Fleet_download_sources: - title: Download Source - type: object - properties: - host: - type: string - id: - type: string - is_default: - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the proxies - API for more information. - nullable: true - type: string - required: - - is_default - - name - - host - Fleet_elasticsearch_asset_type: - enum: - - component_template - - ingest_pipeline - - index_template - - ilm_policy - - transform - - data_stream_ilm_policy - title: Elasticsearch asset type - type: string - Fleet_enrollment_api_key: - title: Enrollment API key - type: object - properties: - active: - description: >- - When false, the enrollment API key is revoked and cannot be used for - enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. - type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - Fleet_fleet_server_host: - title: Fleet Server Host - type: object - properties: - host_urls: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - proxy_id: - type: string - required: - - fleet_server_hosts - - id - - is_default - - is_preconfigured - - host_urls - Fleet_fleet_settings_response: - title: Fleet settings response - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_settings' - required: - - item - Fleet_fleet_setup_response: - title: Fleet Setup response - type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - type: array - required: - - isInitialized - - nonFatalErrors - Fleet_fleet_status_response: - title: Fleet status response - type: object - properties: - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - type: array - missing_requirements: - items: - enum: - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - type: array - package_verification_key_id: - type: string - required: - - isReady - - missing_requirements - - missing_optional_features - Fleet_full_agent_policy: - title: Full agent policy - type: object - properties: - agent: - nullable: true - type: string - fleet: - oneOf: - - type: object - properties: - hosts: - items: - type: string - type: array - proxy_headers: {} - proxy_url: - type: string - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - - type: object - properties: - kibana: - type: object - properties: - hosts: - items: - type: string - type: array - path: - type: string - protocol: - type: string - id: - type: string - inputs: - type: string - monitoring: - type: object - properties: - diagnostics: - type: object - properties: - limit: - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: - type: boolean - http: - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - required: - - enabled - logs: - type: boolean - metrics: - type: boolean - namespace: - type: string - pprof: - type: object - properties: - enabled: - type: boolean - required: - - enabled - traces: - type: boolean - use_output: - type: string - required: - - enabled - - metrics - - logs - - traces - output_permissions: - additionalProperties: - type: object - properties: - data: - $ref: >- - #/components/schemas/Fleet_full_agent_policy_output_permissions - output: - type: integer - type: object - outputs: - additionalProperties: - $ref: '#/components/schemas/Fleet_full_agent_policy_output' - type: object - revision: - type: number - secret_references: - items: - type: object - properties: - id: - type: string - type: array - required: - - id - - outputs - - inputs - Fleet_full_agent_policy_input: - allOf: - - additionalProperties: true - type: object - properties: - data_stream: - type: object - properties: - namespace: - type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - name: - type: string - revision: - type: number - streams: - $ref: '#/components/schemas/Fleet_full_agent_policy_input_stream' - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - title: Full agent policy input - Fleet_full_agent_policy_input_stream: - allOf: - - additionalProperties: true - type: object - properties: - data_stream: - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - - type - id: - type: string - required: - - id - - data_stream - title: Full agent policy input stream - Fleet_full_agent_policy_output: - title: Full agent policy - type: object - properties: - additionalProperties: - type: object - properties: - text: {} - ca_sha256: - nullable: true - type: string - hosts: - items: - type: string - type: array - proxy_headers: {} - proxy_url: - type: string - type: {} - required: - - type - - hosts - - ca_sha256 - Fleet_full_agent_policy_output_permissions: - additionalProperties: - type: object - properties: - data: - type: object - properties: - cluster: - items: - type: string - type: array - indices: - items: - type: object - properties: - names: - items: - type: string - type: array - privileges: - items: - type: string - type: array - type: array - packagePolicyName: - type: string - title: Full agent policy output permissions - Fleet_get_agent_tags_response: - title: Get Agent Tags response - type: object - properties: - items: - items: - type: string - type: array - Fleet_get_agents_response: - title: Get Agent response - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_agent' - type: array - page: - type: number - perPage: - type: number - statusSummary: - type: object - properties: - degraded': - type: number - enrolling: - type: number - error: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - unenrolled: - type: number - unenrolling: - type: number - updating: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - Fleet_get_bulk_assets_response: - deprecated: true - properties: - items: - items: - type: object - properties: - appLink: - type: string - attributes: - type: object - properties: - description: - type: string - title: - type: string - id: - type: string - type: - $ref: '#/components/schemas/Fleet_saved_object_type' - updatedAt: - type: string - type: array - required: - - items - title: Bulk get assets response - type: object - Fleet_get_categories_response: - title: Get categories response - type: object - properties: - items: - items: - type: object - properties: - count: - type: number - id: - type: string - title: - type: string - required: - - id - - title - - count - type: array - response: - items: - deprecated: true - type: object - properties: - count: - type: number - id: - type: string - title: - type: string - required: - - id - - title - - count - type: array - required: - - items - Fleet_get_packages_response: - title: Get Packages response - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_search_result' - type: array - response: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_search_result' - type: array - required: - - items - Fleet_installation_info: - title: Installation info object - type: object - properties: - created_at: - type: string - experimental_data_stream_features: - type: array - properties: - data_stream: - type: string - features: - type: object - properties: - doc_value_only_numeric: - nullable: true - type: boolean - doc_value_only_other: - nullable: true - type: boolean - synthetic_source: - nullable: true - type: boolean - tsdb: - nullable: true - type: boolean - install_format_schema_version: - type: string - install_kibana_space_id: - type: string - install_source: - enum: - - registry - - upload - - bundled - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - $ref: '#/components/schemas/Fleet_elasticsearch_asset_type' - installed_kibana: - type: object - properties: - id: - type: string - type: - $ref: '#/components/schemas/Fleet_kibana_saved_object_type' - latest_executed_state: - description: Latest successfully executed state in package install state machine - type: object - properties: - error: - type: string - name: - enum: - - create_restart_installation - - install_kibana_assets - - install_ilm_policies - - install_ml_model - - install_index_template_pipelines - - remove_legacy_templates - - update_current_write_indices - - install_transforms - - delete_previous_pipelines - - save_archive_entries_from_assets_map - - update_so - type: string - started_at: - type: string - latest_install_failed_attempts: - description: Latest failed install errors - items: - type: object - properties: - created_at: - type: string - error: - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - target_version: - type: string - type: array - name: - type: string - namespaces: - items: - type: string - type: array - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - verified - - unverified - - unknown - type: string - version: - type: string - required: - - installed_kibana - - installed_es - - name - - version - - install_status - - install_version - - install_started_at - - install_source - - verification_status - - latest_install_failed_attempts - Fleet_kibana_saved_object_type: - enum: - - dashboard - - visualization - - search - - index-pattern - - map - - lens - - ml-module - - security-rule - - csp_rule_template - title: Kibana saved object asset type - type: string - Fleet_new_package_policy: - description: '' - properties: - description: - type: string - enabled: - type: boolean - inputs: - items: - type: object - properties: - config: - type: object - enabled: - type: boolean - processors: - items: - type: string - type: array - streams: - items: {} - type: array - type: - type: string - vars: - type: object - required: - - type - - enabled - type: array - name: - type: string - namespace: - type: string - output_id: - type: string - overrides: - type: object - package: - type: object - properties: - name: - type: string - requires_root: - type: boolean - title: - type: string - version: - type: string - required: - - name - - version - policy_id: - deprecated: true - nullable: true - type: string - policy_ids: - items: - type: string - type: array - required: - - inputs - - name - title: New package policy - type: object - Fleet_output_create_request: - discriminator: - mapping: - elasticsearch: '#/components/schemas/Fleet_output_create_request_elasticsearch' - kafka: '#/components/schemas/Fleet_output_create_request_kafka' - logstash: '#/components/schemas/Fleet_output_create_request_logstash' - remote_elasticsearch: >- - #/components/schemas/Fleet_output_create_request_remote_elasticsearch - propertyName: type - oneOf: - - $ref: '#/components/schemas/Fleet_output_create_request_elasticsearch' - - $ref: '#/components/schemas/Fleet_output_create_request_kafka' - - $ref: '#/components/schemas/Fleet_output_create_request_logstash' - - $ref: >- - #/components/schemas/Fleet_output_create_request_remote_elasticsearch - title: Output - Fleet_output_create_request_elasticsearch: - title: elasticsearch - type: object - properties: - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - config: - type: object - config_yaml: - type: string - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - elasticsearch - type: string - required: - - name - Fleet_output_create_request_kafka: - title: kafka - type: object - properties: - auth_type: - type: string - broker_timeout: - type: number - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - client_id: - type: string - compression: - type: string - compression_level: - type: number - config: - type: object - config_yaml: - type: string - connection_type: - enum: - - plaintext - - encryption - type: string - headers: - items: - type: object - properties: - key: - type: string - value: - type: string - type: array - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - key: - type: string - name: - type: string - partition: - type: string - password: - type: string - proxy_id: - type: string - random: - type: object - properties: - group_events: - type: number - required_acks: - type: number - round_robin: - type: object - properties: - group_events: - type: number - sasl: - type: object - properties: - mechanism: - type: string - secrets: - type: object - properties: - password: - type: string - ssl: - type: object - properties: - key: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - verification_mode: - enum: - - none - - full - - certificate - - strict - type: string - timeout: - type: number - topic: - type: string - topics: - deprecated: true - description: Use topic instead. - items: - type: object - properties: - topic: - type: string - when: - deprecated: true - description: >- - Deprecated, kafka output do not support conditionnal topics - anymore. - type: object - properties: - condition: - type: string - type: - type: string - type: array - type: - enum: - - kafka - type: string - username: - type: string - version: - type: string - required: - - name - - type - - topics - - auth_type - - hosts - Fleet_output_create_request_logstash: - title: logstash - type: object - properties: - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - config: - type: object - config_yaml: - type: string - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - type: string - secrets: - type: object - properties: - ssl: - type: object - properties: - key: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - logstash - type: string - required: - - name - - hosts - - type - Fleet_output_create_request_remote_elasticsearch: - title: remote_elasticsearch - type: object - properties: - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - secrets: - type: object - properties: - service_token: - type: string - service_token: - type: string - type: - enum: - - remote_elasticsearch - type: string - required: - - name - Fleet_output_update_request: - discriminator: - mapping: - elasticsearch: '#/components/schemas/Fleet_output_update_request_elasticsearch' - kafka: '#/components/schemas/Fleet_output_update_request_kafka' - logstash: '#/components/schemas/Fleet_output_update_request_logstash' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Fleet_output_update_request_elasticsearch' - - $ref: '#/components/schemas/Fleet_output_update_request_kafka' - - $ref: '#/components/schemas/Fleet_output_update_request_logstash' - title: Output - Fleet_output_update_request_elasticsearch: - title: elasticsearch - type: object - properties: - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - config: - type: object - config_yaml: - type: string - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - elasticsearch - type: string - required: - - name - - hosts - - type - Fleet_output_update_request_kafka: - title: kafka - type: object - properties: - auth_type: - type: string - broker_timeout: - type: number - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - client_id: - type: string - compression: - type: string - compression_level: - type: number - config: - type: object - config_yaml: - type: string - connection_type: - enum: - - plaintext - - encryption - type: string - headers: - items: - type: object - properties: - key: - type: string - value: - type: string - type: array - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - key: - type: string - name: - type: string - partition: - type: string - password: - type: string - proxy_id: - type: string - random: - type: object - properties: - group_events: - type: number - required_acks: - type: number - round_robin: - type: object - properties: - group_events: - type: number - sasl: - type: object - properties: - mechanism: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - verification_mode: - enum: - - none - - full - - certificate - - strict - type: string - timeout: - type: number - topic: - type: string - topics: - deprecated: true - description: Use topic instead. - items: - type: object - properties: - topic: - type: string - when: - deprecated: true - description: >- - Deprecated, kafka output do not support conditionnal topics - anymore. - type: object - properties: - condition: - type: string - type: - type: string - type: array - type: - enum: - - kafka - type: string - username: - type: string - version: - type: string - required: - - name - Fleet_output_update_request_logstash: - title: logstash - type: object - properties: - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - config: - type: object - config_yaml: - type: string - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - logstash - type: string - required: - - name - Fleet_package_info: - title: Package information - type: object - properties: - agent: - type: object - properties: - privileges: - type: object - properties: - root: - type: boolean - asset_tags: - items: - type: object - properties: - asset_ids: - items: - type: string - type: array - asset_types: - items: - type: string - type: array - text: - type: string - required: - - text - type: array - assets: - items: - type: string - type: array - categories: - items: - type: string - type: array - conditions: - type: object - properties: - elasticsearch: - type: object - properties: - subscription: - enum: - - basic - - gold - - platinum - - enterprise - type: string - kibana: - type: object - properties: - versions: - type: string - data_streams: - items: - type: object - properties: - ingeset_pipeline: - type: string - name: - type: string - package: - type: string - release: - type: string - title: - type: string - type: - type: string - vars: - items: - type: object - properties: - default: - type: string - name: - type: string - required: - - name - - default - type: array - required: - - title - - name - - release - - ingeset_pipeline - - type - - package - type: array - description: - type: string - discovery: - type: object - properties: - fields: - items: - type: object - properties: - name: - type: string - required: - - name - type: array - download: - type: string - elasticsearch: - type: object - properties: - privileges: - type: object - properties: - cluster: - items: - type: string - type: array - format_version: - type: string - icons: - items: - type: string - type: array - internal: - type: boolean - name: - type: string - owner: - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - required: - - github - path: - type: string - readme: - type: string - release: - deprecated: true - description: >- - release label is deprecated, derive from the version instead - (packages follow semver) - enum: - - experimental - - beta - - ga - type: string - screenshots: - items: - type: object - properties: - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - - path - type: array - source: - type: object - properties: - license: - enum: - - Apache-2.0 - - Elastic-2.0 - type: string - title: - type: string - type: - enum: - - integration - - input - - content - type: string - version: - type: string - required: - - name - - title - - version - - description - - type - - categories - - conditions - - assets - - format_version - - download - - path - - owner - Fleet_package_policy: - allOf: - - type: object - properties: - id: - type: string - inputs: - oneOf: - - items: {} - type: array - - type: object - revision: - type: number - required: - - id - - revision - - $ref: '#/components/schemas/Fleet_new_package_policy' - title: Package policy - Fleet_package_policy_request: - title: Package Policy Request - type: object - properties: - description: - description: Package policy description - example: my description - type: string - force: - description: >- - Force package policy creation even if package is not verified, or if - the agent policy is managed. - type: boolean - id: - description: Package policy unique identifier - type: string - inputs: - additionalProperties: - type: object - properties: - enabled: - description: 'enable or disable that input, (default to true)' - type: boolean - streams: - additionalProperties: - type: object - properties: - enabled: - description: 'enable or disable that stream, (default to true)' - type: boolean - vars: - description: >- - Stream level variable (see integration documentation for - more information) - type: object - description: >- - Input streams (see integration documentation to know what - streams are available) - type: object - vars: - description: >- - Input level variable (see integration documentation for more - information) - type: object - description: >- - Package policy inputs (see integration documentation to know what - inputs are available) - example: - nginx-logfile: - enabled: true - streams: - nginx.access: - enabled: true - vars: - ignore_older: 72h - paths: - - /var/log/nginx/access.log* - preserve_original_event: false - tags: - - nginx-access - type: object - name: - description: Package policy name (should be unique) - example: nginx-123 - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. - example: customnamespace - type: string - output_id: - description: Output ID to send package data to - example: output-id - nullable: true - type: string - overrides: - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object - properties: - inputs: - type: object - package: - type: object - properties: - name: - description: Package name - example: nginx - type: string - version: - description: Package version - example: 1.6.0 - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Agent policy ID where that package policy will be added - example: agent-policy-id - nullable: true - type: string - policy_ids: - description: Agent policy IDs where that package policy will be added - example: - - agent-policy-id - items: - type: string - type: array - vars: - description: >- - Package root level variable (see integration documentation for more - information) - type: object - required: - - name - - package - Fleet_package_usage_stats: - title: Package usage stats - type: object - properties: - agent_policy_count: - type: integer - required: - - agent_policy_count - Fleet_proxies: - title: Fleet Proxy - type: object - properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: - type: string - id: - type: string - name: - type: string - proxy_headers: - type: object - url: - type: string - required: - - name - - url - Fleet_saved_object_type: - oneOf: - - enum: - - dashboard - - visualization - - search - - index_pattern - - map - - lens - - security_rule - - csp_rule_template - - ml_module - - tag - - osquery_pack_asset - - osquery_saved_query - type: string - - enum: - - index - - component_template - - ingest_pipeline - - index_template - - ilm_policy - - transform - - data_stream_ilm_policy - - ml_model - type: string - title: Saved Object type - Fleet_search_result: - title: Search result - type: object - properties: - description: - type: string - download: - type: string - icons: - type: string - installationInfo: - $ref: '#/components/schemas/Fleet_installation_info' - name: - type: string - path: - type: string - savedObject: - deprecated: true - type: object - status: - type: string - title: - type: string - type: - type: string - version: - type: string - required: - - description - - download - - icons - - name - - path - - title - - type - - version - - status - Fleet_settings: - title: Settings - type: object - properties: - delete_unenrolled_agents: - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - fleet_server_hosts: - deprecated: true - items: - type: string - type: array - has_seen_add_data_notice: - type: boolean - id: - type: string - prerelease_integrations_enabled: - type: boolean - required: - - fleet_server_hosts - - id - Fleet_upgrade_agent: - title: Upgrade agent - type: object - properties: - force: - description: 'Force upgrade, skipping validation (should be used with caution)' - type: boolean - skipRateLimitCheck: - description: Skip rate limit check for upgrade - type: boolean - source_uri: - type: string - version: - type: string - required: - - version - Fleet_upgrade_agent_diff: - items: - items: - $ref: '#/components/schemas/Fleet_full_agent_policy_input' - type: array - title: Package policy Upgrade dryrun - type: array - Fleet_upgrade_diff: - items: - allOf: - - $ref: '#/components/schemas/Fleet_package_policy' - - allOf: - - $ref: '#/components/schemas/Fleet_new_package_policy' - - type: object - properties: - errors: - items: - type: object - properties: - key: - type: string - message: - type: string - type: array - missingVars: - items: - type: string - type: array - type: object - title: Package policy Upgrade dryrun - type: array - Machine_learning_APIs_mlSync200Response: - properties: - datafeedsAdded: - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. - type: object - datafeedsRemoved: - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. - type: object - savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated - savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted - title: Successful sync API response - type: object - Machine_learning_APIs_mlSync4xxResponse: - properties: - error: - example: Unauthorized - type: string - message: - type: string - statusCode: - example: 401 - type: integer - title: Unsuccessful sync API response - type: object - Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for anomaly detection jobs - type: object - Machine_learning_APIs_mlSyncResponseDatafeeds: - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for datafeeds - type: object - Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for data frame analytics jobs - type: object - Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. - properties: - anomaly-detector: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. - type: object - data-frame-analytics: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. - type: object - trained-model: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: 'If saved objects are missing for trained models, they are created.' - type: object - title: Sync API response for created saved objects - type: object - Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. - properties: - anomaly-detector: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. - type: object - data-frame-analytics: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. - type: object - trained-model: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. - type: object - title: Sync API response for deleted saved objects - type: object - Machine_learning_APIs_mlSyncResponseSuccess: - description: The success or failure of the synchronization. - type: boolean - Machine_learning_APIs_mlSyncResponseTrainedModels: - description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for trained models - type: object - Security_AI_Assistant_API_AnonymizationFieldCreateProps: - type: object - properties: - allowed: - type: boolean - anonymized: - type: boolean - field: - type: string - required: - - field - Security_AI_Assistant_API_AnonymizationFieldDetailsInError: - type: object - properties: - id: - type: string - name: - type: string - required: - - id - Security_AI_Assistant_API_AnonymizationFieldResponse: - type: object - properties: - allowed: - type: boolean - anonymized: - type: boolean - createdAt: - type: string - createdBy: - type: string - field: - type: string - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - namespace: - description: Kibana space - type: string - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - updatedAt: - type: string - updatedBy: - type: string - required: - - id - - field - Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: - enum: - - ANONYMIZATION_FIELD_NOT_MODIFIED - type: string - Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: - type: object - properties: - id: - type: string - name: - type: string - skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason - required: - - id - - skip_reason - Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: - type: object - properties: - anonymization_fields_count: - type: integer - attributes: - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError - type: array - results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults - summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary - required: - - results - - summary - message: - type: string - status_code: - type: integer - success: - type: boolean - required: - - attributes - Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: - type: object - properties: - created: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - deleted: - items: - type: string - type: array - skipped: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult - type: array - updated: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - required: - - updated - - created - - deleted - - skipped - Security_AI_Assistant_API_AnonymizationFieldUpdateProps: - type: object - properties: - allowed: - type: boolean - anonymized: - type: boolean - id: - type: string - required: - - id - Security_AI_Assistant_API_ApiConfig: - type: object - properties: - actionTypeId: - description: action type id - type: string - connectorId: - description: connector id - type: string - defaultSystemPromptId: - description: defaultSystemPromptId - type: string - model: - description: model - type: string - provider: - $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' - description: Provider - required: - - connectorId - - actionTypeId - Security_AI_Assistant_API_BulkCrudActionSummary: - type: object - properties: - failed: - type: integer - skipped: - type: integer - succeeded: - type: integer - total: - type: integer - required: - - failed - - skipped - - succeeded - - total - Security_AI_Assistant_API_ChatCompleteProps: - type: object - properties: - connectorId: - type: string - conversationId: - type: string - isStream: - type: boolean - langSmithApiKey: - type: string - langSmithProject: - type: string - messages: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' - type: array - model: - type: string - persist: - type: boolean - promptId: - type: string - responseLanguage: - type: string - required: - - messages - - persist - - connectorId - Security_AI_Assistant_API_ChatMessage: - description: AI assistant message. - type: object - properties: - content: - description: Message content. - type: string - data: - $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' - description: ECS object to attach to the context of the message. - fields_to_anonymize: - items: - type: string - type: array - role: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' - description: Message role. - required: - - role - Security_AI_Assistant_API_ChatMessageRole: - description: Message role. - enum: - - system - - user - - assistant - type: string - Security_AI_Assistant_API_ConversationCategory: - description: The conversation category. - enum: - - assistant - - insights - type: string - Security_AI_Assistant_API_ConversationConfidence: - description: The conversation confidence. - enum: - - low - - medium - - high - type: string - Security_AI_Assistant_API_ConversationCreateProps: - type: object - properties: - apiConfig: - $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' - description: LLM API configuration. - category: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' - description: The conversation category. - excludeFromLastConversationStorage: - description: excludeFromLastConversationStorage. - type: boolean - id: - description: The conversation id. - type: string - isDefault: - description: Is default conversation. - type: boolean - messages: - description: The conversation messages. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_Message' - type: array - replacements: - $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' - title: - description: The conversation title. - type: string - required: - - title - Security_AI_Assistant_API_ConversationResponse: - type: object - properties: - apiConfig: - $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' - description: LLM API configuration. - category: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' - description: The conversation category. - createdAt: - description: The last time conversation was updated. - type: string - excludeFromLastConversationStorage: - description: excludeFromLastConversationStorage. - type: boolean - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - isDefault: - description: Is default conversation. - type: boolean - messages: - description: The conversation messages. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_Message' - type: array - namespace: - description: Kibana space - type: string - replacements: - $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' - summary: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - title: - description: The conversation title. - type: string - updatedAt: - description: The last time conversation was updated. - type: string - users: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - id - - title - - createdAt - - users - - namespace - - category - Security_AI_Assistant_API_ConversationSummary: - type: object - properties: - confidence: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationConfidence - description: >- - How confident you are about this being a correct and useful - learning. - content: - description: Summary text of the conversation over time. - type: string - public: - description: Define if summary is marked as publicly available. - type: boolean - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - description: The timestamp summary was updated. - Security_AI_Assistant_API_ConversationUpdateProps: - type: object - properties: - apiConfig: - $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' - description: LLM API configuration. - category: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' - description: The conversation category. - excludeFromLastConversationStorage: - description: excludeFromLastConversationStorage. - type: boolean - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - messages: - description: The conversation messages. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_Message' - type: array - replacements: - $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' - summary: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' - title: - description: The conversation title. - type: string - required: - - id - Security_AI_Assistant_API_FindAnonymizationFieldsSortField: - enum: - - created_at - - anonymized - - allowed - - field - - updated_at - type: string - Security_AI_Assistant_API_FindConversationsSortField: - enum: - - created_at - - is_default - - title - - updated_at - type: string - Security_AI_Assistant_API_FindPromptsSortField: - enum: - - created_at - - is_default - - name - - updated_at - type: string - Security_AI_Assistant_API_Message: - description: AI assistant conversation message. - type: object - properties: - content: - description: Message content. - type: string - isError: - description: Is error message. - type: boolean - reader: - $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' - description: Message content. - role: - $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' - description: Message role. - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - description: The timestamp message was sent or received. - traceData: - $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' - description: trace Data - required: - - timestamp - - content - - role - Security_AI_Assistant_API_MessageData: - additionalProperties: true - type: object - Security_AI_Assistant_API_MessageRole: - description: Message role. - enum: - - system - - user - - assistant - type: string - Security_AI_Assistant_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_AI_Assistant_API_NormalizedAnonymizationFieldError: - type: object - properties: - anonymization_fields: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError - type: array - err_code: - type: string - message: - type: string - status_code: - type: integer - required: - - message - - status_code - - anonymization_fields - Security_AI_Assistant_API_NormalizedPromptError: - type: object - properties: - err_code: - type: string - message: - type: string - prompts: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError - type: array - status_code: - type: integer - required: - - message - - status_code - - prompts - Security_AI_Assistant_API_PromptCreateProps: - type: object - properties: - categories: - items: - type: string - type: array - color: - type: string - consumer: - type: string - content: - type: string - isDefault: - type: boolean - isNewConversationDefault: - type: boolean - name: - type: string - promptType: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' - required: - - name - - content - - promptType - Security_AI_Assistant_API_PromptDetailsInError: - type: object - properties: - id: - type: string - name: - type: string - required: - - id - Security_AI_Assistant_API_PromptResponse: - type: object - properties: - categories: - items: - type: string - type: array - color: - type: string - consumer: - type: string - content: - type: string - createdAt: - type: string - createdBy: - type: string - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - isDefault: - type: boolean - isNewConversationDefault: - type: boolean - name: - type: string - namespace: - description: Kibana space - type: string - promptType: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - updatedAt: - type: string - updatedBy: - type: string - users: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - id - - name - - promptType - - content - Security_AI_Assistant_API_PromptsBulkActionSkipReason: - enum: - - PROMPT_FIELD_NOT_MODIFIED - type: string - Security_AI_Assistant_API_PromptsBulkActionSkipResult: - type: object - properties: - id: - type: string - name: - type: string - skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason - required: - - id - - skip_reason - Security_AI_Assistant_API_PromptsBulkCrudActionResponse: - type: object - properties: - attributes: - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError - type: array - results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults - summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary - required: - - results - - summary - message: - type: string - prompts_count: - type: integer - status_code: - type: integer - success: - type: boolean - required: - - attributes - Security_AI_Assistant_API_PromptsBulkCrudActionResults: - type: object - properties: - created: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' - type: array - deleted: - items: - type: string - type: array - skipped: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult - type: array - updated: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' - type: array - required: - - updated - - created - - deleted - - skipped - Security_AI_Assistant_API_PromptType: - description: Prompt type - enum: - - system - - quick - type: string - Security_AI_Assistant_API_PromptUpdateProps: - type: object - properties: - categories: - items: - type: string - type: array - color: - type: string - consumer: - type: string - content: - type: string - id: - type: string - isDefault: - type: boolean - isNewConversationDefault: - type: boolean - required: - - id - Security_AI_Assistant_API_Provider: - description: Provider - enum: - - OpenAI - - Azure OpenAI - - Other - type: string - Security_AI_Assistant_API_Reader: - additionalProperties: true - type: object - Security_AI_Assistant_API_Replacements: - additionalProperties: - type: string - description: Replacements object used to anonymize/deanomymize messsages - type: object - Security_AI_Assistant_API_SortOrder: - enum: - - asc - - desc - type: string - Security_AI_Assistant_API_TraceData: - description: trace Data - type: object - properties: - traceId: - description: 'Could be any string, not necessarily a UUID' - type: string - transactionId: - description: 'Could be any string, not necessarily a UUID' - type: string - Security_AI_Assistant_API_User: - description: 'Could be any string, not necessarily a UUID' - type: object - properties: - id: - description: User id - type: string - name: - description: User name - type: string - Security_Detections_API_AlertAssignees: - type: object - properties: - add: - description: A list of users ids to assign. - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array - remove: - description: A list of users ids to unassign. - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array - required: - - add - - remove - Security_Detections_API_AlertIds: - description: A list of alerts ids. - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - minItems: 1 - type: array - Security_Detections_API_AlertsIndex: - deprecated: true - description: (deprecated) Has no effect. - type: string - Security_Detections_API_AlertsIndexNamespace: - description: Has no effect. - type: string - Security_Detections_API_AlertsSort: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - - items: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsSortCombinations - type: array - Security_Detections_API_AlertsSortCombinations: - anyOf: - - type: string - - additionalProperties: true - type: object - Security_Detections_API_AlertStatus: - enum: - - open - - closed - - acknowledged - - in-progress - type: string - Security_Detections_API_AlertSuppression: - type: object - properties: - duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration - group_by: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' - missing_fields_strategy: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy - required: - - group_by - Security_Detections_API_AlertSuppressionDuration: - type: object - properties: - unit: - enum: - - s - - m - - h - type: string - value: - minimum: 1 - type: integer - required: - - value - - unit - Security_Detections_API_AlertSuppressionGroupBy: - items: - type: string - maxItems: 3 - minItems: 1 - type: array - Security_Detections_API_AlertSuppressionMissingFieldsStrategy: - description: >- - Describes how alerts will be generated for documents with missing - suppress by fields: - - doNotSuppress - per each document a separate alert will be created - - suppress - only alert will be created per suppress by bucket - enum: - - doNotSuppress - - suppress - type: string - Security_Detections_API_AlertTag: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - Security_Detections_API_AlertTags: - items: - $ref: '#/components/schemas/Security_Detections_API_AlertTag' - type: array - Security_Detections_API_AnomalyThreshold: - description: Anomaly threshold - minimum: 0 - type: integer - Security_Detections_API_BuildingBlockType: - description: >- - Determines if the rule acts as a building block. By default, - building-block alerts are not displayed in the UI. These rules are used - as a foundation for other rules that do generate alerts. Its value must - be default. - type: string - Security_Detections_API_BulkActionEditPayload: - anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule - Security_Detections_API_BulkActionEditPayloadIndexPatterns: - type: object - properties: - overwrite_data_views: - type: boolean - type: - enum: - - add_index_patterns - - delete_index_patterns - - set_index_patterns - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadInvestigationFields: - type: object - properties: - type: - enum: - - add_investigation_fields - - delete_investigation_fields - - set_investigation_fields - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadRuleActions: - type: object - properties: - type: - enum: - - add_rule_actions - - set_rule_actions - type: string - value: - type: object - properties: - actions: - items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleAction - type: array - throttle: - $ref: >- - #/components/schemas/Security_Detections_API_ThrottleForBulkActions - required: - - actions - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadSchedule: - type: object - properties: - type: - enum: - - set_schedule - type: string - value: - type: object - properties: - interval: - description: >- - Interval in which the rule runs. For example, `"1h"` means the - rule runs every hour. - example: 1h - pattern: '^[1-9]\d*[smh]$' - type: string - lookback: - description: Lookback time for the rule - example: 1h - pattern: '^[1-9]\d*[smh]$' - type: string - required: - - interval - - lookback - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadTags: - type: object - properties: - type: - enum: - - add_tags - - delete_tags - - set_tags - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadTimeline: - type: object - properties: - type: - enum: - - set_timeline - type: string - value: - type: object - properties: - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - required: - - timeline_id - - timeline_title - required: - - type - - value - Security_Detections_API_BulkActionsDryRunErrCode: - enum: - - IMMUTABLE - - MACHINE_LEARNING_AUTH - - MACHINE_LEARNING_INDEX_PATTERN - - ESQL_INDEX_PATTERN - - MANUAL_RULE_RUN_FEATURE - - MANUAL_RULE_RUN_DISABLED_RULE - type: string - Security_Detections_API_BulkActionSkipResult: - type: object - properties: - id: - type: string - name: - type: string - skip_reason: - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - required: - - id - - skip_reason - Security_Detections_API_BulkDeleteRules: - type: object - properties: - action: - enum: - - delete - type: string - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - Security_Detections_API_BulkDisableRules: - type: object - properties: - action: - enum: - - disable - type: string - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - Security_Detections_API_BulkDuplicateRules: - type: object - properties: - action: - enum: - - duplicate - type: string - duplicate: - type: object - properties: - include_exceptions: - description: Whether to copy exceptions from the original rule - type: boolean - include_expired_exceptions: - description: Whether to copy expired exceptions from the original rule - type: boolean - required: - - include_exceptions - - include_expired_exceptions - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - Security_Detections_API_BulkEditActionResponse: - type: object - properties: - attributes: - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleError - type: array - results: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResults - summary: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionSummary - required: - - results - - summary - message: - type: string - rules_count: - type: integer - status_code: - type: integer - success: - type: boolean - required: - - attributes - Security_Detections_API_BulkEditActionResults: - type: object - properties: - created: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - type: array - deleted: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - type: array - skipped: - items: - $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult' - type: array - updated: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - type: array - required: - - updated - - created - - deleted - - skipped - Security_Detections_API_BulkEditActionSummary: - type: object - properties: - failed: - type: integer - skipped: - type: integer - succeeded: - type: integer - total: - type: integer - required: - - failed - - skipped - - succeeded - - total - Security_Detections_API_BulkEditRules: - type: object - properties: - action: - enum: - - edit - type: string - edit: - description: Array of objects containing the edit operations - items: - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload' - minItems: 1 - type: array - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - - edit - Security_Detections_API_BulkEditSkipReason: - enum: - - RULE_NOT_MODIFIED - type: string - Security_Detections_API_BulkEnableRules: - type: object - properties: - action: - enum: - - enable - type: string - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - Security_Detections_API_BulkExportActionResponse: - type: string - Security_Detections_API_BulkExportRules: - type: object - properties: - action: - enum: - - export - type: string - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - Security_Detections_API_BulkManualRuleRun: - type: object - properties: - action: - enum: - - run - type: string - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - run: - type: object - properties: - end_date: - description: End date of the manual rule run - type: string - start_date: - description: Start date of the manual rule run - type: string - required: - - start_date - required: - - action - - run - Security_Detections_API_ConcurrentSearches: - minimum: 1 - type: integer - Security_Detections_API_DataViewId: - type: string - Security_Detections_API_DefaultParams: - type: object - properties: - command: - enum: - - isolate - type: string - comment: - type: string - required: - - command - Security_Detections_API_EcsMapping: - additionalProperties: - type: object - properties: - field: - type: string - value: - oneOf: - - type: string - - items: - type: string - type: array - type: object - Security_Detections_API_EndpointResponseAction: - type: object - properties: - action_type_id: - enum: - - .endpoint - type: string - params: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_DefaultParams' - - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams' - required: - - action_type_id - - params - Security_Detections_API_EqlOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - event_category_override: - $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - tiebreaker_field: - $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' - timestamp_field: - $ref: '#/components/schemas/Security_Detections_API_TimestampField' - Security_Detections_API_EqlQueryLanguage: - enum: - - eql - type: string - Security_Detections_API_EqlRequiredFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' - description: Query language to use - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - description: EQL query to execute - type: - description: Rule type - enum: - - eql - type: string - required: - - type - - query - - language - Security_Detections_API_EqlRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields' - Security_Detections_API_EqlRuleCreateFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' - Security_Detections_API_EqlRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' - Security_Detections_API_EqlRulePatchFields: - allOf: - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' - description: Query language to use - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - description: EQL query to execute - type: - description: Rule type - enum: - - eql - type: string - - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' - Security_Detections_API_EqlRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields' - Security_Detections_API_EqlRuleResponseFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' - Security_Detections_API_EqlRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' - Security_Detections_API_ErrorSchema: - additionalProperties: false - type: object - properties: - error: - type: object - properties: - message: - type: string - status_code: - minimum: 400 - type: integer - required: - - status_code - - message - id: - type: string - item_id: - minLength: 1 - type: string - list_id: - minLength: 1 - type: string - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - required: - - error - Security_Detections_API_EsqlQueryLanguage: - enum: - - esql - type: string - Security_Detections_API_EsqlRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields' - Security_Detections_API_EsqlRuleCreateFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' - Security_Detections_API_EsqlRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' - Security_Detections_API_EsqlRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - Security_Detections_API_EsqlRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - language: - $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - description: ESQL query to execute - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - type: - description: Rule type - enum: - - esql - type: string - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - Security_Detections_API_EsqlRuleRequiredFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - description: ESQL query to execute - type: - description: Rule type - enum: - - esql - type: string - required: - - type - - language - - query - Security_Detections_API_EsqlRuleResponseFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' - Security_Detections_API_EsqlRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' - Security_Detections_API_EventCategoryOverride: - type: string - Security_Detections_API_ExceptionListType: - description: The exception type - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Detections_API_ExternalRuleSource: - description: >- - Type of rule source for externally sourced rules, i.e. rules that have - an external source, such as the Elastic Prebuilt rules repo. - type: object - properties: - is_customized: - $ref: >- - #/components/schemas/Security_Detections_API_IsExternalRuleCustomized - type: - enum: - - external - type: string - required: - - type - - is_customized - Security_Detections_API_FindRulesSortField: - enum: - - created_at - - createdAt - - enabled - - execution_summary.last_execution.date - - execution_summary.last_execution.metrics.execution_gap_duration_s - - execution_summary.last_execution.metrics.total_indexing_duration_ms - - execution_summary.last_execution.metrics.total_search_duration_ms - - execution_summary.last_execution.status - - name - - risk_score - - riskScore - - severity - - updated_at - - updatedAt - type: string - Security_Detections_API_HistoryWindowStart: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - Security_Detections_API_IndexPatternArray: - items: - type: string - type: array - Security_Detections_API_InternalRuleSource: - description: >- - Type of rule source for internally sourced rules, i.e. created within - the Kibana apps. - type: object - properties: - type: - enum: - - internal - type: string - required: - - type - Security_Detections_API_InvestigationFields: - description: > - Schema for fields relating to investigation fields. These are user - defined fields we use to highlight - - in various features in the UI such as alert details flyout and - exceptions auto-population from alert. - - Added in PR #163235 - - Right now we only have a single field but anticipate adding more related - fields to store various - - configuration states such as `override` - where a user might say if they - want only these fields to - - display, or if they want these fields + the fields we select. When - expanding this field, it may look - - something like: - - ```typescript - - const investigationFields = z.object({ - field_names: NonEmptyArray(NonEmptyString), - override: z.boolean().optional(), - }); - - ``` - type: object - properties: - field_names: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - minItems: 1 - type: array - required: - - field_names - Security_Detections_API_InvestigationGuide: - description: Notes to help investigate alerts produced by the rule. - type: string - Security_Detections_API_IsExternalRuleCustomized: - description: >- - Determines whether an external/prebuilt rule has been customized by the - user (i.e. any of its fields have been modified and diverged from the - base value). - type: boolean - Security_Detections_API_IsRuleEnabled: - description: Determines whether the rule is enabled. - type: boolean - Security_Detections_API_IsRuleImmutable: - deprecated: true - description: >- - This field determines whether the rule is a prebuilt Elastic rule. It - will be replaced with the `rule_source` field. - type: boolean - Security_Detections_API_ItemsPerSearch: - minimum: 1 - type: integer - Security_Detections_API_KqlQueryLanguage: - enum: - - kuery - - lucene - type: string - Security_Detections_API_MachineLearningJobId: - description: Machine learning job ID - oneOf: - - type: string - - items: - type: string - minItems: 1 - type: array - Security_Detections_API_MachineLearningRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields - Security_Detections_API_MachineLearningRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields - Security_Detections_API_MachineLearningRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields - Security_Detections_API_MachineLearningRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - Security_Detections_API_MachineLearningRulePatchFields: - allOf: - - type: object - properties: - anomaly_threshold: - $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' - machine_learning_job_id: - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningJobId - type: - description: Rule type - enum: - - machine_learning - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields - Security_Detections_API_MachineLearningRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields - Security_Detections_API_MachineLearningRuleRequiredFields: - type: object - properties: - anomaly_threshold: - $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' - machine_learning_job_id: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' - type: - description: Rule type - enum: - - machine_learning - type: string - required: - - type - - machine_learning_job_id - - anomaly_threshold - Security_Detections_API_MachineLearningRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields - Security_Detections_API_MachineLearningRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields - Security_Detections_API_MaxSignals: - minimum: 1 - type: integer - Security_Detections_API_NewTermsFields: - items: - type: string - maxItems: 3 - minItems: 1 - type: array - Security_Detections_API_NewTermsRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields - Security_Detections_API_NewTermsRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields - Security_Detections_API_NewTermsRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields - Security_Detections_API_NewTermsRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_NewTermsRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - Security_Detections_API_NewTermsRulePatchFields: - allOf: - - type: object - properties: - history_window_start: - $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' - new_terms_fields: - $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - type: - description: Rule type - enum: - - new_terms - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields - Security_Detections_API_NewTermsRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields' - Security_Detections_API_NewTermsRuleRequiredFields: - type: object - properties: - history_window_start: - $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' - new_terms_fields: - $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - type: - description: Rule type - enum: - - new_terms - type: string - required: - - type - - query - - new_terms_fields - - history_window_start - Security_Detections_API_NewTermsRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_NewTermsRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields - Security_Detections_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_Detections_API_NormalizedRuleAction: - additionalProperties: false - type: object - properties: - alerts_filter: - $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' - frequency: - $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' - group: - $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleActionId' - params: - $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' - required: - - id - - params - Security_Detections_API_NormalizedRuleError: - type: object - properties: - err_code: - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode - message: - type: string - rules: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError' - type: array - status_code: - type: integer - required: - - message - - status_code - - rules - Security_Detections_API_OsqueryParams: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Detections_API_EcsMapping' - pack_id: - type: string - queries: - items: - $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' - type: array - query: - type: string - saved_query_id: - type: string - timeout: - type: number - Security_Detections_API_OsqueryQuery: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Detections_API_EcsMapping' - id: - description: Query ID - type: string - platform: - type: string - query: - description: Query to run - type: string - removed: - type: boolean - snapshot: - type: boolean - version: - description: Query version - type: string - required: - - id - - query - Security_Detections_API_OsqueryResponseAction: - type: object - properties: - action_type_id: - enum: - - .osquery - type: string - params: - $ref: '#/components/schemas/Security_Detections_API_OsqueryParams' - required: - - action_type_id - - params - Security_Detections_API_PlatformErrorResponse: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Detections_API_ProcessesParams: - type: object - properties: - command: - enum: - - kill-process - - suspend-process - type: string - comment: - type: string - config: - type: object - properties: - field: - description: Field to use instead of process.pid - type: string - overwrite: - default: true - description: Whether to overwrite field with process.pid - type: boolean - required: - - field - required: - - command - - config - Security_Detections_API_QueryRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields' - Security_Detections_API_QueryRuleCreateFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields - Security_Detections_API_QueryRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' - Security_Detections_API_QueryRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - Security_Detections_API_QueryRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - Security_Detections_API_QueryRulePatchFields: - allOf: - - type: object - properties: - type: - description: Rule type - enum: - - query - type: string - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields - Security_Detections_API_QueryRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields' - Security_Detections_API_QueryRuleRequiredFields: - type: object - properties: - type: - description: Rule type - enum: - - query - type: string - required: - - type - Security_Detections_API_QueryRuleResponseFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - required: - - query - - language - Security_Detections_API_QueryRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' - Security_Detections_API_RelatedIntegration: - description: > - Related integration is a potential dependency of a rule. It's assumed - that if the user installs - - one of the related integrations of a rule, the rule might start to work - properly because it will - - have source events (generated by this integration) potentially matching - the rule's query. - - - NOTE: Proper work is not guaranteed, because a related integration, if - installed, can be - - configured differently or generate data that is not necessarily relevant - for this rule. - - - Related integration is a combination of a Fleet package and (optionally) - one of the - - package's "integrations" that this package contains. It is represented - by 3 properties: - - - - `package`: name of the package (required, unique id) - - - `version`: version of the package (required, semver-compatible) - - - `integration`: name of the integration of this package (optional, id - within the package) - - - There are Fleet packages like `windows` that contain only one - integration; in this case, - - `integration` should be unspecified. There are also packages like `aws` - and `azure` that contain - - several integrations; in this case, `integration` should be specified. - - - @example - - const x: RelatedIntegration = { - package: 'windows', - version: '1.5.x', - }; - - - @example - - const x: RelatedIntegration = { - package: 'azure', - version: '~1.1.6', - integration: 'activitylogs', - }; - type: object - properties: - integration: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - package: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - version: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - package - - version - Security_Detections_API_RelatedIntegrationArray: - items: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' - type: array - Security_Detections_API_RequiredField: - description: > - Describes an Elasticsearch field that is needed for the rule to - function. - - - Almost all types of Security rules check source event documents for a - match to some kind of - - query or filter. If a document has certain field with certain values, - then it's a match and - - the rule will generate an alert. - - - Required field is an event field that must be present in the source - indices of a given rule. - - - @example - - const standardEcsField: RequiredField = { - name: 'event.action', - type: 'keyword', - ecs: true, - }; - - - @example - - const nonEcsField: RequiredField = { - name: 'winlog.event_data.AttributeLDAPDisplayName', - type: 'keyword', - ecs: false, - }; - type: object - properties: - ecs: - description: Whether the field is an ECS field - type: boolean - name: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: Name of an Elasticsearch field - type: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: Type of the Elasticsearch field - required: - - name - - type - - ecs - Security_Detections_API_RequiredFieldArray: - items: - $ref: '#/components/schemas/Security_Detections_API_RequiredField' - type: array - Security_Detections_API_RequiredFieldInput: - description: >- - Input parameters to create a RequiredField. Does not include the `ecs` - field, because `ecs` is calculated on the backend based on the field - name and type. - type: object - properties: - name: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: Name of an Elasticsearch field - type: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: Type of an Elasticsearch field - required: - - name - - type - Security_Detections_API_ResponseAction: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' - - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction' - Security_Detections_API_ResponseFields: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - type: string - execution_summary: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - immutable: - $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' - required_fields: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray' - revision: - minimum: 0 - type: integer - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_source: - $ref: '#/components/schemas/Security_Detections_API_RuleSource' - updated_at: - format: date-time - type: string - updated_by: - type: string - required: - - id - - rule_id - - immutable - - rule_source - - updated_at - - updated_by - - created_at - - created_by - - revision - - related_integrations - - required_fields - Security_Detections_API_RiskScore: - description: Risk score (0 to 100) - maximum: 100 - minimum: 0 - type: integer - Security_Detections_API_RiskScoreMapping: - description: >- - Overrides generated alerts' risk_score with a value from the source - event - items: - type: object - properties: - field: - type: string - operator: - enum: - - equals - type: string - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - value: - type: string - required: - - field - - operator - - value - type: array - Security_Detections_API_RuleAction: - type: object - properties: - action_type_id: - description: The action type used for sending notifications. - type: string - alerts_filter: - $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' - frequency: - $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' - group: - $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleActionId' - params: - $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' - uuid: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - action_type_id - - id - - params - Security_Detections_API_RuleActionAlertsFilter: - additionalProperties: true - type: object - Security_Detections_API_RuleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - rule execution or at specific time intervals). - type: object - properties: - notifyWhen: - $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' - summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert - type: boolean - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - nullable: true - required: - - summary - - notifyWhen - - throttle - Security_Detections_API_RuleActionGroup: - description: >- - Optionally groups actions by use cases. Use `default` for alert - notifications. - type: string - Security_Detections_API_RuleActionId: - description: The connector ID. - type: string - Security_Detections_API_RuleActionNotifyWhen: - description: >- - The condition for throttling the notification: `onActionGroupChange`, - `onActiveAlert`, or `onThrottleInterval` - enum: - - onActiveAlert - - onThrottleInterval - - onActionGroupChange - type: string - Security_Detections_API_RuleActionParams: - additionalProperties: true - description: >- - Object containing the allowed connector fields, which varies according - to the connector type. - type: object - Security_Detections_API_RuleActionThrottle: - description: Defines how often rule actions are taken. - oneOf: - - enum: - - no_actions - - rule - type: string - - description: 'Time interval in seconds, minutes, hours, or days.' - example: 1h - pattern: '^[1-9]\d*[smhd]$' - type: string - Security_Detections_API_RuleAuthorArray: - items: - type: string - type: array - Security_Detections_API_RuleCreateProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - discriminator: - propertyName: type - Security_Detections_API_RuleDescription: - minLength: 1 - type: string - Security_Detections_API_RuleDetailsInError: - type: object - properties: - id: - type: string - name: - type: string - required: - - id - Security_Detections_API_RuleExceptionList: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: ID of the exception container - list_id: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: List ID of the exception container - namespace_type: - description: Determines the exceptions validity in rule's Kibana space - enum: - - agnostic - - single - type: string - type: - $ref: '#/components/schemas/Security_Detections_API_ExceptionListType' - required: - - id - - list_id - - type - - namespace_type - Security_Detections_API_RuleExecutionMetrics: - type: object - properties: - execution_gap_duration_s: - description: Duration in seconds of execution gap - minimum: 0 - type: integer - total_enrichment_duration_ms: - description: >- - Total time spent enriching documents during current rule execution - cycle - minimum: 0 - type: integer - total_indexing_duration_ms: - description: >- - Total time spent indexing documents during current rule execution - cycle - minimum: 0 - type: integer - total_search_duration_ms: - description: >- - Total time spent performing ES searches as measured by Kibana; - includes network latency and time spent serializing/deserializing - request/response - minimum: 0 - type: integer - Security_Detections_API_RuleExecutionStatus: - description: >- - Custom execution status of Security rules that is different from the - status used in the Alerting Framework. We merge our custom status with - the Framework's status to determine the resulting status of a rule. - - - going to run - @deprecated Replaced by the 'running' status but left - for backwards compatibility with rule execution events already written - to Event Log in the prior versions of Kibana. Don't use when writing - rule status changes. - - - running - Rule execution started but not reached any intermediate or - final status. - - - partial failure - Rule can partially fail for various reasons either - in the middle of an execution (in this case we update its status right - away) or in the end of it. So currently this status can be both - intermediate and final at the same time. A typical reason for a partial - failure: not all the indices that the rule searches over actually exist. - - - failed - Rule failed to execute due to unhandled exception or a reason - defined in the business logic of its executor function. - - - succeeded - Rule executed successfully without any issues. Note: this - status is just an indication of a rule's "health". The rule might or - might not generate any alerts despite of it. - enum: - - going to run - - running - - partial failure - - failed - - succeeded - type: string - Security_Detections_API_RuleExecutionStatusOrder: - type: integer - Security_Detections_API_RuleExecutionSummary: - type: object - properties: - last_execution: - type: object - properties: - date: - description: Date of the last execution - format: date-time - type: string - message: - type: string - metrics: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionMetrics - status: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' - description: Status of the last execution - status_order: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder - required: - - date - - status - - status_order - - message - - metrics - required: - - last_execution - Security_Detections_API_RuleFalsePositiveArray: - items: - type: string - type: array - Security_Detections_API_RuleFilterArray: - items: {} - type: array - Security_Detections_API_RuleInterval: - description: >- - Frequency of rule execution, using a date math range. For example, "1h" - means the rule runs every hour. Defaults to 5m (5 minutes). - type: string - Security_Detections_API_RuleIntervalFrom: - description: >- - Time from which data is analyzed each time the rule runs, using a date - math range. For example, now-4200s means the rule analyzes data from 70 - minutes before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). - format: date-math - type: string - Security_Detections_API_RuleIntervalTo: - type: string - Security_Detections_API_RuleLicense: - description: The rule's license. - type: string - Security_Detections_API_RuleMetadata: - additionalProperties: true - type: object - Security_Detections_API_RuleName: - minLength: 1 - type: string - Security_Detections_API_RuleNameOverride: - description: Sets the source field for the alert's signal.rule.name value - type: string - Security_Detections_API_RuleObjectId: - $ref: '#/components/schemas/Security_Detections_API_UUID' - Security_Detections_API_RulePatchProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' - Security_Detections_API_RulePreviewLoggedRequest: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - duration: - type: integer - request: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - request - Security_Detections_API_RulePreviewLogs: - type: object - properties: - duration: - description: Execution duration in milliseconds - type: integer - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array - requests: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest - type: array - startedAt: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - warnings: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array - required: - - errors - - warnings - - duration - Security_Detections_API_RulePreviewParams: - type: object - properties: - invocationCount: - type: integer - timeframeEnd: - format: date-time - type: string - required: - - invocationCount - - timeframeEnd - Security_Detections_API_RuleQuery: - type: string - Security_Detections_API_RuleReferenceArray: - items: - type: string - type: array - Security_Detections_API_RuleResponse: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRule' - - $ref: '#/components/schemas/Security_Detections_API_QueryRule' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRule' - discriminator: - propertyName: type - Security_Detections_API_RuleSignatureId: - description: 'Could be any string, not necessarily a UUID' - type: string - Security_Detections_API_RuleSource: - description: >- - Discriminated union that determines whether the rule is internally - sourced (created within the Kibana app) or has an external source, such - as the Elastic Prebuilt rules repo. - discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' - Security_Detections_API_RuleTagArray: - description: >- - String array containing words and phrases to help categorize, filter, - and search rules. Defaults to an empty array. - items: - type: string - type: array - Security_Detections_API_RuleUpdateProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - discriminator: - propertyName: type - Security_Detections_API_RuleVersion: - description: The rule's version number. - minimum: 1 - type: integer - Security_Detections_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Detections_API_SavedObjectResolveAliasTargetId: - type: string - Security_Detections_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Detections_API_SavedQueryId: - type: string - Security_Detections_API_SavedQueryRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields - Security_Detections_API_SavedQueryRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields - Security_Detections_API_SavedQueryRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields - Security_Detections_API_SavedQueryRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_SavedQueryRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - Security_Detections_API_SavedQueryRulePatchFields: - allOf: - - type: object - properties: - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - type: - description: Rule type - enum: - - saved_query - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields - Security_Detections_API_SavedQueryRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields - Security_Detections_API_SavedQueryRuleRequiredFields: - type: object - properties: - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - type: - description: Rule type - enum: - - saved_query - type: string - required: - - type - - saved_id - Security_Detections_API_SavedQueryRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_SavedQueryRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields - Security_Detections_API_SetAlertsStatusByIds: - type: object - properties: - signal_ids: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - minItems: 1 - type: array - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatus' - required: - - signal_ids - - status - Security_Detections_API_SetAlertsStatusByQuery: - type: object - properties: - conflicts: - default: abort - enum: - - abort - - proceed - type: string - query: - additionalProperties: true - type: object - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatus' - required: - - query - - status - Security_Detections_API_SetAlertTags: - type: object - properties: - tags_to_add: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - tags_to_remove: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - required: - - tags_to_add - - tags_to_remove - Security_Detections_API_SetupGuide: - type: string - Security_Detections_API_Severity: - description: Severity of the rule - enum: - - low - - medium - - high - - critical - type: string - Security_Detections_API_SeverityMapping: - description: Overrides generated alerts' severity with values from the source event - items: - type: object - properties: - field: - type: string - operator: - enum: - - equals - type: string - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - value: - type: string - required: - - field - - operator - - severity - - value - type: array - Security_Detections_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Detections_API_SortOrder: - enum: - - asc - - desc - type: string - Security_Detections_API_Threat: - type: object - properties: - framework: - description: Relevant attack framework - type: string - tactic: - $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' - technique: - description: Array containing information on the attack techniques (optional) - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' - type: array - required: - - framework - - tactic - Security_Detections_API_ThreatArray: - items: - $ref: '#/components/schemas/Security_Detections_API_Threat' - type: array - Security_Detections_API_ThreatFilters: - items: - description: >- - Query and filter context array used to filter documents from the - Elasticsearch index containing the threat values - type: array - Security_Detections_API_ThreatIndex: - items: - type: string - type: array - Security_Detections_API_ThreatIndicatorPath: - description: >- - Defines the path to the threat indicator in the indicator documents - (optional) - type: string - Security_Detections_API_ThreatMapping: - items: - type: object - properties: - entries: - items: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: - enum: - - mapping - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - field - - type - - value - type: array - required: - - entries - minItems: 1 - type: array - Security_Detections_API_ThreatMatchRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields - Security_Detections_API_ThreatMatchRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields - Security_Detections_API_ThreatMatchRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields - Security_Detections_API_ThreatMatchRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThreatMatchRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - concurrent_searches: - $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - items_per_search: - $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch' - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - threat_filters: - $ref: '#/components/schemas/Security_Detections_API_ThreatFilters' - threat_indicator_path: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath' - threat_language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThreatMatchRulePatchFields: - allOf: - - type: object - properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threat_index: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' - threat_mapping: - $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' - threat_query: - $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' - type: - description: Rule type - enum: - - threat_match - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields - Security_Detections_API_ThreatMatchRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields - Security_Detections_API_ThreatMatchRuleRequiredFields: - type: object - properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threat_index: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' - threat_mapping: - $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' - threat_query: - $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' - type: - description: Rule type - enum: - - threat_match - type: string - required: - - type - - query - - threat_query - - threat_mapping - - threat_index - Security_Detections_API_ThreatMatchRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_ThreatMatchRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields - Security_Detections_API_ThreatQuery: - description: Query to run - type: string - Security_Detections_API_ThreatSubtechnique: - type: object - properties: - id: - description: Subtechnique ID - type: string - name: - description: Subtechnique name - type: string - reference: - description: Subtechnique reference - type: string - required: - - id - - name - - reference - Security_Detections_API_ThreatTactic: - type: object - properties: - id: - description: Tactic ID - type: string - name: - description: Tactic name - type: string - reference: - description: Tactic reference - type: string - required: - - id - - name - - reference - Security_Detections_API_ThreatTechnique: - type: object - properties: - id: - description: Technique ID - type: string - name: - description: Technique name - type: string - reference: - description: Technique reference - type: string - subtechnique: - description: Array containing more specific information on the attack technique - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique' - type: array - required: - - id - - name - - reference - Security_Detections_API_Threshold: - type: object - properties: - cardinality: - $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality' - field: - $ref: '#/components/schemas/Security_Detections_API_ThresholdField' - value: - $ref: '#/components/schemas/Security_Detections_API_ThresholdValue' - required: - - field - - value - Security_Detections_API_ThresholdAlertSuppression: - type: object - properties: - duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration - required: - - duration - Security_Detections_API_ThresholdCardinality: - items: - type: object - properties: - field: - type: string - value: - minimum: 0 - type: integer - required: - - field - - value - type: array - Security_Detections_API_ThresholdField: - description: Field to aggregate on - oneOf: - - type: string - - items: - type: string - type: array - Security_Detections_API_ThresholdRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields - Security_Detections_API_ThresholdRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields - Security_Detections_API_ThresholdRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields - Security_Detections_API_ThresholdRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThresholdRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - Security_Detections_API_ThresholdRulePatchFields: - allOf: - - type: object - properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threshold: - $ref: '#/components/schemas/Security_Detections_API_Threshold' - type: - description: Rule type - enum: - - threshold - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields - Security_Detections_API_ThresholdRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRulePatchFields - Security_Detections_API_ThresholdRuleRequiredFields: - type: object - properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threshold: - $ref: '#/components/schemas/Security_Detections_API_Threshold' - type: - description: Rule type - enum: - - threshold - type: string - required: - - type - - query - - threshold - Security_Detections_API_ThresholdRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_ThresholdRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields - Security_Detections_API_ThresholdValue: - description: Threshold value - minimum: 1 - type: integer - Security_Detections_API_ThrottleForBulkActions: - description: >- - The condition for throttling the notification: 'rule', 'no_actions', or - time duration - enum: - - rule - - 1h - - 1d - - 7d - type: string - Security_Detections_API_TiebreakerField: - description: Sets a secondary field for sorting events - type: string - Security_Detections_API_TimelineTemplateId: - description: Timeline template ID - type: string - Security_Detections_API_TimelineTemplateTitle: - description: Timeline template title - type: string - Security_Detections_API_TimestampField: - description: Contains the event timestamp used for sorting a sequence of events - type: string - Security_Detections_API_TimestampOverride: - description: Sets the time field used to query indices - type: string - Security_Detections_API_TimestampOverrideFallbackDisabled: - description: Disables the fallback to the event's @timestamp field - type: boolean - Security_Detections_API_UUID: - description: A universally unique identifier - format: uuid - type: string - Security_Detections_API_WarningSchema: - type: object - properties: - actionPath: - type: string - buttonLabel: - type: string - message: - type: string - type: - type: string - required: - - type - - message - - actionPath - Security_Endpoint_Exceptions_API_EndpointList: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList' - - additionalProperties: false - type: object - Security_Endpoint_Exceptions_API_EndpointListItem: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - Security_Endpoint_Exceptions_API_ExceptionList: - type: object - properties: - _version: - type: string - created_at: - format: date-time - type: string - created_by: - type: string - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId - immutable: - type: boolean - list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags - tie_breaker_id: - type: string - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType - updated_at: - format: date-time - type: string - updated_by: - type: string - version: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion - required: - - id - - list_id - - type - - name - - description - - immutable - - namespace_type - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Endpoint_Exceptions_API_ExceptionListDescription: - type: string - Security_Endpoint_Exceptions_API_ExceptionListHumanId: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - description: 'Human readable string identifier, e.g. `trusted-linux-processes`' - Security_Endpoint_Exceptions_API_ExceptionListId: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ExceptionListItem: - type: object - properties: - _version: - type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - created_at: - format: date-time - type: string - created_by: - type: string - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - tie_breaker_id: - type: string - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - updated_at: - format: date-time - type: string - updated_by: - type: string - required: - - id - - item_id - - list_id - - type - - name - - description - - entries - - namespace_type - - comments - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Endpoint_Exceptions_API_ExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - created_at: - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - updated_at: - format: date-time - type: string - updated_by: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - required: - - id - - comment - - created_at - - created_by - Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemDescription: - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemEntry: - anyOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard - discriminator: - propertyName: type - Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - exists - type: string - required: - - type - - field - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryList: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - list: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId' - type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType' - required: - - id - - type - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - list - type: string - required: - - type - - field - - list - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match - type: string - value: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match_any - type: string - value: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - minItems: 1 - type: array - required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - wildcard - type: string - value: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested: - type: object - properties: - entries: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem - minItems: 1 - type: array - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - type: - enum: - - nested - type: string - required: - - type - - field - - entries - Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: - enum: - - excluded - - included - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ExceptionListItemId: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ExceptionListItemMeta: - additionalProperties: true - type: object - Security_Endpoint_Exceptions_API_ExceptionListItemName: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemTags: - items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemType: - enum: - - simple - type: string - Security_Endpoint_Exceptions_API_ExceptionListMeta: - additionalProperties: true - type: object - Security_Endpoint_Exceptions_API_ExceptionListName: - type: string - Security_Endpoint_Exceptions_API_ExceptionListOsType: - enum: - - linux - - macos - - windows - type: string - Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType - type: array - Security_Endpoint_Exceptions_API_ExceptionListTags: - items: - type: string - type: array - Security_Endpoint_Exceptions_API_ExceptionListType: - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Endpoint_Exceptions_API_ExceptionListVersion: - minimum: 1 - type: integer - Security_Endpoint_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - - in which it is created, where: - - - - `single`: Only available in the Kibana space in which it is created. - - - `agnostic`: Available in all Kibana spaces. - enum: - - agnostic - - single - type: string - Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ListId: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ListType: - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Endpoint_Exceptions_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_Endpoint_Exceptions_API_PlatformErrorResponse: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Endpoint_Exceptions_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Endpoint_Management_API_ActionLogRequestQuery: - type: object - properties: - end_date: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - page_size: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - start_date: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - Security_Endpoint_Management_API_ActionStateSuccessResponse: - type: object - properties: - body: - type: object - properties: - data: - type: object - properties: - canEncrypt: - type: boolean - required: - - data - required: - - body - Security_Endpoint_Management_API_ActionStatusSuccessResponse: - type: object - properties: - body: - type: object - properties: - data: - type: object - properties: - agent_id: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentId - pending_actions: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema - required: - - agent_id - - pending_actions - required: - - data - required: - - body - Security_Endpoint_Management_API_AgentId: - description: Agent ID - type: string - Security_Endpoint_Management_API_AgentIds: - minLength: 1 - oneOf: - - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - - minLength: 1 - type: string - Security_Endpoint_Management_API_AgentTypes: - enum: - - endpoint - - sentinel_one - - crowdstrike - type: string - Security_Endpoint_Management_API_AlertIds: - description: A list of alerts ids. - items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_NonEmptyString' - minItems: 1 - type: array - Security_Endpoint_Management_API_CaseIds: - description: Case IDs to be updated (cannot contain empty strings) - items: - minLength: 1 - type: string - minItems: 1 - type: array - Security_Endpoint_Management_API_Command: - description: The command to be executed (cannot be an empty string) - enum: - - isolate - - unisolate - - kill-process - - suspend-process - - running-processes - - get-file - - execute - - upload - - scan - minLength: 1 - type: string - Security_Endpoint_Management_API_Commands: - items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' - type: array - Security_Endpoint_Management_API_Comment: - description: Optional comment - type: string - Security_Endpoint_Management_API_EndDate: - description: End date - type: string - Security_Endpoint_Management_API_EndpointIds: - description: List of endpoint IDs (cannot contain empty strings) - items: - minLength: 1 - type: string - minItems: 1 - type: array - Security_Endpoint_Management_API_EntityId: - type: object - properties: - entity_id: - minLength: 1 - type: string - Security_Endpoint_Management_API_ExecuteRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - type: object - properties: - command: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Command - timeout: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Timeout - required: - - command - required: - - parameters - Security_Endpoint_Management_API_GetEndpointActionListRouteQuery: - type: object - properties: - agentIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - agentTypes: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - commands: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - endDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - startDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - types: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' - userIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - withOutputs: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - Security_Endpoint_Management_API_GetFileRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - type: object - properties: - path: - type: string - required: - - path - required: - - parameters - Security_Endpoint_Management_API_GetProcessesRouteRequestBody: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema - Security_Endpoint_Management_API_IsolateRouteRequestBody: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema - Security_Endpoint_Management_API_KillProcessRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EntityId - - type: object - properties: - process_name: - description: Valid for SentinelOne agent type only - minLength: 1 - type: string - required: - - parameters - Security_Endpoint_Management_API_ListRequestQuery: - type: object - properties: - hostStatuses: - items: - enum: - - healthy - - offline - - updating - - inactive - - unenrolled - type: string - type: array - kuery: - nullable: true - type: string - page: - default: 0 - description: Page number - minimum: 0 - type: integer - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - sortDirection: - enum: - - asc - - desc - nullable: true - type: string - sortField: - enum: - - enrolled_at - - metadata.host.hostname - - host_status - - metadata.Endpoint.policy.applied.name - - metadata.Endpoint.policy.applied.status - - metadata.host.os.name - - metadata.host.ip - - metadata.agent.version - - last_checkin - type: string - required: - - hostStatuses - Security_Endpoint_Management_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_Endpoint_Management_API_NoParametersRequestSchema: - type: object - properties: - body: - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - required: - - body - Security_Endpoint_Management_API_Page: - default: 1 - description: Page number - minimum: 1 - type: integer - Security_Endpoint_Management_API_PageSize: - default: 10 - description: Number of items per page - maximum: 100 - minimum: 1 - type: integer - Security_Endpoint_Management_API_Parameters: - description: Optional parameters object - type: object - Security_Endpoint_Management_API_PendingActionDataType: - type: integer - Security_Endpoint_Management_API_PendingActionsSchema: - oneOf: - - type: object - properties: - execute: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - get-file: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - isolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - kill-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - running-processes: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - scan: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - suspend-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - unisolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - upload: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - - additionalProperties: true - type: object - Security_Endpoint_Management_API_Pid: - type: object - properties: - pid: - minimum: 1 - type: integer - Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: - type: object - properties: - note: - type: string - Security_Endpoint_Management_API_ScanRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - type: object - properties: - path: - type: string - required: - - path - required: - - parameters - Security_Endpoint_Management_API_StartDate: - description: Start date - type: string - Security_Endpoint_Management_API_SuccessResponse: - type: object - properties: {} - Security_Endpoint_Management_API_SuspendProcessRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EntityId - required: - - parameters - Security_Endpoint_Management_API_Timeout: - description: The maximum timeout value in milliseconds (optional) - minimum: 1 - type: integer - Security_Endpoint_Management_API_Type: - description: Type of response action - enum: - - automated - - manual - type: string - Security_Endpoint_Management_API_Types: - description: List of types of response actions - items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' - maxLength: 2 - minLength: 1 - type: array - Security_Endpoint_Management_API_UnisolateRouteRequestBody: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema - Security_Endpoint_Management_API_UploadRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - file: - format: binary - type: string - parameters: - type: object - properties: - overwrite: - default: false - type: boolean - required: - - parameters - - file - Security_Endpoint_Management_API_UserIds: - description: User IDs - oneOf: - - items: - minLength: 1 - type: string - minItems: 1 - type: array - - minLength: 1 - type: string - Security_Endpoint_Management_API_WithOutputs: - description: Shows detailed outputs for an action response - oneOf: - - items: - minLength: 1 - type: string - minItems: 1 - type: array - - minLength: 1 - type: string - Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: - type: object - properties: - index: - type: integer - message: - type: string - required: - - message - - index - Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats: - type: object - properties: - failed: - type: integer - successful: - type: integer - total: - type: integer - required: - - successful - - failed - - total - Security_Entity_Analytics_API_AssetCriticalityLevel: - description: The criticality level of the asset. - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - Security_Entity_Analytics_API_AssetCriticalityRecord: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts - - type: object - properties: - '@timestamp': - description: The time the record was created or updated. - example: '2017-07-21T17:32:28Z' - format: date-time - type: string - required: - - '@timestamp' - Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - asset - host: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - name: - type: string - required: - - name - user: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - name: - type: string - required: - - name - required: - - asset - Security_Entity_Analytics_API_AssetCriticalityRecordIdParts: - type: object - properties: - id_field: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - description: The field representing the ID. - example: host.name - id_value: - description: The ID value of the asset. - type: string - required: - - id_value - - id_field - Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse: - type: object - properties: - cleanup_successful: - example: false - type: boolean - errors: - items: - type: object - properties: - error: - type: string - seq: - type: integer - required: - - seq - - error - type: array - required: - - cleanup_successful - - errors - Security_Entity_Analytics_API_CreateAssetCriticalityRecord: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts - - type: object - properties: - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality_level - Security_Entity_Analytics_API_EngineDataviewUpdateResult: - type: object - properties: - changes: - type: object - properties: - indexPatterns: - items: - type: string - type: array - type: - type: string - required: - - type - Security_Entity_Analytics_API_EngineDescriptor: - type: object - properties: - error: - type: object - fieldHistoryLength: - type: integer - filter: - type: string - indexPattern: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' - status: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - required: - - type - - indexPattern - - status - - fieldHistoryLength - Security_Entity_Analytics_API_EngineStatus: - enum: - - installing - - started - - stopped - - updating - - error - type: string - Security_Entity_Analytics_API_Entity: - oneOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' - Security_Entity_Analytics_API_EntityRiskLevels: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - Security_Entity_Analytics_API_EntityRiskScoreRecord: - type: object - properties: - '@timestamp': - description: The time at which the risk score was calculated. - example: '2017-07-21T17:32:28Z' - format: date-time - type: string - calculated_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' - description: Lexical description of the entity's risk. - example: Critical - calculated_score: - description: The raw numeric value of the given entity's risk score. - format: double - type: number - calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. - format: double - maximum: 100 - minimum: 0 - type: number - category_1_count: - description: >- - The number of risk input documents that contributed to the Category - 1 score (`category_1_score`). - format: integer - type: number - category_1_score: - description: >- - The contribution of Category 1 to the overall risk score - (`calculated_score`). Category 1 contains Detection Engine Alerts. - format: double - type: number - category_2_count: - format: integer - type: number - category_2_score: - format: double - type: number - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - criticality_modifier: - format: double - type: number - id_field: - description: >- - The identifier field defining this risk score. Coupled with - `id_value`, uniquely identifies the entity being scored. - example: host.name - type: string - id_value: - description: >- - The identifier value defining this risk score. Coupled with - `id_field`, uniquely identifies the entity being scored. - example: example.host - type: string - inputs: - description: >- - A list of the highest-risk documents contributing to this risk - score. Useful for investigative purposes. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' - type: array - notes: - items: - type: string - type: array - required: - - '@timestamp' - - id_field - - id_value - - calculated_level - - calculated_score - - calculated_score_norm - - category_1_score - - category_1_count - - inputs - - notes - Security_Entity_Analytics_API_EntityType: - enum: - - user - - host - type: string - Security_Entity_Analytics_API_HostEntity: - type: object - properties: - '@timestamp': - format: date-time - type: string - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - entity: - type: object - properties: - name: - type: string - source: - type: string - required: - - name - - source - host: - type: object - properties: - architecture: - items: - type: string - type: array - domain: - items: - type: string - type: array - hostname: - items: - type: string - type: array - id: - items: - type: string - type: array - ip: - items: - type: string - type: array - mac: - items: - type: string - type: array - name: - type: string - risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord - type: - items: - type: string - type: array - required: - - name - required: - - '@timestamp' - - host - - entity - Security_Entity_Analytics_API_IdField: - enum: - - host.name - - user.name - type: string - Security_Entity_Analytics_API_IndexPattern: - type: string - Security_Entity_Analytics_API_InspectQuery: - type: object - properties: - dsl: - items: - type: string - type: array - response: - items: - type: string - type: array - required: - - dsl - - response - Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: - type: object - properties: - full_error: - type: string - message: - type: string - required: - - message - - full_error - Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: - type: object - properties: - success: - type: boolean - Security_Entity_Analytics_API_RiskScoreInput: - description: A generic representation of a document contributing to a Risk Score. - type: object - properties: - category: - description: The risk category of the risk input document. - example: category_1 - type: string - contribution_score: - format: double - type: number - description: - description: A human-readable description of the risk input document. - example: 'Generated from Detection Engine Rule: Malware Prevention Alert' - type: string - id: - description: The unique identifier (`_id`) of the original source document - example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c - type: string - index: - description: The unique index (`_index`) of the original source document - example: .internal.alerts-security.alerts-default-000001 - type: string - risk_score: - description: The weighted risk score of the risk input document. - format: double - maximum: 100 - minimum: 0 - type: number - timestamp: - description: The @timestamp of the risk input document. - example: '2017-07-21T17:32:28Z' - type: string - required: - - id - - index - - description - - category - Security_Entity_Analytics_API_TaskManagerUnavailableResponse: - description: Task manager is unavailable - type: object - properties: - message: - type: string - status_code: - minimum: 400 - type: integer - required: - - status_code - - message - Security_Entity_Analytics_API_UserEntity: - type: object - properties: - '@timestamp': - format: date-time - type: string - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - entity: - type: object - properties: - name: - type: string - source: - type: string - required: - - name - - source - user: - type: object - properties: - domain: - items: - type: string - type: array - email: - items: - type: string - type: array - full_name: - items: - type: string - type: array - hash: - items: - type: string - type: array - id: - items: - type: string - type: array - name: - type: string - risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord - roles: - items: - type: string - type: array - required: - - name - required: - - '@timestamp' - - user - - entity - Security_Exceptions_API_CreateExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_CreateExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment - type: array - Security_Exceptions_API_CreateRuleExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment - type: array - Security_Exceptions_API_CreateRuleExceptionListItemProps: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - default: [] - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - - entries - Security_Exceptions_API_ExceptionList: - type: object - properties: - _version: - type: string - created_at: - format: date-time - type: string - created_by: - type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - immutable: - type: boolean - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' - tie_breaker_id: - type: string - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' - updated_at: - format: date-time - type: string - updated_by: - type: string - version: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' - required: - - id - - list_id - - type - - name - - description - - immutable - - namespace_type - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListDescription: - type: string - Security_Exceptions_API_ExceptionListHumanId: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - description: 'Human readable string identifier, e.g. `trusted-linux-processes`' - Security_Exceptions_API_ExceptionListId: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_ExceptionListItem: - type: object - properties: - _version: - type: string - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray - created_at: - format: date-time - type: string - created_by: - type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - tie_breaker_id: - type: string - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - updated_at: - format: date-time - type: string - updated_by: - type: string - required: - - id - - item_id - - list_id - - type - - name - - description - - entries - - namespace_type - - comments - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - created_at: - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - updated_at: - format: date-time - type: string - updated_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - id - - comment - - created_at - - created_by - Security_Exceptions_API_ExceptionListItemCommentArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' - type: array - Security_Exceptions_API_ExceptionListItemDescription: - type: string - Security_Exceptions_API_ExceptionListItemEntry: - anyOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard - discriminator: - propertyName: type - Security_Exceptions_API_ExceptionListItemEntryArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' - type: array - Security_Exceptions_API_ExceptionListItemEntryExists: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - exists - type: string - required: - - type - - field - - operator - Security_Exceptions_API_ExceptionListItemEntryList: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - list: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Exceptions_API_ListId' - type: - $ref: '#/components/schemas/Security_Exceptions_API_ListType' - required: - - id - - type - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - list - type: string - required: - - type - - field - - list - - operator - Security_Exceptions_API_ExceptionListItemEntryMatch: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match - type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchAny: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match_any - type: string - value: - items: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - minItems: 1 - type: array - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - wildcard - type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryNested: - type: object - properties: - entries: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem - minItems: 1 - type: array - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - type: - enum: - - nested - type: string - required: - - type - - field - - entries - Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - Security_Exceptions_API_ExceptionListItemEntryOperator: - enum: - - excluded - - included - type: string - Security_Exceptions_API_ExceptionListItemHumanId: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_ExceptionListItemId: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_ExceptionListItemMeta: - additionalProperties: true - type: object - Security_Exceptions_API_ExceptionListItemName: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_ExceptionListItemOsTypeArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListItemTags: - items: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - type: array - Security_Exceptions_API_ExceptionListItemType: - enum: - - simple - type: string - Security_Exceptions_API_ExceptionListMeta: - additionalProperties: true - type: object - Security_Exceptions_API_ExceptionListName: - type: string - Security_Exceptions_API_ExceptionListOsType: - enum: - - linux - - macos - - windows - type: string - Security_Exceptions_API_ExceptionListOsTypeArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListsImportBulkError: - type: object - properties: - error: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - required: - - error - Security_Exceptions_API_ExceptionListsImportBulkErrorArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError - type: array - Security_Exceptions_API_ExceptionListTags: - items: - type: string - type: array - Security_Exceptions_API_ExceptionListType: - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Exceptions_API_ExceptionListVersion: - minimum: 1 - type: integer - Security_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - - in which it is created, where: - - - - `single`: Only available in the Kibana space in which it is created. - - - `agnostic`: Available in all Kibana spaces. - enum: - - agnostic - - single - type: string - Security_Exceptions_API_FindExceptionListItemsFilter: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_FindExceptionListsFilter: - type: string - Security_Exceptions_API_ListId: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_ListType: - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Exceptions_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_Exceptions_API_PlatformErrorResponse: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Exceptions_API_RuleId: - $ref: '#/components/schemas/Security_Exceptions_API_UUID' - Security_Exceptions_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Exceptions_API_UpdateExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_UpdateExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment - type: array - Security_Exceptions_API_UUID: - description: A universally unique identifier - format: uuid - type: string - Security_Lists_API_FindListItemsCursor: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_FindListItemsFilter: - type: string - Security_Lists_API_FindListsCursor: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_FindListsFilter: - type: string - Security_Lists_API_List: - type: object - properties: - _version: - type: string - '@timestamp': - format: date-time - type: string - created_at: - format: date-time - type: string - created_by: - type: string - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - deserializer: - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - immutable: - type: boolean - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - serializer: - type: string - tie_breaker_id: - type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - format: date-time - type: string - updated_by: - type: string - version: - minimum: 1 - type: integer - required: - - id - - type - - name - - description - - immutable - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListDescription: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_ListId: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_ListItem: - type: object - properties: - _version: - type: string - '@timestamp': - format: date-time - type: string - created_at: - format: date-time - type: string - created_by: - type: string - deserializer: - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - serializer: - type: string - tie_breaker_id: - type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - format: date-time - type: string - updated_by: - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - type - - list_id - - value - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListItemId: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_ListItemMetadata: - additionalProperties: true - type: object - Security_Lists_API_ListItemPrivileges: - type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: - type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListItemValue: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_ListMetadata: - additionalProperties: true - type: object - Security_Lists_API_ListName: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_ListPrivileges: - type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: - type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListType: - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Lists_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_Lists_API_PlatformErrorResponse: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Lists_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Osquery_API_ArrayQueries: - items: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' - type: array - Security_Osquery_API_ArrayQueriesItem: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_Id' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_CreateLiveQueryRequestBody: - type: object - properties: - agent_all: - type: boolean - agent_ids: - items: - type: string - type: array - agent_platforms: - items: - type: string - type: array - agent_policy_ids: - items: - type: string - type: array - alert_ids: - items: - type: string - type: array - case_ids: - items: - type: string - type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - event_ids: - items: - type: string - type: array - metadata: - nullable: true - type: object - pack_id: - $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - Security_Osquery_API_CreatePacksRequestBody: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_CreateSavedQueryRequestBody: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - platform: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_DefaultSuccessResponse: - type: object - properties: {} - Security_Osquery_API_Description: - type: string - Security_Osquery_API_DescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Description' - nullable: true - Security_Osquery_API_ECSMapping: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - type: object - Security_Osquery_API_ECSMappingItem: - type: object - properties: - field: - type: string - value: - oneOf: - - type: string - - items: - type: string - type: array - Security_Osquery_API_ECSMappingOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - nullable: true - Security_Osquery_API_Enabled: - type: boolean - Security_Osquery_API_EnabledOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - nullable: true - Security_Osquery_API_FindLiveQueryRequestQuery: - type: object - properties: - kuery: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - page: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - pageSize: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - sort: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - sortOrder: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - Security_Osquery_API_FindPacksRequestQuery: - type: object - properties: - page: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - pageSize: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - sort: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - sortOrder: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - Security_Osquery_API_FindSavedQueryRequestQuery: - type: object - properties: - page: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - pageSize: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - sort: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - sortOrder: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - Security_Osquery_API_GetLiveQueryResultsRequestQuery: - type: object - properties: - kuery: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - page: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - pageSize: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - sort: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - sortOrder: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - Security_Osquery_API_Id: - type: string - Security_Osquery_API_Interval: - type: string - Security_Osquery_API_IntervalOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - nullable: true - Security_Osquery_API_KueryOrUndefined: - nullable: true - type: string - Security_Osquery_API_ObjectQueries: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' - type: object - Security_Osquery_API_ObjectQueriesItem: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_Id' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_PackId: - type: string - Security_Osquery_API_PackIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - nullable: true - Security_Osquery_API_PackName: - type: string - Security_Osquery_API_PageOrUndefined: - nullable: true - type: integer - Security_Osquery_API_PageSizeOrUndefined: - nullable: true - type: integer - Security_Osquery_API_Platform: - type: string - Security_Osquery_API_PlatformOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - nullable: true - Security_Osquery_API_PolicyIds: - items: - type: string - type: array - Security_Osquery_API_PolicyIdsOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - nullable: true - Security_Osquery_API_Query: - type: string - Security_Osquery_API_QueryOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Query' - nullable: true - Security_Osquery_API_Removed: - type: boolean - Security_Osquery_API_RemovedOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - nullable: true - Security_Osquery_API_SavedQueryId: - type: string - Security_Osquery_API_SavedQueryIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - nullable: true - Security_Osquery_API_Shards: - additionalProperties: - type: number - type: object - Security_Osquery_API_Snapshot: - type: boolean - Security_Osquery_API_SnapshotOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - nullable: true - Security_Osquery_API_SortOrderOrUndefined: - oneOf: - - nullable: true - type: string - - enum: - - asc - - desc - Security_Osquery_API_SortOrUndefined: - nullable: true - type: string - Security_Osquery_API_UpdatePacksRequestBody: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_UpdateSavedQueryRequestBody: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' - platform: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_Version: - type: string - Security_Osquery_API_VersionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Version' - nullable: true - Security_Timeline_API_AssociatedFilterType: - description: Filter notes based on their association with a document or saved object. - enum: - - all - - document_only - - saved_object_only - - document_and_saved_object - - orphan - type: string - Security_Timeline_API_BareNote: - type: object - properties: - created: - nullable: true - type: number - createdBy: - nullable: true - type: string - eventId: - nullable: true - type: string - note: - nullable: true - type: string - timelineId: - type: string - updated: - nullable: true - type: number - updatedBy: - nullable: true - type: string - required: - - timelineId - Security_Timeline_API_BarePinnedEvent: - type: object - properties: - created: - nullable: true - type: number - createdBy: - nullable: true - type: string - eventId: - type: string - timelineId: - type: string - updated: - nullable: true - type: number - updatedBy: - nullable: true - type: string - required: - - eventId - - timelineId - Security_Timeline_API_ColumnHeaderResult: - type: object - properties: - aggregatable: - nullable: true - type: boolean - category: - nullable: true - type: string - columnHeaderType: - nullable: true - type: string - description: - nullable: true - type: string - example: - nullable: true - type: string - id: - nullable: true - type: string - indexes: - items: - type: string - nullable: true - type: array - name: - nullable: true - type: string - placeholder: - nullable: true - type: string - searchable: - nullable: true - type: boolean - type: - nullable: true - type: string - Security_Timeline_API_DataProviderQueryMatch: - type: object - properties: - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderResult: - type: object - properties: - and: - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' - nullable: true - type: array - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderType: - description: >- - The type of data provider to create. Valid values are `default` and - `template`. - enum: - - default - - template - type: string - Security_Timeline_API_DocumentIds: - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_FavoriteTimelineResponse: - type: object - properties: - code: - nullable: true - type: number - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - type: array - message: - nullable: true - type: string - savedObjectId: - type: string - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - version: - type: string - required: - - savedObjectId - - version - Security_Timeline_API_FavoriteTimelineResult: - type: object - properties: - favoriteDate: - nullable: true - type: number - fullName: - nullable: true - type: string - userName: - nullable: true - type: string - Security_Timeline_API_FilterTimelineResult: - type: object - properties: - exists: - nullable: true - type: string - match_all: - nullable: true - type: string - meta: - nullable: true - type: object - properties: - alias: - nullable: true - type: string - controlledBy: - nullable: true - type: string - disabled: - nullable: true - type: boolean - field: - nullable: true - type: string - formattedValue: - nullable: true - type: string - index: - nullable: true - type: string - key: - nullable: true - type: string - negate: - nullable: true - type: boolean - params: - nullable: true - type: string - type: - nullable: true - type: string - value: - nullable: true - type: string - missing: - nullable: true - type: string - query: - nullable: true - type: string - range: - nullable: true - type: string - script: - nullable: true - type: string - Security_Timeline_API_GetNotesResult: - type: object - properties: - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - type: array - totalCount: - type: number - required: - - totalCount - - notes - Security_Timeline_API_ImportTimelineResult: - type: object - properties: - errors: - items: - type: object - properties: - error: - type: object - properties: - message: - type: string - status_code: - type: number - id: - type: string - type: array - success: - type: boolean - success_count: - type: number - timelines_installed: - type: number - timelines_updated: - type: number - Security_Timeline_API_ImportTimelines: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - eventNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - globalNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - savedObjectId: - nullable: true - type: string - version: - nullable: true - type: string - required: - - savedObjectId - - version - - pinnedEventIds - - eventNotes - - globalNotes - Security_Timeline_API_Note: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - - type: object - properties: - noteId: - type: string - version: - type: string - required: - - noteId - - version - Security_Timeline_API_PersistPinnedEventResponse: - oneOf: - - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - - $ref: >- - #/components/schemas/Security_Timeline_API_PinnedEventBaseResponseBody - - nullable: true - type: object - Security_Timeline_API_PersistTimelineResponse: - type: object - properties: - data: - type: object - properties: - persistTimeline: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - required: - - timeline - required: - - persistTimeline - required: - - data - Security_Timeline_API_PinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - - type: object - properties: - pinnedEventId: - type: string - version: - type: string - required: - - pinnedEventId - - version - Security_Timeline_API_PinnedEventBaseResponseBody: - type: object - properties: - code: - type: number - message: - type: string - required: - - code - Security_Timeline_API_QueryMatchResult: - type: object - properties: - displayField: - nullable: true - type: string - displayValue: - nullable: true - type: string - field: - nullable: true - type: string - operator: - nullable: true - type: string - value: - oneOf: - - nullable: true - type: string - - items: - type: string - nullable: true - type: array - Security_Timeline_API_ResolvedTimeline: - type: object - properties: - alias_purpose: - $ref: >- - #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose - alias_target_id: - type: string - outcome: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' - timeline: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - required: - - timeline - - outcome - Security_Timeline_API_ResponseNote: - type: object - properties: - code: - type: number - message: - type: string - note: - $ref: '#/components/schemas/Security_Timeline_API_Note' - required: - - code - - message - - note - Security_Timeline_API_RowRendererId: - enum: - - alert - - alerts - - auditd - - auditd_file - - library - - netflow - - plain - - registry - - suricata - - system - - system_dns - - system_endgame_process - - system_file - - system_fim - - system_security_event - - system_socket - - threat_match - - zeek - type: string - Security_Timeline_API_SavedObjectIds: - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Timeline_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Timeline_API_SavedTimeline: - type: object - properties: - columns: - items: - $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' - nullable: true - type: array - created: - nullable: true - type: number - createdBy: - nullable: true - type: string - dataProviders: - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' - nullable: true - type: array - dataViewId: - nullable: true - type: string - dateRange: - nullable: true - type: object - properties: - end: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - start: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - description: - nullable: true - type: string - eqlOptions: - nullable: true - type: object - properties: - eventCategoryField: - nullable: true - type: string - query: - nullable: true - type: string - size: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - tiebreakerField: - nullable: true - type: string - timestampField: - nullable: true - type: string - eventType: - nullable: true - type: string - excludedRowRendererIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' - nullable: true - type: array - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - nullable: true - type: array - filters: - items: - $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' - nullable: true - type: array - indexNames: - items: - type: string - nullable: true - type: array - kqlMode: - nullable: true - type: string - kqlQuery: - $ref: >- - #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult - nullable: true - savedQueryId: - nullable: true - type: string - savedSearchId: - nullable: true - type: string - sort: - $ref: '#/components/schemas/Security_Timeline_API_Sort' - nullable: true - status: - enum: - - active - - draft - - immutable - nullable: true - type: string - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - title: - nullable: true - type: string - updated: - nullable: true - type: number - updatedBy: - nullable: true - type: string - Security_Timeline_API_SavedTimelineWithSavedObjectId: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - savedObjectId: - type: string - version: - type: string - required: - - savedObjectId - - version - Security_Timeline_API_SerializedFilterQueryResult: - type: object - properties: - filterQuery: - nullable: true - type: object - properties: - kuery: - nullable: true - type: object - properties: - expression: - nullable: true - type: string - kind: - nullable: true - type: string - serializedQuery: - nullable: true - type: string - Security_Timeline_API_Sort: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - - items: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - type: array - Security_Timeline_API_SortFieldTimeline: - description: The field to sort the timelines by. - enum: - - title - - description - - updated - - created - type: string - Security_Timeline_API_SortObject: - type: object - properties: - columnId: - nullable: true - type: string - columnType: - nullable: true - type: string - sortDirection: - nullable: true - type: string - Security_Timeline_API_TimelineResponse: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - $ref: >- - #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId - - type: object - properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - items: - type: string - nullable: true - type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true - type: array - Security_Timeline_API_TimelineSavedToReturnObject: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - items: - type: string - nullable: true - type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true - type: array - savedObjectId: - type: string - version: - type: string - required: - - savedObjectId - - version - Security_Timeline_API_TimelineStatus: - description: >- - The status of the timeline. Valid values are `active`, `draft`, and - `immutable`. - enum: - - active - - draft - - immutable - type: string - Security_Timeline_API_TimelineType: - description: >- - The type of timeline to create. Valid values are `default` and - `template`. - enum: - - default - - template - type: string - Serverless_saved_objects_400_response: - title: Bad request - type: object - properties: - error: - enum: - - Bad Request - type: string - message: - type: string - statusCode: - enum: - - 400 - type: integer - required: - - error - - message - - statusCode - SLOs_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Invalid value ''foo'' supplied to: [...]' - type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - SLOs_401_response: - title: Unauthorized - type: object - properties: - error: - example: Unauthorized - type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" - type: string - statusCode: - example: 401 - type: number - required: - - statusCode - - error - - message - SLOs_403_response: - title: Unauthorized - type: object - properties: - error: - example: Unauthorized - type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" - type: string - statusCode: - example: 403 - type: number - required: - - statusCode - - error - - message - SLOs_404_response: - title: Not found - type: object - properties: - error: - example: Not Found - type: string - message: - example: 'SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found' - type: string - statusCode: - example: 404 - type: number - required: - - statusCode - - error - - message - SLOs_409_response: - title: Conflict - type: object - properties: - error: - example: Conflict - type: string - message: - example: 'SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists' - type: string - statusCode: - example: 409 - type: number - required: - - statusCode - - error - - message - SLOs_budgeting_method: - description: The budgeting method to use when computing the rollup data. - enum: - - occurrences - - timeslices - example: occurrences - title: Budgeting method - type: string - SLOs_create_slo_request: - description: > - The create SLO API request body varies depending on the type of - indicator, time window and budgeting method. - properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. - type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: >- - A optional and unique identifier for the SLO. Must be between 8 and - 36 chars - example: my-super-slo-id - type: string - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - required: - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - title: Create SLO request - type: object - SLOs_create_slo_response: - title: Create SLO response - type: object - properties: - id: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - id - SLOs_delete_slo_instances_request: - description: > - The delete SLO instances request takes a list of SLO id and instance id, - then delete the rollup and summary data. This API can be used to remove - the staled data of an instance SLO that no longer get updated. - properties: - list: - description: An array of slo id and instance id - items: - type: object - properties: - instanceId: - description: The SLO instance identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - sloId: - description: The SLO unique identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - sloId - - instanceId - type: array - required: - - list - title: Delete SLO instances request - type: object - SLOs_error_budget: - title: Error budget - type: object - properties: - consumed: - description: 'The error budget consummed, as a percentage of the initial value.' - example: 0.8 - type: number - initial: - description: 'The initial error budget, as 1 - objective' - example: 0.02 - type: number - isEstimated: - description: >- - Only for SLO defined with occurrences budgeting method and calendar - aligned time window. - example: true - type: boolean - remaining: - description: 'The error budget remaining, as a percentage of the initial value.' - example: 0.2 - type: number - required: - - initial - - consumed - - remaining - - isEstimated - SLOs_filter: - description: Defines properties for a filter - properties: - meta: - $ref: '#/components/schemas/SLOs_filter_meta' - query: - type: object - title: Filter - type: object - SLOs_filter_meta: - description: Defines properties for a filter - properties: - alias: - nullable: true - type: string - controlledBy: - type: string - disabled: - type: boolean - field: - type: string - group: - type: string - index: - type: string - isMultiIndex: - type: boolean - key: - type: string - negate: - type: boolean - params: - type: object - type: - type: string - value: - type: string - title: FilterMeta - type: object - SLOs_find_slo_response: - description: | - A paginated response of SLOs matching the query. - properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - total: - example: 34 - type: number - title: Find SLO response - type: object - SLOs_group_by: - description: >- - optional group by field or fields to use to generate an SLO per distinct - value - example: - - - service.name - - service.name - - - service.name - - service.environment - oneOf: - - type: string - - items: - type: string - type: array - title: Group by - SLOs_indicator_properties_apm_availability: - description: Defines properties for the APM availability indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: 'metrics-apm*,apm*' - type: string - service: - description: The APM service name - example: o11y-app - type: string - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - type: - description: The type of indicator. - example: sli.apm.transactionDuration - type: string - required: - - type - - params - title: APM availability - SLOs_indicator_properties_apm_latency: - description: Defines properties for the APM latency indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: 'metrics-apm*,apm*' - type: string - service: - description: The APM service name - example: o11y-app - type: string - threshold: - description: The latency threshold in milliseconds - example: 250 - type: number - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - type: - description: The type of indicator. - example: sli.apm.transactionDuration - type: string - required: - - type - - params - title: APM latency - SLOs_indicator_properties_custom_kql: - description: Defines properties for a custom query indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.kql.custom - type: string - required: - - type - - params - title: Custom Query - SLOs_indicator_properties_custom_metric: - description: Defines properties for a custom metric indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" metrics and equation - type: object - properties: - equation: - description: The equation to calculate the "good" metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - type: object - properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option - is "sum" - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: '^[A-Z]$' - type: string - required: - - name - - aggregation - - field - type: array - required: - - metrics - - equation - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" metrics and equation - type: object - properties: - equation: - description: The equation to calculate the "total" metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - type: object - properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option - is "sum" - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: '^[A-Z]$' - type: string - required: - - name - - aggregation - - field - type: array - required: - - metrics - - equation - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.metric.custom - type: string - required: - - type - - params - title: Custom metric - SLOs_indicator_properties_histogram: - description: Defines properties for a histogram indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" events - type: object - properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count - type: string - field: - description: The field use to aggregate the good events. - example: processor.latency - type: string - filter: - description: The filter for good events. - example: 'processor.outcome: "success"' - type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number - required: - - aggregation - - field - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" events - type: object - properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count - type: string - field: - description: The field use to aggregate the good events. - example: processor.latency - type: string - filter: - description: The filter for total events. - example: 'processor.outcome : *' - type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number - required: - - aggregation - - field - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.histogram.custom - type: string - required: - - type - - params - title: Histogram indicator - SLOs_indicator_properties_timeslice_metric: - description: Defines properties for a timeslice metric indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - index: - description: The index or index pattern to use - example: my-service-* - type: string - metric: - description: > - An object defining the metrics, equation, and threshold to - determine if it's a good slice or not - type: object - properties: - comparator: - description: >- - The comparator to use to compare the equation to the - threshold. - enum: - - GT - - GTE - - LT - - LTE - example: GT - type: string - equation: - description: The equation to calculate the metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - anyOf: - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - type: array - threshold: - description: >- - The threshold used to determine if the metric is a good - slice or not. - example: 100 - type: number - required: - - metrics - - equation - - comparator - - threshold - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - required: - - index - - timestampField - - metric - type: - description: The type of indicator. - example: sli.metric.timeslice - type: string - required: - - type - - params - title: Timeslice metric - SLOs_kql_with_filters: - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL with filters - SLOs_kql_with_filters_good: - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'request.latency <= 150 and request.status_code : "2xx"' - type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for good events - SLOs_kql_with_filters_total: - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for all events - SLOs_objective: - description: Defines properties for the SLO objective - type: object - properties: - target: - description: the target objective between 0 and 1 excluded - example: 0.99 - exclusiveMaximum: true - exclusiveMinimum: true - maximum: 100 - minimum: 0 - type: number - timesliceTarget: - description: >- - the target objective for each slice when using a timeslices - budgeting method - example: 0.995 - maximum: 100 - minimum: 0 - type: number - timesliceWindow: - description: >- - the duration of each slice when using a timeslices budgeting method, - as {duraton}{unit} - example: 5m - type: string - required: - - target - title: Objective - SLOs_settings: - description: Defines properties for SLO settings. - properties: - frequency: - default: 1m - description: 'Configure how often the transform runs, default 1m' - example: 5m - type: string - preventInitialBackfill: - default: false - description: Prevents the transform from backfilling data when it starts. - example: true - type: boolean - syncDelay: - default: 1m - description: The synch delay to apply to the transform. Default 1m - example: 5m - type: string - title: Settings - type: object - SLOs_slo_definition_response: - title: SLO definition response - type: object - properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' - type: string - description: - description: The description of the SLO. - example: My SLO description - type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: The name of the SLO. - example: My Service SLO - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' - type: string - version: - description: The internal SLO version - example: 2 - type: number - required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt - - version - SLOs_slo_with_summary_response: - title: SLO response - type: object - properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' - type: string - description: - description: The description of the SLO. - example: My SLO description - type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - instanceId: - description: 'the value derived from the groupBy field, if present, otherwise ''*''' - example: host-abcde - type: string - name: - description: The name of the SLO. - example: My Service SLO - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - summary: - $ref: '#/components/schemas/SLOs_summary' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' - type: string - version: - description: The internal SLO version - example: 2 - type: number - required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version - SLOs_summary: - description: The SLO computed data - properties: - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - sliValue: - example: 0.9836 - type: number - status: - $ref: '#/components/schemas/SLOs_summary_status' - required: - - status - - sliValue - - errorBudget - title: Summary - type: object - SLOs_summary_status: - enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - title: summary status - type: string - SLOs_time_window: - description: Defines properties for the SLO time window - type: object - properties: - duration: - description: >- - the duration formatted as {duration}{unit}. Accepted values for - rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w - (weekly) or 1M (monthly) - example: 30d - type: string - type: - description: >- - Indicates weither the time window is a rolling or a calendar aligned - time window. - enum: - - rolling - - calendarAligned - example: rolling - type: string - required: - - duration - - type - title: Time window - SLOs_timeslice_metric_basic_metric_with_field: - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: '^[A-Z]$' - type: string - required: - - name - - aggregation - - field - title: Timeslice Metric Basic Metric with Field - SLOs_timeslice_metric_doc_count_metric: - type: object - properties: - aggregation: - description: The aggregation type of the metric. Only valid option is "doc_count" - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: '^[A-Z]$' - type: string - required: - - name - - aggregation - title: Timeslice Metric Doc Count Metric - SLOs_timeslice_metric_percentile_metric: - type: object - properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option is - "percentile" - enum: - - percentile - example: percentile - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: '^[A-Z]$' - type: string - percentile: - description: The percentile value. - example: 95 - type: number - required: - - name - - aggregation - - field - - percentile - title: Timeslice Metric Percentile Metric - SLOs_update_slo_request: - description: > - The update SLO API request body varies depending on the type of - indicator, time window and budgeting method. Partial update is handled. - properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. - type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - title: Update SLO request - type: object - securitySchemes: - apiKeyAuth: - description: >- - You must create an API key and use the encoded value in the request - header. To learn about creating keys, go to [API - keys](https://www.elastic.co/docs/current/serverless/api-keys). - in: header - name: Authorization - type: apiKey -security: - - apiKeyAuth: [] -tags: - - description: > - Configure APM agent keys to authorize requests from APM agents to the APM - Server. - name: APM agent keys - - description: > - Annotate visualizations in the APM app with significant events. - Annotations enable you to easily see how events are impacting the - performance of your applications. - name: APM annotations - - name: Data streams - - description: >- - Data view APIs enable you to manage data views, formerly known as Kibana - index patterns. - name: data views - - name: Elastic Agent actions - - name: Elastic Agent binary download sources - - name: Elastic Agent policies - - name: Elastic Agent status - - name: Elastic Agents - - name: Elastic Package Manager (EPM) - - name: Fleet enrollment API keys - - name: Fleet internals - - name: Fleet Kubernetes - - name: Fleet outputs - - name: Fleet package policies - - name: Fleet proxies - - name: Fleet Server hosts - - name: Fleet service tokens - - name: Fleet uninstall tokens - - description: Machine learning - name: ml - - description: > - Export sets of saved objects that you want to import into {kib}, resolve - import errors, and rotate an encryption key for encrypted saved objects - with the saved objects APIs. - - - To manage a specific type of saved object, use the corresponding APIs. - - For example, use: - - - [Data views](../group/endpoint-data-views) - - - Warning: Do not write documents directly to the `.kibana` index. When you - write directly to the `.kibana` index, the data becomes corrupted and - permanently breaks future Kibana versions. - name: saved objects - x-displayName: Saved objects - - description: Manage and interact with Security Assistant resources. - name: Security AI Assistant API - x-displayName: Security AI assistant - - description: >- - You can create rules that automatically turn events and external alerts - sent to Elastic Security into detection alerts. These alerts are displayed - on the Detections page. - name: Security Detections API - x-displayName: Security detections - - description: >- - Endpoint Exceptions API allows you to manage detection rule endpoint - exceptions to prevent a rule from generating an alert from incoming events - even when the rule's other criteria are met. - name: Security Endpoint Exceptions API - x-displayName: Security endpoint exceptions - - description: Interact with and manage endpoints running the Elastic Defend integration. - name: Security Endpoint Management API - x-displayName: Security endpoint management - - description: '' - name: Security Entity Analytics API - x-displayName: Security entity analytics - - description: >- - Exceptions API allows you to manage detection rule exceptions to prevent a - rule from generating an alert from incoming events even when the rule's - other criteria are met. - name: Security Exceptions API - x-displayName: Security exceptions - - description: 'Lists API allows you to manage lists of keywords, IPs or IP ranges items.' - name: Security Lists API - x-displayName: Security lists - - description: 'Run live queries, manage packs and saved queries.' - name: Security Osquery API - x-displayName: Security Osquery - - description: >- - You can create Timelines and Timeline templates via the API, as well as - import new Timelines from an ndjson file. - name: Security Timeline API - x-displayName: Security timeline - - description: 'SLO APIs enable you to define, manage and track service-level objectives' - name: slo diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index b672704e2b053..eb652623d8340 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -55,7 +55,7 @@ info: ## Documentation source and versions - This documentation is derived from the `main` branch of the + This documentation is derived from the `8.16` branch of the [kibana](https://github.com/elastic/kibana) repository. It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 diff --git a/oas_docs/scripts/merge_serverless_oas.js b/oas_docs/scripts/merge_serverless_oas.js deleted file mode 100644 index d9d91dfb032b4..0000000000000 --- a/oas_docs/scripts/merge_serverless_oas.js +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the "Elastic License - * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side - * Public License v 1"; you may not use this file except in compliance with, at - * your election, the "Elastic License 2.0", the "GNU Affero General Public - * License v3.0 only", or the "Server Side Public License, v 1". - */ - -require('../../src/setup_node_env'); -const { merge } = require('@kbn/openapi-bundler'); -const { REPO_ROOT } = require('@kbn/repo-info'); - -(async () => { - await merge({ - sourceGlobs: [ - `${REPO_ROOT}/oas_docs/bundle.serverless.json`, - `${REPO_ROOT}/src/plugins/data_views/docs/openapi/bundled.yaml`, - `${REPO_ROOT}/x-pack/plugins/ml/common/openapi/ml_apis_serverless.yaml`, - `${REPO_ROOT}/packages/core/saved-objects/docs/openapi/bundled_serverless.yaml`, - `${REPO_ROOT}/x-pack/plugins/fleet/common/openapi/bundled.yaml`, - - // Observability Solution - `${REPO_ROOT}/x-pack/plugins/observability_solution/apm/docs/openapi/apm.yaml`, - `${REPO_ROOT}/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.yaml`, - - // Security solution - `${REPO_ROOT}/x-pack/plugins/security_solution/docs/openapi/serverless/*.schema.yaml`, - `${REPO_ROOT}/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/*.schema.yaml`, - `${REPO_ROOT}/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/*.schema.yaml`, - `${REPO_ROOT}/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/serverless/*.schema.yaml`, - `${REPO_ROOT}/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/serverless/*.schema.yaml`, - `${REPO_ROOT}/x-pack/plugins/osquery/docs/openapi/serverless/*.schema.yaml`, - ], - outputFilePath: `${REPO_ROOT}/oas_docs/output/kibana.serverless.yaml`, - options: { - prototypeDocument: `${REPO_ROOT}/oas_docs/kibana.info.serverless.yaml`, - }, - }); -})();