{"openapi":"3.0.3","info":{"contact":{"name":"Kibana Team"},"description":"The Kibana REST APIs for Elastic serverless enable you to manage resources\nsuch as connectors, data views, and saved objects. The API calls are\nstateless. Each request that you make happens in isolation from other calls\nand must include all of the necessary information for Kibana to fulfill the\nrequest. API requests return JSON output, which is a format that is\nmachine-readable and works well for automation.\n\nTo interact with Kibana APIs, use the following operations:\n\n- GET: Fetches the information.\n- POST: Adds new information.\n- PUT: Updates the existing information.\n- DELETE: Removes the information.\n\nYou can prepend any Kibana API endpoint with `kbn:` and run the request in\n**Dev Tools \u2192 Console**. For example:\n\n```\nGET kbn:\/api\/data_views\n```\n\n## Documentation source and versions\n\nThis documentation is derived from the `main` branch of the [kibana](https:\/\/github.com\/elastic\/kibana) repository.\nIt is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/).\n","title":"Kibana Serverless APIs","version":"","x-doc-license":{"name":"Attribution-NonCommercial-NoDerivatives 4.0 International","url":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"},"x-feedbackLink":{"label":"Feedback","url":"https:\/\/github.com\/elastic\/docs-content\/issues\/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+"}},"servers":[{"url":"https:\/\/{kibana_url}","variables":{"kibana_url":{"default":"<KIBANA_URL>"}}}],"security":[{"apiKeyAuth":[]}],"tags":[{"name":"agent builder","description":"Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data.\nMost users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work 
programmatically with tools, agents, and conversations using these Kibana APIs.\n","externalDocs":{"description":"Agent Builder docs","url":"https:\/\/www.elastic.co\/docs\/solutions\/search\/agent-builder\/programmatic-access"},"x-displayName":"Agent Builder"},{"name":"alerting","description":"Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third-party integrations.\n","externalDocs":{"description":"Alerting documentation","url":"https:\/\/www.elastic.co\/docs\/explore-analyze\/alerts-cases\/alerts"},"x-displayName":"Alerting"},{"description":"Adjust APM agent configuration without needing to redeploy your application.\n","name":"APM agent configuration"},{"description":"Configure APM agent keys to authorize requests from APM agents to the APM Server.\n","name":"APM agent keys"},{"description":"Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.\n","name":"APM annotations"},{"description":"Create APM fleet server schema.","name":"APM server schema"},{"name":"connectors","description":"Connectors provide a central place to store connection information for services and integrations with Elastic or third-party systems. 
Alerting rules can use connectors to run actions when rule conditions are met.\n","externalDocs":{"description":"Connector documentation","url":"https:\/\/www.elastic.co\/docs\/reference\/kibana\/connectors-kibana"},"x-displayName":"Connectors"},{"name":"Data streams","description":"Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data.\n","x-displayName":"Data streams"},{"description":"Data view APIs enable you to manage data views, formerly known as Kibana index patterns.","name":"data views","x-displayName":"Data views"},{"name":"Elastic Agent actions","description":"Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management.\n","x-displayName":"Elastic Agent actions"},{"name":"Elastic Agent binary download sources","description":"Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries.\n","x-displayName":"Elastic Agent binary download sources"},{"name":"Elastic Agent policies","description":"Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information.\n","x-displayName":"Elastic Agent policies"},{"name":"Elastic Agent status","description":"Enables you to retrieve status information about Elastic Agents, including health summaries and operational status.\n","x-displayName":"Elastic Agent status"},{"name":"Elastic Agents","description":"Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent 
setup.\n","x-displayName":"Elastic Agents"},{"name":"Elastic Package Manager (EPM)","description":"Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets.\n","x-displayName":"Elastic Package Manager (EPM)"},{"name":"Fleet agentless policies"},{"name":"Fleet cloud connectors","description":"Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations.\n","x-displayName":"Fleet cloud connectors"},{"name":"Fleet enrollment API keys","description":"Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment.\n","x-displayName":"Fleet enrollment API keys"},{"name":"Fleet internals","description":"Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup.\n","x-displayName":"Fleet internals"},{"name":"Fleet outputs","description":"Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health.\n","x-displayName":"Fleet outputs"},{"name":"Fleet package policies","description":"Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades.\n","x-displayName":"Fleet package policies"},{"name":"Fleet proxies","description":"Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication.\n","x-displayName":"Fleet proxies"},{"name":"Fleet Server hosts","description":"Fleet Server hosts APIs 
enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations.\n","x-displayName":"Fleet Server hosts"},{"name":"Fleet service tokens"},{"name":"Fleet uninstall tokens","description":"Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation.\n","x-displayName":"Fleet uninstall tokens"},{"name":"maintenance-window","description":"You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages.\n","externalDocs":{"description":"Maintenance window documentation","url":"https:\/\/www.elastic.co\/docs\/explore-analyze\/alerts-cases\/alerts\/maintenance-windows"},"x-displayName":"Maintenance windows"},{"name":"Message Signing Service","description":"Enables you to rotate message signing key pairs for secure Fleet communication.\n","x-displayName":"Fleet Message Signing Service"},{"description":"Enables you to synchronize machine learning saved objects.\n","name":"ml","x-displayName":"Machine learning"},{"description":"Interact with the Observability AI Assistant resources.","externalDocs":{"description":"Observability AI Assistant","url":"https:\/\/www.elastic.co\/docs\/solutions\/observability\/observability-ai-assistant"},"name":"observability_ai_assistant","x-displayName":"Observability AI Assistant"},{"name":"roles","x-displayName":"Roles","description":"Manage the roles that grant Elasticsearch and Kibana privileges.","externalDocs":{"description":"Kibana role management","url":"https:\/\/www.elastic.co\/docs\/deploy-manage\/users-roles\/serverless-custom-roles"}},{"name":"saved objects","x-displayName":"Saved objects","description":"Export or import sets of saved objects.\n\nTo manage a specific type of saved object, use the corresponding APIs.\nFor example, use:\n\n[Data 
views](..\/group\/endpoint-data-views).\n"},{"description":"Manage and interact with Security Assistant resources.","name":"Security AI Assistant API","x-displayName":"Security AI assistant"},{"description":"Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each \"discovery\" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible.","name":"Security Attack discovery API","x-displayName":"Security Attack discovery"},{"description":"Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.\n\nThis API supports both key-based authentication and basic authentication.\n\nTo use key-based authentication, create an API key, then specify the key in the header of your API calls.\n\nTo use basic authentication, provide a username and password; this automatically creates an API key that matches the current user\u2019s privileges.\n\nIn both cases, the API key is subsequently used for authorization when the rule runs.\n> warn\n> If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.\n\n> If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.\n\nTo create and run rules, the user must meet specific requirements for the Kibana space. 
Refer to the [Detections requirements](https:\/\/www.elastic.co\/guide\/en\/security\/current\/detections-permissions-section.html) for a complete list of requirements.\n","name":"Security Detections API","x-displayName":"Security detections"},{"description":"Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.","name":"Security Endpoint Exceptions API","x-displayName":"Security Elastic Endpoint exceptions"},{"description":"Interact with and manage endpoints running the Elastic Defend integration.","name":"Security Endpoint Management API","x-displayName":"Security endpoint management"},{"description":"Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines.\n","name":"Security Entity Analytics API","x-displayName":"Security entity analytics"},{"name":"Security entity store"},{"description":"Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.\n\nExceptions are made up of:\n\n* **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.\n* **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. 
When an exception item's query evaluates to `true`, the rule does not generate an alert.\n\nFor detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.\n> info\n> You cannot use lists with endpoint rule exceptions.\n\n> info\n> Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.\n\n## Exceptions requirements\n\nBefore you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](..\/operation\/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https:\/\/www.elastic.co\/guide\/en\/serverless\/current\/security-detections-requirements.html#enable-detections-ui).\n","name":"Security Exceptions API","x-displayName":"Security exceptions"},{"description":"Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.\n\nLists are made up of:\n\n* **List containers**: A container for values of the same Elasticsearch data type. 
The following data types can be used:\n    * `boolean`\n    * `byte`\n    * `date`\n    * `date_nanos`\n    * `date_range`\n    * `double`\n    * `double_range`\n    * `float`\n    * `float_range`\n    * `half_float`\n    * `integer`\n    * `integer_range`\n    * `ip`\n    * `ip_range`\n    * `keyword`\n    * `long`\n    * `long_range`\n    * `short`\n    * `text`\n* **List items**: The values used to determine whether the exception prevents an alert from being generated.\n\nAll list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address:\n1. `192.168.1.1`\n2. `192.168.1.3`\n3. `192.168.1.18`\n4. `192.168.1.12`\n5. `192.168.1.7`\n\nTo use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](..\/operation\/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list.\n> info\n> Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](..\/operation\/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object.\n\n## Lists requirements\n\nBefore you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](..\/operation\/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. 
Refer to [Enable and access detections](https:\/\/www.elastic.co\/guide\/en\/serverless\/current\/security-detections-requirements.html#enable-detections-ui) for a complete list of requirements.\n","name":"Security Lists API","x-displayName":"Security lists"},{"description":"Run live queries, manage packs and saved queries.","name":"Security Osquery API","x-displayName":"Security Osquery"},{"description":"You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.","name":"Security Timeline API","x-displayName":"Security timeline"},{"description":"SLO APIs enable you to define, manage and track service-level objectives","name":"slo","x-displayName":"Service level objectives"},{"name":"spaces","x-displayName":"Spaces","description":"Manage your Kibana spaces.","externalDocs":{"url":"https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces","description":"Space overview"}},{"name":"streams","description":"Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types:\n* **Wired** streams are managed by Kibana. They route documents to child streams based on\n  field conditions and support custom field mappings and processing steps.\n\n* **Classic** streams map to existing Elasticsearch data streams. You can add processing\n  steps to classic streams without changing their underlying index template.\n\n* **Query** streams are virtual aggregations backed by an ES|QL expression. 
They aggregate\n  data from multiple streams into a single logical view without duplicating documents.\n","x-displayName":"Streams","externalDocs":{"description":"Streams documentation","url":"https:\/\/www.elastic.co\/docs\/solutions\/observability\/streams"}},{"name":"system","x-displayName":"System","description":"Get information about the system status, resource usage, features, and installed plugins.\n"},{"description":"Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks.","externalDocs":{"description":"Task manager","url":"https:\/\/www.elastic.co\/docs\/deploy-manage\/distributed-architecture\/kibana-tasks-management"},"name":"task manager","x-displayName":"Task manager"},{"name":"workflows","description":"Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools.\n\nUse the workflows APIs to create, manage, and run workflows programmatically. 
You can also search, export, import, and monitor workflow executions.\n","externalDocs":{"description":"Workflows documentation","url":"https:\/\/www.elastic.co\/docs\/explore-analyze\/workflows"},"x-displayName":"Workflows"}],"paths":{"\/api\/actions\/connector_types":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/actions\/connector_types<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nYou do not need any Kibana feature privileges to run this API.","operationId":"get-actions-connector-types","parameters":[{"description":"A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).","in":"query","name":"feature_id","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"allow_multiple_system_actions":{"description":"Indicates whether multiple instances of the same system action connector can be used in a single rule.","type":"boolean"},"enabled":{"description":"Indicates whether the connector is enabled.","type":"boolean"},"enabled_in_config":{"description":"Indicates whether the connector is enabled in the Kibana configuration.","type":"boolean"},"enabled_in_license":{"description":"Indicates whether the connector is enabled through the license.","type":"boolean"},"id":{"description":"The identifier for the connector.","type":"string"},"is_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_system_action_type":{"description":"Indicates whether the action is a system action.","type":"boolean"},"minimum_license_required":{"description":"The minimum license required to enable the 
connector.","enum":["basic","standard","gold","platinum","enterprise","trial"],"type":"string"},"name":{"description":"The name of the connector type.","type":"string"},"source":{"description":"The source of the connector type definition.","enum":["yml","spec","stack"],"type":"string"},"sub_feature":{"description":"Indicates the sub-feature type the connector is grouped under.","enum":["endpointSecurity"],"type":"string"},"supported_feature_ids":{"description":"The list of supported features","items":{"type":"string"},"type":"array"}},"required":["id","name","enabled","enabled_in_config","enabled_in_license","minimum_license_required","supported_feature_ids","is_system_action_type","is_deprecated","source"]},"type":"array"},"examples":{"getConnectorTypesServerlessResponse":{"$ref":"#\/components\/examples\/get_connector_types_generativeai_response"}}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Get connector types","tags":["connectors"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/actions\/connector\/_oauth_callback":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/actions\/connector\/_oauth_callback<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nHandles the OAuth 2.0 authorization code callback from external providers. 
Exchanges the authorization code for access and refresh tokens.<br\/><br\/>[Required authorization] Route required privileges: actions:oauth.","operationId":"get-actions-connector-oauth-callback","parameters":[{"description":"The authorization code returned by the OAuth provider.","in":"query","name":"code","required":false,"schema":{"type":"string"}},{"description":"The state parameter for CSRF protection.","in":"query","name":"state","required":false,"schema":{"type":"string"}},{"description":"Error code if the authorization failed.","in":"query","name":"error","required":false,"schema":{"type":"string"}},{"description":"Human-readable error description.","in":"query","name":"error_description","required":false,"schema":{"type":"string"}},{"description":"Session state from the OAuth provider (e.g., Microsoft).","in":"query","name":"session_state","required":false,"schema":{"type":"string"}}],"responses":{"200":{"description":"Returns an HTML callback page."},"302":{"description":"Redirects to the return URL with authorization result query parameters."},"401":{"description":"User is not authenticated."}},"summary":"Handle OAuth callback","tags":["connectors"],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/actions\/connector\/_oauth_callback_script":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/actions\/connector\/_oauth_callback_script<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReturns the OAuth callback script","operationId":"get-actions-connector-oauth-callback-script","parameters":[],"responses":{"200":{"description":"Returns the OAuth callback script"}},"summary":"","tags":[],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/actions\/connector\/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/actions\/connector\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nWARNING: When you delete a connector, it cannot be recovered.","operationId":"delete-actions-connector-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"An identifier for the connector.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Delete a connector","tags":["connectors"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"operationId":"get-actions-connector-id","parameters":[{"description":"An identifier for the connector.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"auth_mode":{"description":"The authentication mode used for the connector.","enum":["shared","per-user"],"type":"string"},"config":{"additionalProperties":{"nullable":true},"type":"object"},"connector_type_id":{"description":"The connector type identifier.","type":"string"},"id":{"description":"The identifier for the connector.","type":"string"},"is_connector_type_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_deprecated":{"description":"Indicates whether the connector is deprecated.","type":"boolean"},"is_missing_secrets":{"description":"Indicates 
whether the connector is missing secrets.","type":"boolean"},"is_preconfigured":{"description":"Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ","type":"boolean"},"is_system_action":{"description":"Indicates whether the connector is used for system actions.","type":"boolean"},"name":{"description":" The name of the connector.","type":"string"}},"required":["id","name","connector_type_id","is_preconfigured","is_deprecated","is_system_action","is_connector_type_deprecated"]},"examples":{"getConnectorResponse":{"$ref":"#\/components\/examples\/get_connector_response"}}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Get connector information","tags":["connectors"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/actions\/connector\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."},"post":{"operationId":"post-actions-connector-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"An identifier for the connector.","in":"path","name":"id","required":true,"schema":{"maxLength":36,"minLength":1,"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"connector_type_id":{"description":"The type of connector.","type":"string"},"name":{"description":"The display name for the connector.","type":"string"},"config":{"additionalProperties":{},"default":{},"description":"The connector configuration 
details.","oneOf":[{"$ref":"#\/components\/schemas\/bedrock_config"},{"$ref":"#\/components\/schemas\/crowdstrike_config"},{"$ref":"#\/components\/schemas\/d3security_config"},{"$ref":"#\/components\/schemas\/email_config"},{"$ref":"#\/components\/schemas\/gemini_config"},{"$ref":"#\/components\/schemas\/resilient_config"},{"$ref":"#\/components\/schemas\/index_config"},{"$ref":"#\/components\/schemas\/jira_config"},{"$ref":"#\/components\/schemas\/genai_azure_config"},{"$ref":"#\/components\/schemas\/genai_openai_config"},{"$ref":"#\/components\/schemas\/genai_openai_other_config"},{"$ref":"#\/components\/schemas\/opsgenie_config"},{"$ref":"#\/components\/schemas\/pagerduty_config"},{"$ref":"#\/components\/schemas\/sentinelone_config"},{"$ref":"#\/components\/schemas\/servicenow_config"},{"$ref":"#\/components\/schemas\/servicenow_itom_config"},{"$ref":"#\/components\/schemas\/slack_api_config"},{"$ref":"#\/components\/schemas\/swimlane_config"},{"$ref":"#\/components\/schemas\/thehive_config"},{"$ref":"#\/components\/schemas\/tines_config"},{"$ref":"#\/components\/schemas\/torq_config"},{"$ref":"#\/components\/schemas\/webhook_config"},{"$ref":"#\/components\/schemas\/cases_webhook_config"},{"$ref":"#\/components\/schemas\/xmatters_config"}]},"secrets":{"additionalProperties":{},"default":{},"oneOf":[{"$ref":"#\/components\/schemas\/bedrock_secrets"},{"$ref":"#\/components\/schemas\/crowdstrike_secrets"},{"$ref":"#\/components\/schemas\/d3security_secrets"},{"$ref":"#\/components\/schemas\/email_secrets"},{"$ref":"#\/components\/schemas\/gemini_secrets"},{"$ref":"#\/components\/schemas\/resilient_secrets"},{"$ref":"#\/components\/schemas\/jira_secrets"},{"$ref":"#\/components\/schemas\/defender_secrets"},{"$ref":"#\/components\/schemas\/teams_secrets"},{"$ref":"#\/components\/schemas\/genai_secrets"},{"$ref":"#\/components\/schemas\/opsgenie_secrets"},{"$ref":"#\/components\/schemas\/pagerduty_secrets"},{"$ref":"#\/components\/schemas\/sentinelone_secrets"},{"$ref
":"#\/components\/schemas\/servicenow_secrets"},{"$ref":"#\/components\/schemas\/slack_api_secrets"},{"$ref":"#\/components\/schemas\/swimlane_secrets"},{"$ref":"#\/components\/schemas\/thehive_secrets"},{"$ref":"#\/components\/schemas\/tines_secrets"},{"$ref":"#\/components\/schemas\/torq_secrets"},{"$ref":"#\/components\/schemas\/webhook_secrets"},{"$ref":"#\/components\/schemas\/cases_webhook_secrets"},{"$ref":"#\/components\/schemas\/xmatters_secrets"}]}},"required":["name","connector_type_id"]},"examples":{"createEmailConnectorRequest":{"$ref":"#\/components\/examples\/create_email_connector_request"},"createIndexConnectorRequest":{"$ref":"#\/components\/examples\/create_index_connector_request"},"createWebhookConnectorRequest":{"$ref":"#\/components\/examples\/create_webhook_connector_request"},"createXmattersConnectorRequest":{"$ref":"#\/components\/examples\/create_xmatters_connector_request"}}}}},"responses":{"200":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"auth_mode":{"description":"The authentication mode used for the connector.","enum":["shared","per-user"],"type":"string"},"config":{"additionalProperties":{"nullable":true},"type":"object"},"connector_type_id":{"description":"The connector type identifier.","type":"string"},"id":{"description":"The identifier for the connector.","type":"string"},"is_connector_type_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_deprecated":{"description":"Indicates whether the connector is deprecated.","type":"boolean"},"is_missing_secrets":{"description":"Indicates whether the connector is missing secrets.","type":"boolean"},"is_preconfigured":{"description":"Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. 
","type":"boolean"},"is_system_action":{"description":"Indicates whether the connector is used for system actions.","type":"boolean"},"name":{"description":" The name of the connector.","type":"string"}},"required":["id","name","connector_type_id","is_preconfigured","is_deprecated","is_system_action","is_connector_type_deprecated"]},"examples":{"createEmailConnectorResponse":{"$ref":"#\/components\/examples\/create_email_connector_response"},"createIndexConnectorResponse":{"$ref":"#\/components\/examples\/create_index_connector_response"},"createWebhookConnectorResponse":{"$ref":"#\/components\/examples\/create_webhook_connector_response"},"createXmattersConnectorResponse":{"$ref":"#\/components\/examples\/get_connector_response"}}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Create a connector","tags":["connectors"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/actions\/connector\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."},"put":{"operationId":"put-actions-connector-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"An identifier for the connector.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The display name for the connector.","type":"string"},"config":{"additionalProperties":{},"default":{},"description":"The connector configuration 
details.","oneOf":[{"$ref":"#\/components\/schemas\/bedrock_config"},{"$ref":"#\/components\/schemas\/crowdstrike_config"},{"$ref":"#\/components\/schemas\/d3security_config"},{"$ref":"#\/components\/schemas\/email_config"},{"$ref":"#\/components\/schemas\/gemini_config"},{"$ref":"#\/components\/schemas\/resilient_config"},{"$ref":"#\/components\/schemas\/index_config"},{"$ref":"#\/components\/schemas\/jira_config"},{"$ref":"#\/components\/schemas\/defender_config"},{"$ref":"#\/components\/schemas\/genai_azure_config"},{"$ref":"#\/components\/schemas\/genai_openai_config"},{"$ref":"#\/components\/schemas\/opsgenie_config"},{"$ref":"#\/components\/schemas\/pagerduty_config"},{"$ref":"#\/components\/schemas\/sentinelone_config"},{"$ref":"#\/components\/schemas\/servicenow_config"},{"$ref":"#\/components\/schemas\/servicenow_itom_config"},{"$ref":"#\/components\/schemas\/slack_api_config"},{"$ref":"#\/components\/schemas\/swimlane_config"},{"$ref":"#\/components\/schemas\/thehive_config"},{"$ref":"#\/components\/schemas\/tines_config"},{"$ref":"#\/components\/schemas\/torq_config"},{"$ref":"#\/components\/schemas\/webhook_config"},{"$ref":"#\/components\/schemas\/cases_webhook_config"},{"$ref":"#\/components\/schemas\/xmatters_config"}]},"secrets":{"additionalProperties":{},"default":{},"oneOf":[{"$ref":"#\/components\/schemas\/bedrock_secrets"},{"$ref":"#\/components\/schemas\/crowdstrike_secrets"},{"$ref":"#\/components\/schemas\/d3security_secrets"},{"$ref":"#\/components\/schemas\/email_secrets"},{"$ref":"#\/components\/schemas\/gemini_secrets"},{"$ref":"#\/components\/schemas\/resilient_secrets"},{"$ref":"#\/components\/schemas\/jira_secrets"},{"$ref":"#\/components\/schemas\/teams_secrets"},{"$ref":"#\/components\/schemas\/genai_secrets"},{"$ref":"#\/components\/schemas\/opsgenie_secrets"},{"$ref":"#\/components\/schemas\/pagerduty_secrets"},{"$ref":"#\/components\/schemas\/sentinelone_secrets"},{"$ref":"#\/components\/schemas\/servicenow_secrets"},{"$ref":"#\/co
mponents\/schemas\/slack_api_secrets"},{"$ref":"#\/components\/schemas\/swimlane_secrets"},{"$ref":"#\/components\/schemas\/thehive_secrets"},{"$ref":"#\/components\/schemas\/tines_secrets"},{"$ref":"#\/components\/schemas\/torq_secrets"},{"$ref":"#\/components\/schemas\/webhook_secrets"},{"$ref":"#\/components\/schemas\/cases_webhook_secrets"},{"$ref":"#\/components\/schemas\/xmatters_secrets"}]}},"required":["name"]},"examples":{"updateIndexConnectorRequest":{"$ref":"#\/components\/examples\/update_index_connector_request"}}}}},"responses":{"200":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"auth_mode":{"description":"The authentication mode used for the connector.","enum":["shared","per-user"],"type":"string"},"config":{"additionalProperties":{"nullable":true},"type":"object"},"connector_type_id":{"description":"The connector type identifier.","type":"string"},"id":{"description":"The identifier for the connector.","type":"string"},"is_connector_type_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_deprecated":{"description":"Indicates whether the connector is deprecated.","type":"boolean"},"is_missing_secrets":{"description":"Indicates whether the connector is missing secrets.","type":"boolean"},"is_preconfigured":{"description":"Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. 
","type":"boolean"},"is_system_action":{"description":"Indicates whether the connector is used for system actions.","type":"boolean"},"name":{"description":" The name of the connector.","type":"string"}},"required":["id","name","connector_type_id","is_preconfigured","is_deprecated","is_system_action","is_connector_type_deprecated"]}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Update a connector","tags":["connectors"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/actions\/connector\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/actions\/connector\/{id}\/_execute":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/actions\/connector\/{id}\/_execute<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nYou can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.","operationId":"post-actions-connector-id-execute","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"An identifier for the 
connector.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"params":{"additionalProperties":{},"oneOf":[{"$ref":"#\/components\/schemas\/run_acknowledge_resolve_pagerduty"},{"$ref":"#\/components\/schemas\/run_documents"},{"$ref":"#\/components\/schemas\/run_message_email"},{"$ref":"#\/components\/schemas\/run_message_serverlog"},{"$ref":"#\/components\/schemas\/run_message_slack"},{"$ref":"#\/components\/schemas\/run_trigger_pagerduty"},{"$ref":"#\/components\/schemas\/run_addevent"},{"$ref":"#\/components\/schemas\/run_closealert"},{"$ref":"#\/components\/schemas\/run_closeincident"},{"$ref":"#\/components\/schemas\/run_createalert"},{"$ref":"#\/components\/schemas\/run_fieldsbyissuetype"},{"$ref":"#\/components\/schemas\/run_getagentdetails"},{"$ref":"#\/components\/schemas\/run_getagents"},{"$ref":"#\/components\/schemas\/run_getchoices"},{"$ref":"#\/components\/schemas\/run_getfields"},{"$ref":"#\/components\/schemas\/run_getincident"},{"$ref":"#\/components\/schemas\/run_issue"},{"$ref":"#\/components\/schemas\/run_issues"},{"$ref":"#\/components\/schemas\/run_issuetypes"},{"$ref":"#\/components\/schemas\/run_postmessage"},{"$ref":"#\/components\/schemas\/run_pushtoservice"},{"$ref":"#\/components\/schemas\/run_validchannelid"}]}},"required":["params"]},"examples":{"runIndexConnectorRequest":{"$ref":"#\/components\/examples\/run_index_connector_request"},"runJiraConnectorRequest":{"$ref":"#\/components\/examples\/run_jira_connector_request"},"runServerLogConnectorRequest":{"$ref":"#\/components\/examples\/run_servicenow_itom_connector_request"},"runSlackConnectorRequest":{"$ref":"#\/components\/examples\/run_slack_api_connector_request"},"runSwimlaneConnectorRequest":{"$ref":"#\/components\/examples\/run_swimlane_connector_request"}}}}},"responses":{"200":{"content":{"application\/json":{"schema":{"additionalProperties":fals
e,"type":"object","properties":{"auth_mode":{"description":"The authentication mode used for the connector.","enum":["shared","per-user"],"type":"string"},"config":{"additionalProperties":{"nullable":true},"type":"object"},"connector_type_id":{"description":"The connector type identifier.","type":"string"},"id":{"description":"The identifier for the connector.","type":"string"},"is_connector_type_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_deprecated":{"description":"Indicates whether the connector is deprecated.","type":"boolean"},"is_missing_secrets":{"description":"Indicates whether the connector is missing secrets.","type":"boolean"},"is_preconfigured":{"description":"Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ","type":"boolean"},"is_system_action":{"description":"Indicates whether the connector is used for system actions.","type":"boolean"},"name":{"description":" The name of the connector.","type":"string"}},"required":["id","name","connector_type_id","is_preconfigured","is_deprecated","is_system_action","is_connector_type_deprecated"]},"examples":{"runIndexConnectorResponse":{"$ref":"#\/components\/examples\/run_index_connector_response"},"runJiraConnectorResponse":{"$ref":"#\/components\/examples\/run_jira_connector_response"},"runServerLogConnectorResponse":{"$ref":"#\/components\/examples\/run_server_log_connector_response"},"runServiceNowITOMConnectorResponse":{"$ref":"#\/components\/examples\/run_servicenow_itom_connector_response"},"runSlackConnectorResponse":{"$ref":"#\/components\/examples\/run_slack_api_connector_response"},"runSwimlaneConnectorResponse":{"$ref":"#\/components\/examples\/run_swimlane_connector_response"}}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Run a 
connector","tags":["connectors"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/actions\/connectors":{"get":{"operationId":"get-actions-connectors","parameters":[],"responses":{"200":{"content":{"application\/json":{"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"auth_mode":{"description":"The authentication mode used for the connector.","enum":["shared","per-user"],"type":"string"},"config":{"additionalProperties":{"nullable":true},"type":"object"},"connector_type_id":{"description":"The connector type identifier.","type":"string"},"id":{"description":"The identifier for the connector.","type":"string"},"is_connector_type_deprecated":{"description":"Indicates whether the connector type is deprecated.","type":"boolean"},"is_deprecated":{"description":"Indicates whether the connector is deprecated.","type":"boolean"},"is_missing_secrets":{"description":"Indicates whether the connector is missing secrets.","type":"boolean"},"is_preconfigured":{"description":"Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ","type":"boolean"},"is_system_action":{"description":"Indicates whether the connector is used for system actions.","type":"boolean"},"name":{"description":" The name of the connector.","type":"string"},"referenced_by_count":{"description":"The number of saved objects that reference the connector. 
If is_preconfigured is true, this value is not calculated.","type":"number"}},"required":["id","name","connector_type_id","is_preconfigured","is_deprecated","is_system_action","is_connector_type_deprecated","referenced_by_count"]},"type":"array"},"examples":{"getConnectorsResponse":{"$ref":"#\/components\/examples\/get_connectors_response"}}}},"description":"Indicates a successful call."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Get all connectors","tags":["connectors"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/actions\/connectors<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/agent_builder\/a2a\/{agentId}":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/a2a\/{agentId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\n> warn\n> This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"post-agent-builder-a2a-agentid","parameters":[{"description":"The unique identifier of the agent to send the A2A task to.","in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"a2aTaskRequestExample":{"description":"WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. 
Integrate with A2A using an A2A SDK or A2A Inspector instead.","value":{"id":"task-123","jsonrpc":"2.0","method":"complete","params":{"messages":[{"content":"Hello from A2A protocol","role":"user"}]}}}},"schema":{}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"a2aTaskResponseExample":{"description":"Example response from A2A Task Endpoint with results of task execution","value":{"id":"task-123","jsonrpc":"2.0","result":{"conversation_id":"conv-456","response":{"message":"Hello! How can I help you today?"},"type":"response"}}}}}},"description":"Indicates a successful response"}},"summary":"Send A2A task","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/a2a\/{agentId}.json":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/a2a\/{agentId}.json<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet agent discovery metadata in JSON format. 
Use this endpoint to provide agent information for A2A protocol integration and discovery.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-a2a-agentid.json","parameters":[{"description":"The unique identifier of the agent to get A2A metadata for.","in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"a2aAgentCardResponseExample":{"description":"Example response card of Elastic AI Agent","value":{"capabilities":{"pushNotifications":false,"stateTransitionHistory":false,"streaming":false},"defaultInputModes":["text\/plain"],"defaultOutputModes":["text\/plain"],"description":"Elastic AI Agent","name":"Elastic AI Agent","protocolVersion":"0.3.0","provider":{"organization":"Elastic","url":"https:\/\/elastic.co"},"securitySchemes":{"authorization":{"description":"Authentication token","in":"header","name":"Authorization","type":"apiKey"}},"skills":[{"description":"A powerful tool for searching and analyzing data within your Elasticsearch cluster.","examples":[],"id":"platform.core.search","inputModes":["text\/plain","application\/json"],"name":"platform.core.search","outputModes":["text\/plain","application\/json"],"tags":["tool"]}],"supportsAuthenticatedExtendedCard":false,"url":"http:\/\/localhost:5601\/api\/agent_builder\/a2a\/elastic-ai-agent","version":"0.1.0"}}}}},"description":"Indicates a successful response"}},"summary":"Get A2A agent card","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/agent_builder\/a2a\/{agentId}.json\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/agent_builder\/a2a\/{agentId}.json\n"}],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/agents":{"get":{"description":"**Spaces method and path for 
this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/agents<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more, refer to the [agents documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/agent-builder-agents).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-agents","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"listAgentsResponseExample":{"description":"Example response that returns one built-in Elastic agent and one created by the user","value":{"results":[{"configuration":{"tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Elastic AI Agent","id":"elastic-ai-agent","name":"Elastic AI Agent","type":"chat"},{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Hi! 
I can help you search the data within the indices starting with \"content-\" prefix.","id":"created-agent-id","labels":["custom-indices","department-search"],"name":"Search Index Helper","type":"chat"}]}}}}},"description":"Indicates a successful response"}},"summary":"List agents","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n -X GET \"${KIBANA_URL}\/api\/agent_builder\/agents\" \\\n -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/agent_builder\/agents\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/agents<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. 
To learn more, refer to the [agents documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/agent-builder-agents).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:manageAgents.","operationId":"post-agent-builder-agents","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createAgentRequestExample":{"description":"Example request for creating a custom agent with special prompt and tools","value":{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Hi! 
I can help you search the data within the indices starting with \"content-\" prefix.","id":"created-agent-id","labels":["custom-indices","department-search"],"name":"Search Index Helper"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"avatar_color":{"description":"Optional hex color code for the agent avatar.","type":"string"},"avatar_symbol":{"description":"Optional symbol\/initials for the agent avatar.","type":"string"},"configuration":{"additionalProperties":false,"description":"Configuration settings for the agent.","type":"object","properties":{"enable_elastic_capabilities":{"description":"When true, enables built-in Elastic capabilities for the agent.","type":"boolean"},"instructions":{"description":"Optional system instructions that define the agent behavior.","type":"string"},"plugin_ids":{"description":"Array of plugin IDs to assign to the agent.","items":{"description":"Plugin ID to assign to the agent.","type":"string"},"maxItems":100,"type":"array"},"skill_ids":{"description":"Array of skill IDs to be available to the agent.","items":{"description":"Skill ID to be available to the agent.","type":"string"},"maxItems":100,"type":"array"},"tools":{"items":{"additionalProperties":false,"description":"Tool selection configuration for the agent.","type":"object","properties":{"tool_ids":{"description":"Array of tool IDs that the agent can use.","items":{"description":"Tool ID to be available to the agent.","type":"string"},"type":"array"}},"required":["tool_ids"]},"type":"array"},"workflow_ids":{"items":{"description":"Optional list of workflow IDs. 
When set, these workflows run before every agent execution, in order.","type":"string"},"maxItems":100,"type":"array"}},"required":["tools"]},"description":{"description":"Description of what the agent does.","type":"string"},"id":{"description":"Unique identifier for the agent.","type":"string"},"labels":{"description":"Optional labels for categorizing and organizing agents.","items":{"description":"Label for categorizing the agent.","type":"string"},"type":"array"},"name":{"description":"Display name for the agent.","type":"string"},"visibility":{"description":"**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read\/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read\/write).","enum":["public","shared","private"],"type":"string"}},"required":["id","name","description","configuration"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"createAgentResponseExample":{"description":"Example response returning the definition of an agent created as a result of the request","value":{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Hi! 
I can help you search the data within the indices starting with \"content-\" prefix.","id":"created-agent-id","labels":["custom-indices","department-search"],"name":"Search Index Helper","type":"chat"}}}}},"description":"Indicates a successful response"}},"summary":"Create an agent","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/agent_builder\/agents\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"id\": \"new-agent-id\",\n    \"name\": \"Search Index Helper\",\n    \"description\": \"Hi! I can help you search the data within the indices starting with \\\"content-\\\" prefix.\",\n    \"labels\": [\"custom-indices\", \"department-search\"],\n    \"avatar_color\": \"#BFDBFF\",\n    \"avatar_symbol\": \"SI\",\n    \"configuration\": {\n      \"instructions\": \"You are a custom agent that wants to help searching data using all indices starting with prefix \\\"content-\\\".\",\n      \"tools\": [\n        {\n          \"tool_ids\": [\n            \"platform.core.search\",\n            \"platform.core.list_indices\",\n            \"platform.core.get_index_mapping\",\n            \"platform.core.get_document_by_id\"\n          ]\n        }\n      ]\n    }\n}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/agent_builder\/agents\n{\n  \"id\": \"new-agent-id\",\n  \"name\": \"Search Index Helper\",\n  \"description\": \"Hi! 
I can help you search the data within the indices starting with \\\"content-\\\" prefix.\",\n  \"labels\": [\"custom-indices\", \"department-search\"],\n  \"avatar_color\": \"#BFDBFF\",\n  \"avatar_symbol\": \"SI\",\n  \"configuration\": {\n    \"instructions\": \"You are a custom agent that wants to help searching data using all indices starting with prefix \\\"content-\\\".\",\n    \"tools\": [\n      {\n        \"tool_ids\": [\n          \"platform.core.search\",\n          \"platform.core.list_indices\",\n          \"platform.core.get_index_mapping\",\n          \"platform.core.get_document_by_id\"\n        ]\n      }\n    ]\n  }\n}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/agents\/{agent_id}\/consumption":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/agents\/{agent_id}\/consumption<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReturns paginated, per-conversation token consumption data for a given agent. Includes input\/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. 
Requires the manageAgents privilege.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:manageAgents.","operationId":"post-agent-builder-agents-agent-id-consumption","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the agent.","in":"path","name":"agent_id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"consumptionDefaultExample":{"description":"Get consumption data for an agent with default pagination","value":{"size":25,"sort_field":"updated_at","sort_order":"desc"}},"consumptionFilteredExample":{"description":"Get consumption data filtered by username with warnings","value":{"has_warnings":true,"size":10,"sort_field":"total_tokens","sort_order":"desc","usernames":["elastic","admin"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"has_warnings":{"description":"Filter to conversations with or without high-token warnings.","type":"boolean"},"search":{"description":"Free-text search filter on conversation title.","type":"string"},"search_after":{"description":"Cursor for pagination. 
Pass the search_after value from the previous response.","items":{"nullable":true},"maxItems":10000,"type":"array"},"size":{"default":25,"description":"Number of results per page.","maximum":100,"minimum":1,"type":"number"},"sort_field":{"default":"updated_at","description":"Field to sort results by.","enum":["updated_at","total_tokens","round_count"],"type":"string"},"sort_order":{"default":"desc","description":"Sort direction.","enum":["asc","desc"],"type":"string"},"usernames":{"description":"Filter results to conversations by these usernames.","items":{"type":"string"},"maxItems":10000,"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"consumptionResponseExample":{"description":"Example response with per-conversation token usage data","value":{"aggregations":{"total_with_warnings":0,"usernames":["elastic","admin"]},"results":[{"conversation_id":"conv-abc123","created_at":"2025-03-01T10:00:00Z","llm_calls":8,"round_count":5,"title":"Help me search my data","token_usage":{"input_tokens":15000,"output_tokens":3000,"total_tokens":18000},"updated_at":"2025-03-01T10:15:00Z","user":{"id":"uid-1","username":"elastic"},"warnings":[]},{"conversation_id":"conv-def456","created_at":"2025-03-02T14:00:00Z","llm_calls":20,"round_count":12,"title":"Analyze server logs","token_usage":{"input_tokens":250000,"output_tokens":8000,"total_tokens":258000},"updated_at":"2025-03-02T14:30:00Z","user":{"id":"uid-2","username":"admin"},"warnings":[{"input_tokens":250000,"round_id":"round-7","type":"high_input_tokens"}]}],"search_after":[1709391000000,"2025-03-02T14:30:00Z"],"total":2}}}}},"description":"Indicates a successful response"}},"summary":"Get agent consumption data","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n -X POST \"${KIBANA_URL}\/api\/agent_builder\/agents\/elastic-ai-agent\/consumption\" \\\n -H \"Authorization: ApiKey ${API_KEY}\" \\\n -H \"Content-Type: application\/json\" \\\n -H \"elastic-api-version: 
2023-10-31\" \\\n -d '{\"size\": 25, \"sort_field\": \"updated_at\", \"sort_order\": \"desc\"}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/agent_builder\/agents\/elastic-ai-agent\/consumption\n{\"size\": 25, \"sort_field\": \"updated_at\", \"sort_order\": \"desc\"}\n"}],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/agents\/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/agents\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an agent by ID. This action cannot be undone. To learn more, refer to the [agents documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/agent-builder-agents).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:manageAgents.","operationId":"delete-agent-builder-agents-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the agent to delete.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteAgentResponseExample":{"description":"Example response showing that deletion of the agent has been successful","value":{"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Delete an agent","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}\/api\/agent_builder\/agents\/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE 
kbn:\/\/api\/agent_builder\/agents\/{id}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/agents\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more, refer to the [agents documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/agent-builder-agents).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-agents-id","parameters":[{"description":"The unique identifier of the agent to retrieve.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentByIdResponseExample":{"description":"Example response for an agent created by the user that queries Elasticsearch indices starting with the 'content-' prefix to answer questions.","value":{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Hi! 
I can help you search the data within the indices starting with \"content-\" prefix.","id":"created-agent-id","labels":["custom-indices","department-search"],"name":"Search Index Helper","type":"chat"}}}}},"description":"Indicates a successful response"}},"summary":"Get an agent by ID","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/agent_builder\/agents\/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/agent_builder\/agents\/{id}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/agents\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. 
To learn more, refer to the [agents documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/agent-builder-agents).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:manageAgents.","operationId":"put-agent-builder-agents-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the agent to update.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createAgentRequestExample":{"description":"Example request for updating custom agent","value":{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Updated description - Search for anything in \"content-*\" indices!","id":"created-agent-id","labels":["custom-indices","department-search","elastic-employees"],"name":"Search Index Helper"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"avatar_color":{"description":"Updated hex color code for the agent avatar.","type":"string"},"avatar_symbol":{"description":"Updated symbol\/initials for the agent avatar.","type":"string"},"configuration":{"additionalProperties":false,"description":"Updated configuration settings for the agent.","type":"object","properties":{"enable_elastic_capabilities":{"description":"When true, enables built-in Elastic capabilities for the agent.","type":"boolean"},"instructions":{"description":"Updated system instructions that define the agent behavior.","type":"string"},"plugin_ids":{"description":"Array of plugin IDs to assign to the 
agent.","items":{"description":"Plugin ID to assign to the agent.","type":"string"},"maxItems":100,"type":"array"},"skill_ids":{"description":"Array of skill IDs to be available to the agent.","items":{"description":"Skill ID to be available to the agent.","type":"string"},"maxItems":100,"type":"array"},"tools":{"items":{"additionalProperties":false,"description":"Tool selection configuration for the agent.","type":"object","properties":{"tool_ids":{"description":"Array of tool IDs that the agent can use.","items":{"description":"Tool ID to be available to the agent.","type":"string"},"type":"array"}},"required":["tool_ids"]},"type":"array"},"workflow_ids":{"items":{"description":"Updated list of workflow IDs. When set, these workflows run every agent execution, in order.","type":"string"},"maxItems":100,"type":"array"}}},"description":{"description":"Updated description of what the agent does.","type":"string"},"labels":{"description":"Updated labels for categorizing and organizing agents.","items":{"description":"Updated label for categorizing the agent.","type":"string"},"type":"array"},"name":{"description":"Updated display name for the agent.","type":"string"},"visibility":{"description":"**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read\/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read\/write).","enum":["public","shared","private"],"type":"string"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"updateAgentResponseExample":{"description":"Example response returning the agent definition with the changes applied from the request","value":{"avatar_color":"#BFDBFF","avatar_symbol":"SI","configuration":{"instructions":"You are a custom agent that wants to help searching data using all indices starting with prefix 
\"content-\".","tools":[{"tool_ids":["platform.core.search","platform.core.list_indices","platform.core.get_index_mapping","platform.core.get_document_by_id"]}]},"description":"Updated description - Search for anything in \"content-*\" indices!","id":"created-agent-id","labels":["custom-indices","department-search","elastic-employees"],"name":"Search Index Helper","type":"chat"}}}}},"description":"Indicates a successful response"}},"summary":"Update an agent","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X PUT \"${KIBANA_URL}\/api\/agent_builder\/agents\/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"name\": \"Search Index Helper\",\n    \"description\": \"Updated description - Search for anything in \\\"content-*\\\" indices!\",\n    \"labels\": [\"custom-indices\", \"department-search\", \"elastic-employees\"],\n    \"avatar_color\": \"#BFDBFF\",\n    \"avatar_symbol\": \"SI\",\n    \"configuration\": {\n      \"instructions\": \"You are a custom agent that wants to help searching data using all indices starting with prefix \\\"content-\\\".\",\n      \"tools\": [{\n        \"tool_ids\": [\n          \"platform.core.search\",\n          \"platform.core.list_indices\",\n          \"platform.core.get_index_mapping\",\n          \"platform.core.get_document_by_id\"\n        ]\n      }]\n    }\n  }'\n"},{"lang":"Console","source":"PUT kbn:\/\/api\/agent_builder\/agents\/{id}\n{\n  \"name\": \"Search Index Helper\",\n  \"description\": \"Updated description - Search for anything in \\\"content-*\\\" indices!\",\n  \"labels\": [\"custom-indices\", \"department-search\", \"elastic-employees\"],\n  \"avatar_color\": \"#BFDBFF\",\n  \"avatar_symbol\": \"SI\",\n  \"configuration\": {\n    \"instructions\": \"You are a custom agent that wants to help searching data using all indices starting with prefix \\\"content-\\\".\",\n    \"tools\": [{\n  
    \"tool_ids\": [\n        \"platform.core.search\",\n        \"platform.core.list_indices\",\n        \"platform.core.get_index_mapping\",\n        \"platform.core.get_document_by_id\"\n      ]\n    }]\n  }\n}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/conversations":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all conversations for a user. Use the optional agent ID to filter conversations by a specific agent.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-conversations","parameters":[{"description":"Optional agent ID to filter conversations by a specific agent.","in":"query","name":"agent_id","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"listConversationsResponseExample":{"description":"Example response containing the list of conversations with all agents","value":{"results":[{"agent_id":"elastic-ai-agent","created_at":"2025-09-19T17:45:39.554Z","id":"bcc176c5-38f6-40be-be0c-898e34fa1480","title":"General Greeting","updated_at":"2025-09-19T17:45:39.554Z","user":{"username":"elastic"}}]}}}}},"description":"Indicates a successful response"}},"summary":"List conversations","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/agent_builder\/conversations\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/agent_builder\/conversations\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/agent_builder\/conversations\/{conversation_id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations\/{conversation_id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a conversation by ID. This action cannot be undone.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"delete-agent-builder-conversations-conversation-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the conversation to delete.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteConversationResponseExample":{"description":"Example response showing that deletion of conversation has been successful","value":{"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Delete conversation by ID","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}\/api\/agent_builder\/conversations\/{conversation_id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE kbn:\/\/api\/agent_builder\/conversations\/{conversation_id}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations\/{conversation_id}<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-conversations-conversation-id","parameters":[{"description":"The unique identifier of the conversation to retrieve.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getConversationByIdResponseExample":{"description":"Example response containing the contents of a conversation with the chat agent","value":{"agent_id":"elastic-ai-agent","created_at":"2025-09-19T17:45:39.554Z","id":"bcc176c5-38f6-40be-be0c-898e34fa1480","rounds":[{"id":"170ec3b2-0f5a-4538-8b60-549572386d2a","input":{"message":"Hello, how are you?"},"response":{"message":"Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools.\n\nHello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. 
How can I assist you today?"},"steps":[]}],"title":"General Greeting","updated_at":"2025-09-19T17:45:39.554Z","user":{"username":"elastic"}}}}}},"description":"Indicates a successful response"}},"summary":"Get conversation by ID","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/agent_builder\/conversations\/{conversation_id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/agent_builder\/conversations\/{conversation_id}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/conversations\/{conversation_id}\/attachments":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations\/{conversation_id}\/attachments<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all attachments for a conversation. 
Use the optional include_deleted query parameter to include soft-deleted attachments.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-conversations-conversation-id-attachments","parameters":[{"description":"The unique identifier of the conversation.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}},{"description":"Whether to include deleted attachments in the list.","in":"query","name":"include_deleted","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"listAttachmentsResponseExample":{"description":"Example response containing active attachments for a conversation","value":{"results":[{"active":true,"current_version":2,"description":"My text file","id":"attachment-1","type":"text","versions":[{"content_hash":"abc123","created_at":"2025-01-01T10:00:00.000Z","data":"Initial content","estimated_tokens":3,"version":1},{"content_hash":"def456","created_at":"2025-01-01T11:00:00.000Z","data":"Updated content","estimated_tokens":3,"version":2}]},{"active":true,"current_version":1,"description":"Configuration data","id":"attachment-2","type":"json","versions":[{"content_hash":"ghi789","created_at":"2025-01-01T12:00:00.000Z","data":{"key":"value","nested":{"field":123}},"estimated_tokens":15,"version":1}]}],"total_token_estimate":21}}}}},"description":"Indicates a successful response"}},"summary":"List conversation attachments","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations\/{conversation_id}\/attachments<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\nCreate a new attachment for a conversation with version tracking.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"post-agent-builder-conversations-conversation-id-attachments","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the conversation.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createHiddenAttachmentExample":{"description":"Example request for creating a hidden attachment","value":{"data":"Internal system data","description":"System context","hidden":true,"type":"text"}},"createJsonAttachmentExample":{"description":"Example request for creating a JSON attachment with custom ID","value":{"data":{"configuration":{"enabled":true,"threshold":50},"metadata":{"source":"user_input"}},"description":"Application settings","id":"custom-attachment-id","type":"json"}},"createTextAttachmentExample":{"description":"Example request for creating a text attachment","value":{"data":"This is the content of my text attachment","description":"Meeting notes","type":"text"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"data":{"description":"The attachment data\/content. Required unless origin is provided.","nullable":true},"description":{"description":"Human-readable description of the attachment.","type":"string"},"hidden":{"description":"Whether the attachment should be hidden from the user.","type":"boolean"},"id":{"description":"Optional custom ID for the attachment.","type":"string"},"origin":{"description":"Origin string (for example, saved object ID) for by-reference attachments. 
When provided without data, the content is resolved once at creation time.","type":"string"},"type":{"description":"The type of the attachment (e.g., text, esql, visualization).","type":"string"}},"required":["type","data"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"createAttachmentResponseExample":{"description":"Example response returning the created attachment","value":{"attachment":{"active":true,"current_version":1,"description":"Meeting notes","id":"att-abc123","type":"text","versions":[{"content_hash":"sha256-xyz","created_at":"2025-01-06T10:00:00.000Z","data":"This is the content of my text attachment","estimated_tokens":12,"version":1}]}}}}}},"description":"Indicates a successful response"}},"summary":"Create conversation attachment","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/conversations\/{conversation_id}\/attachments\/{attachment_id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations\/{conversation_id}\/attachments\/{attachment_id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an attachment. By default performs a soft delete (can be restored). 
Use permanent=true to permanently remove unreferenced attachments.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"delete-agent-builder-conversations-conversation-id-attachments-attachment-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the conversation.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}},{"description":"The unique identifier of the attachment to delete.","in":"path","name":"attachment_id","required":true,"schema":{"type":"string"}},{"description":"If true, permanently removes the attachment (only for unreferenced attachments).","in":"query","name":"permanent","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"permanentDeleteAttachmentResponseExample":{"description":"Example response for permanent delete (cannot be restored)","value":{"permanent":true,"success":true}},"softDeleteAttachmentResponseExample":{"description":"Example response for soft delete (can be restored)","value":{"permanent":false,"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Delete conversation attachment","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb patch\">patch<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations\/{conversation_id}\/attachments\/{attachment_id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRename an attachment without creating a new version.<br\/><br\/>[Required authorization] Route required privileges: 
agentBuilder:read.","operationId":"patch-agent-builder-conversations-conversation-id-attachments-attachment-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the conversation.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}},{"description":"The unique identifier of the attachment to rename.","in":"path","name":"attachment_id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"renameAttachmentExample":{"description":"Example request for renaming an attachment","value":{"description":"Updated attachment name"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"description":{"description":"The new description\/name for the attachment.","type":"string"}},"required":["description"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"renameAttachmentResponseExample":{"description":"Example response returning the renamed attachment (version unchanged)","value":{"attachment":{"active":true,"current_version":1,"description":"Updated attachment name","id":"att-abc123","type":"text","versions":[{"content_hash":"sha256-xyz","created_at":"2025-01-06T10:00:00.000Z","data":"Content remains the same","estimated_tokens":10,"version":1}]},"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Rename attachment","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations\/{conversation_id}\/attachments\/{attachment_id}<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an attachment's content. Creates a new version if the content changed.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"put-agent-builder-conversations-conversation-id-attachments-attachment-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the conversation.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}},{"description":"The unique identifier of the attachment to update.","in":"path","name":"attachment_id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"updateAttachmentContentExample":{"description":"Example request for updating attachment content","value":{"data":"This is the updated content"}},"updateAttachmentWithDescriptionExample":{"description":"Example request for updating both content and description","value":{"data":"New content version","description":"Updated meeting notes - v2"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"data":{"description":"The new attachment data\/content.","nullable":true},"description":{"description":"Optional new description for the attachment.","type":"string"}},"required":["data"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"updateAttachmentResponseExample":{"description":"Example response returning the updated attachment with new version","value":{"attachment":{"active":true,"current_version":2,"description":"Meeting notes","id":"att-abc123","type":"text","versions":[{"content_hash":"sha256-abc","created_at":"2025-01-06T10:00:00.000Z","data":"Original content","estimated_tokens":10,"version":1},{"content_hash":"sha256-def","created_at":"2025-01-06T11:00:00.000Z","data":"This is 
the updated content","estimated_tokens":12,"version":2}]},"new_version":2}}}}},"description":"Indicates a successful response"}},"summary":"Update conversation attachment","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/conversations\/{conversation_id}\/attachments\/{attachment_id}\/_restore":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations\/{conversation_id}\/attachments\/{attachment_id}\/_restore<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRestore a soft-deleted attachment.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"post-agent-builder-conversations-conversation-id-attachments-attachment-id-restore","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the conversation.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}},{"description":"The unique identifier of the attachment to restore.","in":"path","name":"attachment_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"restoreAttachmentResponseExample":{"description":"Example response returning the restored attachment","value":{"attachment":{"active":true,"current_version":1,"description":"Restored attachment","id":"att-abc123","type":"text","versions":[{"content_hash":"sha256-xyz","created_at":"2025-01-06T10:00:00.000Z","data":"Restored content","estimated_tokens":10,"version":1}]},"success":true}}}}},"description":"Indicates a successful 
response"}},"summary":"Restore deleted attachment","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/conversations\/{conversation_id}\/attachments\/{attachment_id}\/origin":{"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations\/{conversation_id}\/attachments\/{attachment_id}\/origin<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the conversation.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}},{"description":"The unique identifier of the attachment to update.","in":"path","name":"attachment_id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"updateOriginExample":{"description":"Example request for linking an attachment to a saved visualization","value":{"origin":"abc123"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"origin":{"description":"The origin string (e.g., saved object ID for visualizations and dashboards).","type":"string"}},"required":["origin"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"updateOriginResponseExample":{"description":"Example response returning 
the attachment with updated origin","value":{"attachment":{"active":true,"current_version":1,"description":"Sales chart","id":"att-123","origin":"abc123","type":"visualization","versions":[{"content_hash":"sha256-xyz","created_at":"2025-01-06T10:00:00.000Z","data":{"chart_type":"bar","esql":"FROM sales | STATS count=COUNT(*) BY month","query":"Show monthly sales","visualization":{}},"estimated_tokens":50,"version":1}]},"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Update attachment origin","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/conversations\/{conversation_id}\/attachments\/stale":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/conversations\/{conversation_id}\/attachments\/stale<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nChecks staleness for the latest version of all conversation attachments against their origin snapshot.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-conversations-conversation-id-attachments-stale","parameters":[{"description":"The unique identifier of the conversation.","in":"path","name":"conversation_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"checkStaleAttachmentsResponseExample":{"description":"Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. 
When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.","value":{"attachments":[{"id":"att-text-meeting-notes","is_stale":false},{"id":"att-lens-active-users","is_stale":false},{"error":"Origin could not be resolved","id":"att-query-attachment","is_stale":false},{"data":"This is the content of my text attachment","hidden":false,"id":"att-text-runbook","is_stale":true,"origin":"document:hr-onboarding-v2","type":"text"}]}}}}},"description":"Indicates a successful response"}},"summary":"Check attachment staleness","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/converse":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/converse<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSend a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. 
To learn more, refer to the [agent chat documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/chat).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"post-agent-builder-converse","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"converseRequestExample":{"description":"Example request to send a message to the agent as a part of the conversation","value":{"agent_id":"elastic-ai-agent","connector_id":"my-connector-id","input":"What is Elasticsearch?"}},"converseRequestInferenceExample":{"description":"Example using inference_id (mutually exclusive with connector_id)","value":{"agent_id":"elastic-ai-agent","inference_id":"my-inference-endpoint-id","input":"What is Elasticsearch?"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"_execution_mode":{"description":"**Experimental; added in 9.4.0.** Defines how to execute the agent (local execution or via task_manager).","enum":["local","task_manager"],"type":"string"},"action":{"description":"The action to perform. \"regenerate\" re-executes the last round with the original input. Requires conversation_id.","enum":["regenerate"],"type":"string"},"agent_id":{"default":"elastic-ai-agent","description":"The ID of the agent to chat with. Defaults to the default Elastic AI agent.","type":"string"},"attachments":{"description":"**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.","items":{"additionalProperties":false,"type":"object","properties":{"data":{"additionalProperties":{"nullable":true},"description":"Payload of the attachment. 
Required unless `origin` is provided (content is resolved once at send time).","type":"object"},"hidden":{"description":"When true, the attachment will not be displayed in the UI.","type":"boolean"},"id":{"description":"Optional id for the attachment.","type":"string"},"origin":{"description":"Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type\u2019s `resolve` hook.","type":"string"},"type":{"description":"Type of the attachment.","type":"string"}},"required":["type"]},"type":"array"},"browser_api_tools":{"description":"Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side.","items":{"additionalProperties":false,"type":"object","properties":{"description":{"description":"Description of what the browser API tool does.","type":"string"},"id":{"description":"Unique identifier for the browser API tool.","type":"string"},"schema":{"description":"JSON Schema defining the tool parameters (JsonSchema7Type).","nullable":true}},"required":["id","description","schema"]},"type":"array"},"capabilities":{"additionalProperties":false,"description":"Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results.","type":"object","properties":{"visualizations":{"description":"When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses.","type":"boolean"}}},"configuration_overrides":{"additionalProperties":false,"description":"Runtime configuration overrides. 
These override the stored agent configuration for this execution only.","type":"object","properties":{"instructions":{"description":"Custom instructions for the agent.","type":"string"},"tools":{"description":"Tool selection to enable for this execution.","items":{"additionalProperties":false,"type":"object","properties":{"tool_ids":{"items":{"type":"string"},"type":"array"}},"required":["tool_ids"]},"type":"array"}}},"connector_id":{"description":"Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one.","nullable":true,"type":"string"},"conversation_id":{"description":"Optional existing conversation ID to continue a previous conversation.","type":"string"},"inference_id":{"description":"Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`.","nullable":true,"type":"string"},"input":{"description":"The user input message to send to the agent.","type":"string"},"prompts":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"allow":{"type":"boolean"}},"required":["allow"]},"description":"Can be used to respond to a confirmation prompt.","type":"object"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"converseResponseExample":{"description":"Example response containing the chain of events representing a conversation with the agent","value":{"conversation_id":"696ccd6d-4bff-4b26-a62e-522ccf2dcd16","response":{"message":"Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. 
As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine\u2011tuned relevancy, and powerful analytics that scale with ease."},"steps":[{"reasoning":"Searching for official documentation or content that explains what Elasticsearch is","type":"reasoning"},{"params":{"query":"what is elasticsearch definition overview introduction"},"progression":[{"message":"Selecting the best target for this query"}],"results":[{"data":{"message":"Could not figure out which index to use"},"type":"error"}],"tool_call_id":"tooluse_shOdUwKIRwC9YhqGzeg0cQ","tool_id":"platform.core.search","type":"tool_call"}]}}}}},"description":"Indicates a successful response"}},"summary":"Send chat message","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/agent_builder\/converse\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"input\": \"What is Elasticsearch?\",\n    \"agent_id\": \"elastic-ai-agent\"}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/agent_builder\/converse\n{\n  \"input\": \"What is Elasticsearch?\",\n  \"agent_id\": \"elastic-ai-agent\"\n}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/converse\/async":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/converse\/async<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSend a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. 
Use this for interactive experiences where you want to monitor the agent's thinking process.\n\n## Event types\n\nThe endpoint emits Server-Sent Events (SSE) with the following custom event types:\n\n`conversation_id_set`\n\nSets the conversation ID.\n\nSchema:\n```json\n{\n  \"conversation_id\": \"uuid\"\n}\n```\n\n---\n\n`conversation_created`\n\nFires when a new conversation is persisted and assigned an ID.\n\nSchema:\n```json\n{\n  \"conversation_id\": \"uuid\",\n  \"title\": \"conversation title\"\n}\n```\n\n---\n\n`conversation_updated`\n\nFires when a conversation is updated.\n\nSchema:\n```json\n{\n  \"conversation_id\": \"uuid\",\n  \"title\": \"updated conversation title\"\n}\n```\n\n---\n\n`reasoning`\n\nHandles reasoning-related data.\n\nSchema:\n```json\n{\n  \"reasoning\": \"plain text reasoning content\",\n  \"transient\": false\n}\n```\n\n---\n\n`tool_call`\n\nTriggers when a tool is invoked.\n\nSchema:\n```json\n{\n  \"tool_call_id\": \"uuid\",\n  \"tool_id\": \"tool_name\",\n  \"params\": {}\n}\n```\n\n---\n\n`tool_progress`\n\nReports progress of a running tool.\n\nSchema:\n```json\n{\n  \"tool_call_id\": \"uuid\",\n  \"message\": \"progress message\"\n}\n```\n\n---\n\n`tool_result`\n\nReturns results from a completed tool call.\n\nSchema:\n```json\n{\n  \"tool_call_id\": \"uuid\",\n  \"tool_id\": \"tool_name\",\n  \"results\": []\n}\n```\n\n**Note:** `results` is an array of `ToolResult` objects.\n\n---\n\n`message_chunk`\n\nStreams partial text chunks.\n\nSchema:\n```json\n{\n  \"message_id\": \"uuid\",\n  \"text_chunk\": \"partial text\"\n}\n```\n\n---\n\n`message_complete`\n\nIndicates message stream is finished.\n\nSchema:\n```json\n{\n  \"message_id\": \"uuid\",\n  \"message_content\": \"full text content of the message\"\n}\n```\n\n---\n\n`thinking_complete`\n\nMarks the end of the thinking\/reasoning phase.\n\nSchema:\n```json\n{\n  \"time_to_first_token\": 0\n}\n```\n\n**Note:** `time_to_first_token` is in 
milliseconds.\n\n---\n\n`round_complete`\n\nMarks end of one conversation round.\n\nSchema:\n```json\n{\n  \"round\": {}\n}\n```\n\n**Note:** `round` contains the full round JSON object.\n\n---\n\n## Event flow\n\nA typical conversation round emits events in this sequence:\n\n1. `reasoning` (potentially multiple, some transient)\n2. `tool_call` (if tools are used)\n3. `tool_progress` (zero or more progress updates)\n4. `tool_result` (when tool completes)\n5. `thinking_complete`\n6. `message_chunk` (multiple, as text streams)\n7. `message_complete`\n8. `round_complete`\n\n<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"post-agent-builder-converse-async","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"converseAsyncRequestExample":{"description":"Example request to send a message to the agent as a part of the conversation","value":{"agent_id":"elastic-ai-agent","conversation_id":"c250305b-1929-4248-b568-b9e3f065fda5","input":"Hello"}},"converseAsyncRequestInferenceExample":{"description":"Example using inference_id (mutually exclusive with connector_id)","value":{"agent_id":"elastic-ai-agent","inference_id":"my-inference-endpoint-id","input":"Hello"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"_execution_mode":{"description":"**Experimental; added in 9.4.0.** Defines how to execute the agent (local execution or via task_manager).","enum":["local","task_manager"],"type":"string"},"action":{"description":"The action to perform. \"regenerate\" re-executes the last round with the original input. Requires conversation_id.","enum":["regenerate"],"type":"string"},"agent_id":{"default":"elastic-ai-agent","description":"The ID of the agent to chat with. 
Defaults to the default Elastic AI agent.","type":"string"},"attachments":{"description":"**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.","items":{"additionalProperties":false,"type":"object","properties":{"data":{"additionalProperties":{"nullable":true},"description":"Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time).","type":"object"},"hidden":{"description":"When true, the attachment will not be displayed in the UI.","type":"boolean"},"id":{"description":"Optional id for the attachment.","type":"string"},"origin":{"description":"Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type\u2019s `resolve` hook.","type":"string"},"type":{"description":"Type of the attachment.","type":"string"}},"required":["type"]},"type":"array"},"browser_api_tools":{"description":"Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side.","items":{"additionalProperties":false,"type":"object","properties":{"description":{"description":"Description of what the browser API tool does.","type":"string"},"id":{"description":"Unique identifier for the browser API tool.","type":"string"},"schema":{"description":"JSON Schema defining the tool parameters (JsonSchema7Type).","nullable":true}},"required":["id","description","schema"]},"type":"array"},"capabilities":{"additionalProperties":false,"description":"Controls agent capabilities during conversation. 
Currently supports visualization rendering for tabular tool results.","type":"object","properties":{"visualizations":{"description":"When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses.","type":"boolean"}}},"configuration_overrides":{"additionalProperties":false,"description":"Runtime configuration overrides. These override the stored agent configuration for this execution only.","type":"object","properties":{"instructions":{"description":"Custom instructions for the agent.","type":"string"},"tools":{"description":"Tool selection to enable for this execution.","items":{"additionalProperties":false,"type":"object","properties":{"tool_ids":{"items":{"type":"string"},"type":"array"}},"required":["tool_ids"]},"type":"array"}}},"connector_id":{"description":"Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one.","nullable":true,"type":"string"},"conversation_id":{"description":"Optional existing conversation ID to continue a previous conversation.","type":"string"},"inference_id":{"description":"Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). 
Mutually exclusive with `connector_id`.","nullable":true,"type":"string"},"input":{"description":"The user input message to send to the agent.","type":"string"},"prompts":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"allow":{"type":"boolean"}},"required":["allow"]},"description":"Can be used to respond to a confirmation prompt.","type":"object"}}}}}},"responses":{"200":{"content":{"text\/event-stream":{"examples":{"converseAsyncResponseExample":{"description":"Example stream containing the chain of events representing a conversation with the agent","value":[{"data":{"data":{"conversation_id":"c250305b-1929-4248-b568-b9e3f065fda5"}},"event":"conversation_id_set"},{"data":{"data":{"reasoning":"Starting with a general search to understand what content is available."}},"event":"reasoning"},{"data":{"data":{"params":{"query":"latest documents"},"tool_call_id":"tooluse__2aJELgyRYqD8SDOKSiwtg","tool_id":"platform.core.search"}},"event":"tool_call"},{"data":{"data":{"results":[{"data":{"message":"Could not figure out which index to use"},"type":"error"}],"tool_call_id":"tooluse__2aJELgyRYqD8SDOKSiwtg"}},"event":"tool_result"},{"data":{"data":{"round":{"id":"a5692d54-bc06-4a6e-aea1-412779c73f66","input":{"message":"Hello"},"response":{"message":"Hello! 
How can I help you today?"}}}},"event":"round_complete"}]}}}},"description":"Indicates a successful response"}},"summary":"Send chat message (streaming)","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/agent_builder\/converse\/async\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"input\": \"Hello again let us have an async chat\",\n    \"agent_id\": \"elastic-ai-agent\",\n    \"conversation_id\": \"<CONVERSATION_ID>\"\n  }'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/agent_builder\/converse\/async\n{\n  \"input\": \"Hello again let's have an async chat\",\n  \"agent_id\": \"elastic-ai-agent\",\n  \"conversation_id\": \"<CONVERSATION_ID>\"\n}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/mcp":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/mcp<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\n> warn\n> This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead.\nTo learn more, refer to the [MCP documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/mcp-server).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"post-agent-builder-mcp","parameters":[{"description":"Comma-separated list of namespaces to filter tools. 
Only tools matching the specified namespaces will be returned.","in":"query","name":"namespace","required":false,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"mcpInitializeRequestExample":{"description":"WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.","value":{"id":1,"jsonrpc":"2.0","method":"initialize","params":{"capabilities":{},"clientInfo":{"name":"test-client","version":"1.0.0"},"protocolVersion":"2024-11-05"}}}},"schema":{}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"mcpInitializeResponseExample":{"description":"Example response showing the successful result of communication initialisation over MCP protocol","value":{"id":1,"jsonrpc":"2.0","result":{"capabilities":{"tools":{"listChanged":true}},"protocolVersion":"2024-11-05","serverInfo":{"name":"elastic-mcp-server","version":"0.0.1"}}}}}}},"description":"Indicates a successful response"}},"summary":"MCP server","tags":["agent builder"],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/plugins":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/plugins<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all installed plugins and their managed assets. 
Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https:\/\/code.claude.com\/docs\/en\/plugins).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-plugins","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"listPluginsResponseExample":{"description":"Example response that returns one installed plugin","value":{"results":[{"created_at":"2025-01-01T00:00:00.000Z","description":"Financial analysis tools and skills for Claude","id":"financial-analysis","manifest":{"author":{"name":"Anthropic","url":"https:\/\/www.anthropic.com"},"keywords":["finance","analysis"],"repository":"https:\/\/github.com\/anthropics\/financial-services-plugins"},"name":"financial-analysis","skill_ids":["financial-analysis-analyze-portfolio"],"source_url":"https:\/\/github.com\/anthropics\/financial-services-plugins\/tree\/main\/financial-analysis","unmanaged_assets":{"agents":[],"hooks":[],"lsp_servers":[],"mcp_servers":[],"output_styles":[]},"updated_at":"2025-01-01T00:00:00.000Z","version":"1.0.0"}]}}}}},"description":"Indicates a successful response"}},"summary":"List plugins","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n -X GET \"${KIBANA_URL}\/api\/agent_builder\/plugins\" \\\n -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/agent_builder\/plugins\n"}],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/plugins\/{pluginId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/plugins\/{pluginId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\nDelete an installed plugin by ID. This action cannot be undone.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:write.","operationId":"delete-agent-builder-plugins-pluginid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the plugin.","in":"path","name":"pluginId","required":true,"schema":{"type":"string"}},{"description":"If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents.","in":"query","name":"force","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deletePluginResponseExample":{"description":"Example response showing that deletion of the plugin has been successful","value":{"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Delete a plugin","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}\/api\/agent_builder\/plugins\/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE kbn:\/\/api\/agent_builder\/plugins\/{id}\n"}],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/plugins\/{pluginId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a specific plugin by ID.<br\/><br\/>[Required authorization] Route required privileges: 
agentBuilder:read.","operationId":"get-agent-builder-plugins-pluginid","parameters":[{"description":"The unique identifier of the plugin.","in":"path","name":"pluginId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getPluginByIdResponseExample":{"description":"Example response returning a single installed plugin","value":{"created_at":"2025-01-01T00:00:00.000Z","description":"Financial analysis tools and skills for Claude","id":"financial-analysis","manifest":{"author":{"name":"Anthropic","url":"https:\/\/www.anthropic.com"},"keywords":["finance","analysis"],"repository":"https:\/\/github.com\/anthropics\/financial-services-plugins"},"name":"financial-analysis","skill_ids":["financial-analysis-analyze-portfolio"],"source_url":"https:\/\/github.com\/anthropics\/financial-services-plugins\/tree\/main\/financial-analysis","unmanaged_assets":{"agents":[],"hooks":[],"lsp_servers":[],"mcp_servers":[],"output_styles":[]},"updated_at":"2025-01-01T00:00:00.000Z","version":"1.0.0"}}}}},"description":"Indicates a successful response"}},"summary":"Get a plugin by id","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/agent_builder\/plugins\/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/agent_builder\/plugins\/{id}\n"}],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/plugins\/install":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/plugins\/install<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInstall a plugin from a [GitHub Claude plugin URL](https:\/\/code.claude.com\/docs\/en\/plugins) 
or a direct ZIP URL. Plugins bundle agent capabilities such as skills.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:write.","operationId":"post-agent-builder-plugins-install","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"installPluginFromGithubExample":{"description":"Example request for installing a plugin from a GitHub URL","value":{"url":"https:\/\/github.com\/anthropics\/financial-services-plugins\/tree\/main\/financial-analysis"}},"installPluginFromZipExample":{"description":"Example request for installing a plugin from a direct zip URL","value":{"url":"https:\/\/my-server.example.com\/my-plugin.zip"}},"installPluginWithNameOverrideExample":{"description":"Example request for installing a plugin with a custom name","value":{"plugin_name":"my-custom-plugin-name","url":"https:\/\/github.com\/anthropics\/financial-services-plugins\/tree\/main\/financial-analysis"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"plugin_name":{"description":"Optional name override for the plugin. 
Defaults to the manifest name.","type":"string"},"url":{"description":"URL to install the plugin from (GitHub URL or direct zip URL).","type":"string"}},"required":["url"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"installPluginResponseExample":{"description":"Example response returning the definition of the installed plugin","value":{"created_at":"2025-01-01T00:00:00.000Z","description":"Financial analysis tools and skills for Claude","id":"financial-analysis","manifest":{"author":{"name":"Anthropic","url":"https:\/\/www.anthropic.com"},"keywords":["finance","analysis"],"repository":"https:\/\/github.com\/anthropics\/financial-services-plugins"},"name":"financial-analysis","skill_ids":["financial-analysis-analyze-portfolio"],"source_url":"https:\/\/github.com\/anthropics\/financial-services-plugins\/tree\/main\/financial-analysis","unmanaged_assets":{"agents":[],"hooks":[],"lsp_servers":[],"mcp_servers":[],"output_styles":[]},"updated_at":"2025-01-01T00:00:00.000Z","version":"1.0.0"}}}}},"description":"Indicates a successful response"}},"summary":"Install a plugin","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/agent_builder\/plugins\/install\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"url\": \"https:\/\/github.com\/anthropics\/financial-services-plugins\/tree\/main\/financial-analysis\"\n}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/agent_builder\/plugins\/install\n{\n  \"url\": \"https:\/\/github.com\/anthropics\/financial-services-plugins\/tree\/main\/financial-analysis\"\n}\n"}],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/skills":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/skills<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all available skills (built-in and user-created).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-skills","parameters":[{"description":"Set to true to include skills from plugins.","in":"query","name":"include_plugins","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{},"summary":"List skills","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/skills<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new user-defined skill.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:manageSkills.","operationId":"post-agent-builder-skills","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"content":{"description":"Skill instructions content (markdown).","type":"string"},"description":{"description":"Description of what the skill does.","type":"string"},"id":{"description":"Unique identifier for the skill.","type":"string"},"name":{"description":"Human-readable name for the skill.","type":"string"},"referenced_content":{"items":{"additionalProperties":false,"type":"object","properties":{"content":{"description":"Content of the 
reference.","type":"string"},"name":{"description":"Name of the referenced content.","type":"string"},"relativePath":{"description":"Relative path of the referenced content.","type":"string"}},"required":["name","relativePath","content"]},"maxItems":100,"type":"array"},"tool_ids":{"default":[],"description":"Tool IDs from the tool registry that this skill references.","items":{"description":"Tool ID from the tool registry.","type":"string"},"maxItems":100,"type":"array"}},"required":["id","name","description","content"]}}}},"responses":{},"summary":"Create a skill","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/skills\/{skillId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/skills\/{skillId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:manageSkills.","operationId":"delete-agent-builder-skills-skillid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the skill.","in":"path","name":"skillId","required":true,"schema":{"maxLength":512,"minLength":1,"type":"string"}},{"description":"If true, removes the skill from agents that use it and then deletes it. 
If false and any agent uses the skill, the request returns 409 Conflict with the list of agents.","in":"query","name":"force","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteSkillResponseExample":{"description":"Example response showing that the deletion operation was successful","value":{"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Delete a skill","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X DELETE \"https:\/\/${KIBANA_URL}\/api\/agent_builder\/skills\/{skillId}?force=false\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE kbn:\/api\/agent_builder\/skills\/{skillId}\n"}],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/skills\/{skillId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a specific skill by ID.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-skills-skillid","parameters":[{"description":"The unique identifier of the skill.","in":"path","name":"skillId","required":true,"schema":{"maxLength":512,"minLength":1,"type":"string"}}],"responses":{},"summary":"Get a skill by id","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/skills\/{skillId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an existing user-created skill.<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:manageSkills.","operationId":"put-agent-builder-skills-skillid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the skill.","in":"path","name":"skillId","required":true,"schema":{"maxLength":512,"minLength":1,"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"content":{"description":"Updated skill instructions content.","type":"string"},"description":{"description":"Updated description.","type":"string"},"name":{"description":"Updated name for the skill.","type":"string"},"referenced_content":{"items":{"additionalProperties":false,"type":"object","properties":{"content":{"description":"Content of the reference.","type":"string"},"name":{"description":"Name of the referenced content.","type":"string"},"relativePath":{"description":"Relative path of the referenced content.","type":"string"}},"required":["name","relativePath","content"]},"maxItems":100,"type":"array"},"tool_ids":{"description":"Updated tool IDs from the tool registry.","items":{"description":"Updated tool ID.","type":"string"},"maxItems":100,"type":"array"}}}}}},"responses":{},"summary":"Update a skill","tags":["agent builder"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/tools":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/tools<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more, refer to the [tools documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/tools).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-tools","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"listToolsResponseExample":{"description":"Example response returning a list of existing tools","value":{"results":[{"configuration":{},"description":"A powerful tool for searching and analyzing data within your Elasticsearch cluster.\nIt supports both full-text relevance searches and structured analytical queries.\n\nUse this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index.\n\nExamples of queries:\n- \"find articles about serverless architecture\"\n- \"search for support tickets mentioning 'billing issue' or 'refund request'\"\n- \"what is our policy on parental leave?\"\n- \"list all products where the category is 'electronics'\"\n- \"show me the last 5 documents from that index\"\n- \"show me the sales over the last year break down by month\"\n\nNote:\n- The 'index' parameter can be used to specify which index to search against.\n If not provided, the tool will decide itself which is the best index to use.\n- It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already\n know about the index and fields you want to search on, e.g. 
if the user explicitly specified it.","id":"platform.core.search","readonly":true,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"type":"object","properties":{"index":{"description":"(optional) Index to search against. If not provided, will automatically select the best index to use based on the query.","type":"string"},"query":{"description":"A natural language query expressing the search request","type":"string"}},"required":["query"]},"tags":[],"type":"builtin"},{"configuration":{},"description":"Retrieve the full content (source) of an Elasticsearch document based on its ID and index name.","id":"platform.core.get_document_by_id","readonly":true,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"type":"object","properties":{"id":{"description":"ID of the document to retrieve","type":"string"},"index":{"description":"Name of the index to retrieve the document from","type":"string"}},"required":["id","index"]},"tags":[],"type":"builtin"},{"configuration":{},"description":"Execute an ES|QL query and return the results in a tabular format.\n\n**IMPORTANT**: This tool only **runs** queries; it does not write them.\nThink of this as the final step after a query has been prepared.\n\nYou **must** get the query from one of two sources before calling this tool:\n1.  The output of the `platform.core.generate_esql` tool (if the tool is available).\n2.  
A verbatim query provided directly by the user.\n\nUnder no circumstances should you invent, guess, or modify a query yourself for this tool.\nIf you need a query, use the `platform.core.generate_esql` tool first.","id":"platform.core.execute_esql","readonly":true,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"type":"object","properties":{"query":{"description":"The ES|QL query to execute","type":"string"}},"required":["query"]},"tags":[],"type":"builtin"},{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"}},"query":"FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Example ES|QL query tool for analyzing financial trades with time filtering","id":"example-esql-tool","readonly":false,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"description":"Parameters needed to execute the query","type":"object","properties":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","format":"date-time","type":"string"}},"required":["startTime","limit"]},"tags":["analytics","finance"],"type":"esql"},{"configuration":{"pattern":"financial_*"},"description":"Search tool specifically for financial data analysis and reporting","id":"example-index-search-tool","readonly":false,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"type":"object","properties":{"nlQuery":{"description":"A natural language query expressing the search request","type":"string"}},"required":["nlQuery"]},"tags":["search","finance"],"type":"index_search"}]}}}}},"description":"Indicates a successful 
response"}},"summary":"List tools","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"https:\/\/${KIBANA_URL}\/api\/agent_builder\/tools\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/api\/agent_builder\/tools\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/tools<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more, refer to the [tools documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/tools).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:manageTools.","operationId":"post-agent-builder-tools","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createEsqlToolRequest":{"description":"Example request to create an ESQL query tool with a pre-defined query","value":{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"}},"query":"FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Example ES|QL query tool for analyzing financial trades with time 
filtering","id":"example-esql-tool","tags":["analytics","finance"],"type":"esql"}},"createIndexSearchToolRequest":{"description":"Example request to create an index_search tool with a pre-defined index pattern","value":{"configuration":{"pattern":"financial_*"},"description":"Search tool specifically for financial data analysis and reporting","id":"example-index-search-tool","tags":["search","finance"],"type":"index_search"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"configuration":{"additionalProperties":{"nullable":true},"description":"Tool-specific configuration parameters. See examples for details.","type":"object"},"description":{"default":"","description":"Description of what the tool does.","type":"string"},"id":{"description":"Unique identifier for the tool.","type":"string"},"tags":{"default":[],"description":"Optional tags for categorizing and organizing tools.","items":{"description":"Tag for categorizing the tool.","type":"string"},"type":"array"},"type":{"description":"The type of tool to create (e.g., esql, index_search).","enum":["esql","index_search","workflow","mcp"],"type":"string"}},"required":["id","type","configuration"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"createEsqlToolExample":{"description":"Example response returning a definition of ESQL tool created","value":{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"}},"query":"FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Example ES|QL query tool for analyzing financial trades with time 
filtering","id":"example-esql-tool","readonly":false,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"description":"Parameters needed to execute the query","type":"object","properties":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","format":"date-time","type":"string"}},"required":["startTime","limit"]},"tags":["analytics","finance"],"type":"esql"}},"createIndexSearchToolExample":{"description":"Example response returning a definition of search tool created","value":{"configuration":{"pattern":"financial_*"},"description":"Search tool specifically for financial data analysis and reporting","id":"example-index-search-tool","readonly":false,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"type":"object","properties":{"nlQuery":{"description":"A natural language query expressing the search request","type":"string"}},"required":["nlQuery"]},"tags":["search","finance"],"type":"index_search"}}}}},"description":"Indicates a successful response"}},"summary":"Create a tool","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n -X POST \"https:\/\/${KIBANA_URL}\/api\/agent_builder\/tools\" \\\n -H \"Authorization: ApiKey ${API_KEY}\" \\\n -H \"kbn-xsrf: true\" \\\n -H \"Content-Type: application\/json\" \\\n -d '{\n   \"id\": \"example-esql-tool\",\n   \"type\": \"esql\",\n   \"description\": \"Example ES|QL query tool for analyzing financial trades with time filtering\",\n   \"tags\": [\"analytics\", \"finance\"],\n   \"configuration\": {\n     \"query\": \"FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit\",\n     \"params\": {\n       \"startTime\": {\n         \"type\": \"date\",\n         \"description\": \"Start time for the 
analysis in ISO format\"\n       },\n       \"limit\": {\n         \"type\": \"integer\",\n         \"description\": \"Maximum number of results to return\"\n       }\n     }\n   }\n }'\n"},{"lang":"Console","source":"POST kbn:\/api\/agent_builder\/tools\n{\n  \"id\": \"example-esql-tool\",\n  \"type\": \"esql\",\n  \"description\": \"An ES|QL query tool for analyzing financial trades with time filtering\",\n  \"tags\": [\"analytics\", \"finance\", \"updated\"],\n  \"configuration\": {\n    \"query\": \"FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit\",\n    \"params\": {\n      \"startTime\": {\n        \"type\": \"date\",\n        \"description\": \"Start time for the analysis in ISO format\"\n      },\n      \"limit\": {\n        \"type\": \"integer\",\n        \"description\": \"Maximum number of results to return\"\n      }\n    }\n  }\n}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/tools\/_execute":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/tools\/_execute<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRun a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. 
To learn more, refer to the [tools documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/tools).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"post-agent-builder-tools-execute","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"executeBuiltinEsqlToolRequest":{"description":"Example request executing platform.core.execute_esql tool","value":{"tool_id":"platform.core.execute_esql","tool_params":{"query":"FROM financial_trades | LIMIT 3"}}},"executeBuiltinToolRequest":{"description":"Example request executing platform.core.get_document_by_id tool","value":{"tool_id":"platform.core.get_document_by_id","tool_params":{"id":"TRD-20250805-0820a89f","index":"financial_trades"}}},"executeCustomEsqlToolRequest":{"description":"Example request executing custom example-esql-tool tool","value":{"tool_id":"example-esql-tool","tool_params":{"limit":3,"startTime":"2024-01-01T00:00:00Z"}}},"executeIndexSearchToolRequest":{"description":"Example request executing custom example-index-search-tool tool","value":{"tool_id":"example-index-search-tool","tool_params":{"nlQuery":"find trades with high execution prices above 100"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"connector_id":{"description":"Optional connector ID for tools that require external integrations.","type":"string"},"tool_id":{"description":"The ID of the tool to execute.","type":"string"},"tool_params":{"additionalProperties":{"nullable":true},"description":"Parameters to pass to the tool execution. 
See examples for details","type":"object"}},"required":["tool_id","tool_params"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"executeBuiltinEsqlToolExample":{"description":"Example response calling built-in platform.core.execute_esql tool","value":{"results":[{"data":{"esql":"FROM financial_trades | LIMIT 3"},"type":"query"},{"data":{"columns":[{"name":"account_id","type":"keyword"},{"name":"execution_price","type":"double"},{"name":"symbol","type":"keyword"},{"name":"trade_type","type":"keyword"}],"query":"FROM financial_trades | LIMIT 3","source":"esql","values":[["ACC00179-1f91",43.77000045776367,"CVX","sell"],["ACC00407-0bbb",660.4199829101562,"V","buy"],["ACC00179-1f91",440.3599853515625,"KO","buy"]]},"tool_result_id":"xTpT","type":"esql_results"}]}},"executeBuiltinToolExample":{"description":"Example response calling built-in platform.core.get_document_by_id tool","value":{"results":[{"data":{"content":{"account_id":"ACC00271-fb5c","execution_price":488.54,"execution_timestamp":"2025-08-05T08:04:11.649855","last_updated":"2025-09-15T13:23:36","order_status":"executed","order_type":"market","quantity":131,"status_reason":"fully_filled","symbol":"EWL","trade_cost":63998.74,"trade_id":"TRD-20250805-0820a89f","trade_type":"sell"},"partial":false,"reference":{"id":"TRD-20250805-0820a89f","index":"financial_trades"}},"type":"resource"}]}},"executeCustomEsqlToolExample":{"description":"Example response calling custom example-esql-tool tool","value":{"results":[{"data":{"columns":[{"name":"trade_count","type":"long"},{"name":"avg_price","type":"double"},{"name":"symbol","type":"keyword"}],"query":"FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT 
?limit","source":"esql","values":[[2115,89.33911587329621,"US_T_BOND_20YR"],[2112,104.2085415594506,"INTL_CORP_ASIA_D"],[2105,89.93244177666526,"INTL_CORP_EU_B"]]},"tool_result_id":"Voy8","type":"esql_results"}]}},"executeIndexSearchToolExample":{"description":"Example response calling custom example-index-search-tool tool","value":{"results":[{"data":{"esql":"FROM financial_trades\n| WHERE execution_price > 100\n| LIMIT 100"},"type":"query"},{"data":{"columns":[{"name":"account_id","type":"keyword"},{"name":"execution_price","type":"double"},{"name":"execution_timestamp","type":"date"},{"name":"symbol","type":"keyword"},{"name":"trade_type","type":"keyword"}],"query":"FROM financial_trades\n| WHERE execution_price > 100\n| LIMIT 100","source":"esql","values":[["ACC00407-0bbb",660.4199829101562,"2020-09-25T11:06:08.687Z","V","buy"],["ACC00179-1f91",440.3599853515625,"2025-08-07T21:56:45.377Z","KO","buy"],["ACC00407-0bbb",132.8800048828125,"2020-11-19T04:39:13.655Z","JAP_JGB_10YR","sell"]]},"tool_result_id":"uE8y","type":"esql_results"}]}}}}},"description":"Indicates a successful response"}},"summary":"Run a tool","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n -X POST \"https:\/\/${KIBANA_URL}\/api\/agent_builder\/tools\/_execute\" \\\n -H \"Authorization: ApiKey ${API_KEY}\" \\\n -H \"kbn-xsrf: true\" \\\n -H \"Content-Type: application\/json\" \\\n -d '{\n   \"tool_id\": \"platform.core.search\",\n   \"tool_params\": {\n     \"query\": \"can you find john doe'\\''s email from the employee index?\"\n   }\n }'\n"},{"lang":"Console","source":"POST kbn:\/api\/agent_builder\/tools\/_execute\n{\n  \"tool_id\": \"platform.core.search\",\n  \"tool_params\": {\n    \"query\": \"can you find john doe's email from the employee index?\"\n  }\n}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/agent_builder\/tools\/{toolId}":{"delete":{"description":"**Spaces method and path for this 
operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/tools\/{toolId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a tool by ID. This action cannot be undone. To learn more, refer to the [tools documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/tools).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:manageTools.","operationId":"delete-agent-builder-tools-toolid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the tool to delete.","in":"path","name":"toolId","required":true,"schema":{"type":"string"}},{"description":"If true, removes the tool from agents that use it and then deletes it. 
If false and any agent uses the tool, the request returns 409 Conflict with the list of agents.","in":"query","name":"force","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteAgentResponseExample":{"description":"Example response showing that the deletion operation was successful","value":{"success":true}}}}},"description":"Indicates a successful response"}},"summary":"Delete a tool","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X DELETE \"https:\/\/${KIBANA_URL}\/api\/agent_builder\/tools\/{toolId}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE kbn:\/api\/agent_builder\/tools\/{toolId}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/tools\/{toolId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. 
To learn more, refer to the [tools documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/tools).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:read.","operationId":"get-agent-builder-tools-toolid","parameters":[{"description":"The unique identifier of the tool to retrieve.","in":"path","name":"toolId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getBuiltinToolExample":{"description":"Example response returning built-in platform.core.search tool","value":{"configuration":{},"description":"A powerful tool for searching and analyzing data within your Elasticsearch cluster.\nIt supports both full-text relevance searches and structured analytical queries.\n\nUse this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index.\n\nExamples of queries:\n- \"find articles about serverless architecture\"\n- \"search for support tickets mentioning 'billing issue' or 'refund request'\"\n- \"what is our policy on parental leave?\"\n- \"list all products where the category is 'electronics'\"\n- \"show me the last 5 documents from that index\"\n- \"show me the sales over the last year break down by month\"\n\nNote:\n- The 'index' parameter can be used to specify which index to search against.\n If not provided, the tool will decide itself which is the best index to use.\n- It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already\n know about the index and fields you want to search on, e.g. if the user explicitly specified it.","id":"platform.core.search","readonly":true,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"type":"object","properties":{"index":{"description":"(optional) Index to search against. 
If not provided, will automatically select the best index to use based on the query.","type":"string"},"query":{"description":"A natural language query expressing the search request","type":"string"}},"required":["query"]},"tags":[],"type":"builtin"}},"getEsqlToolExample":{"description":"Example response returning custom example-esql-tool tool","value":{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"}},"query":"FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Example ES|QL query tool for analyzing financial trades with time filtering","id":"example-esql-tool","readonly":false,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"description":"Parameters needed to execute the query","type":"object","properties":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","format":"date-time","type":"string"}},"required":["startTime","limit"]},"tags":["analytics","finance"],"type":"esql"}},"getIndexSearchToolExample":{"description":"Example response returning custom example-index-search-tool tool","value":{"configuration":{"pattern":"financial_*"},"description":"Search tool specifically for financial data analysis and reporting","id":"example-index-search-tool","readonly":false,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"type":"object","properties":{"nlQuery":{"description":"A natural language query expressing the search request","type":"string"}},"required":["nlQuery"]},"tags":["search","finance"],"type":"index_search"}}}}},"description":"Indicates a successful response"}},"summary":"Get a tool by 
id","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"https:\/\/${KIBANA_URL}\/api\/agent_builder\/tools\/{toolId}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/api\/agent_builder\/tools\/{toolId}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/agent_builder\/tools\/{toolId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more, refer to the [tools documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/ai-features\/agent-builder\/tools).<br\/><br\/>[Required authorization] Route required privileges: agentBuilder:manageTools.","operationId":"put-agent-builder-tools-toolid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the tool to update.","in":"path","name":"toolId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"updateEsqlToolRequest":{"description":"Example request to update the custom ESQL tool","value":{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"},"symbolPattern":{"description":"Pattern to filter symbols (e.g., 'US_*' for US instruments)","type":"keyword"}},"query":"FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), 
avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering","tags":["analytics","finance","reporting"]}},"updateIndexSearchToolRequest":{"description":"Example request to update the custom Search tool","value":{"description":"Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring","tags":["search","finance","compliance","reporting"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"configuration":{"additionalProperties":{"nullable":true},"description":"Updated tool-specific configuration parameters. See examples for details.","type":"object"},"description":{"description":"Updated description of what the tool does.","type":"string"},"tags":{"description":"Updated tags for categorizing and organizing tools.","items":{"description":"Updated tag for categorizing the tool.","type":"string"},"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"updateEsqlToolExample":{"description":"Example response showing the updated ESQL tool","value":{"configuration":{"params":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","type":"date"},"symbolPattern":{"description":"Pattern to filter symbols (e.g., 'US_*' for US instruments)","type":"keyword"}},"query":"FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit"},"description":"Updated ES|QL query tool for comprehensive financial analysis with enhanced 
filtering","id":"example-esql-tool","readonly":false,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"description":"Parameters needed to execute the enhanced query","type":"object","properties":{"limit":{"description":"Maximum number of results to return","type":"integer"},"startTime":{"description":"Start time for the analysis in ISO format","format":"date-time","type":"string"},"symbolPattern":{"description":"Pattern to filter symbols (e.g., 'US_*' for US instruments)","type":"string"}},"required":["startTime","symbolPattern","limit"]},"tags":["analytics","finance","reporting"],"type":"esql"}},"updateIndexSearchToolExample":{"description":"Example response showing the updated Search tool","value":{"configuration":{"pattern":"financial_*"},"description":"Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring","id":"example-index-search-tool","readonly":false,"schema":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","additionalProperties":false,"type":"object","properties":{"nlQuery":{"description":"A natural language query expressing the search request","type":"string"}},"required":["nlQuery"]},"tags":["search","finance","compliance","reporting"],"type":"index_search"}}}}},"description":"Indicates a successful response"}},"summary":"Update a tool","tags":["agent builder"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n -X PUT \"https:\/\/${KIBANA_URL}\/api\/agent_builder\/tools\/{toolId}\" \\\n -H \"Authorization: ApiKey ${API_KEY}\" \\\n -H \"kbn-xsrf: true\" \\\n -H \"Content-Type: application\/json\" \\\n -d '{\n   \"description\": \"Updated ES|QL query tool for analyzing financial trades with time filtering\",\n   \"tags\": [\"analytics\", \"finance\", \"updated\"],\n   \"configuration\": {\n     \"query\": \"FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT 
trade_count DESC | LIMIT ?limit\",\n     \"params\": {\n       \"startTime\": {\n         \"type\": \"date\",\n         \"description\": \"Start time for the analysis in ISO format\"\n       },\n       \"limit\": {\n         \"type\": \"integer\",\n         \"description\": \"Maximum number of results to return\"\n       }\n     }\n   }\n }'\n"},{"lang":"Console","source":"PUT kbn:\/api\/agent_builder\/tools\/{toolId}\n{\n  \"description\": \"Updated ES|QL query tool for analyzing financial trades with time filtering\",\n  \"tags\": [\"analytics\", \"finance\", \"updated\"],\n  \"configuration\": {\n    \"query\": \"FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit\",\n    \"params\": {\n      \"startTime\": {\n        \"type\": \"date\",\n        \"description\": \"Start time for the analysis in ISO format\"\n      },\n      \"limit\": {\n        \"type\": \"integer\",\n        \"description\": \"Maximum number of results to return\"\n      }\n    }\n  }\n}\n"}],"x-state":"","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/alerting\/rule\/{id}":{"delete":{"operationId":"delete-alerting-rule-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Delete a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces 
method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."},"get":{"operationId":"get-alerting-rule-id","parameters":[{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getRuleResponse":{"description":"A response that contains information about an index threshold rule.","summary":"Get an index threshold rule","value":{"actions":[],"api_key_owner":"elastic","consumer":"alerts","created_at":"2022-12-05T23:40:33.132Z","created_by":"elastic","enabled":true,"id":"3583a470-74f6-11ed-9801-35303b735aef","mute_all":false,"muted_alert_ids":[],"name":"my alert","notify_when":"onActionGroupChange","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":["test-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"revision":0,"rule_type_id":".index-threshold","schedule":{"interval":"1m"},"tags":["cpu"],"throttle":null,"updated_at":"2022-12-05T23:40:33.132Z","updated_by":"elastic"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"items":{"additionalProperties":false,"type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` 
package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"connector_type_id":{"description":"The type of connector. 
This property appears in responses but cannot be set in requests.","type":"string"},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. 
If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id","connector_type_id","params"]},"type":"array"},"active_snoozes":{"items":{"description":"List of active snoozes for the rule.","type":"string"},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"api_key_created_by_user":{"description":"Indicates whether the API key that is associated with the rule was created by the user.","nullable":true,"type":"boolean"},"api_key_owner":{"description":"The owner of the API key that is associated with the rule and used to run background tasks.","nullable":true,"type":"string"},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"description":"User-created content that describes alert causes and remediation.","type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"created_at":{"description":"The date and time that the rule was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the rule.","nullable":true,"type":"string"},"enabled":{"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"execution_status":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Error message.","type":"string"},"reason":{"description":"Reason for error.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate"],"type":"string"}},"required":["reason","message"]},"last_duration":{"description":"Duration of last execution of the rule.","type":"number"},"last_execution_date":{"description":"The date and time when rule was executed last.","type":"string"},"status":{"description":"Status of rule execution.","enum":["ok","active","error","warning","pending","unknown"],"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Warning message.","type":"string"},"reason":{"description":"Reason for warning.","enum":["maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"type":"string"}},"required":["reason","message"]}},"required":["status","last_execution_date"]},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"id":{"description":"The identifier for the rule.","type":"string"},"is_snoozed_until":{"description":"The date when the rule will no longer be snoozed.","nullable":true,"type":"string"},"last_run":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"alerts_count":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"Number of active alerts during last run.","nullable":true,"type":"number"},"ignored":{"description":"Number of ignored alerts during last run.","nullable":true,"type":"number"},"new":{"description":"Number of new alerts during last run.","nullable":true,"type":"number"},"recovered":{"description":"Number of recovered alerts during last run.","nullable":true,"type":"number"}}},"outcome":{"description":"Outcome of last run of the rule. 
Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"outcome_msg":{"items":{"description":"Outcome message generated during last rule run.","type":"string"},"nullable":true,"type":"array"},"outcome_order":{"description":"Order of the outcome.","type":"number"},"warning":{"description":"Warning of last rule execution.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate","maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"nullable":true,"type":"string"}},"required":["outcome","alerts_count"]},"mapped_params":{"additionalProperties":{"nullable":true},"type":"object"},"monitoring":{"additionalProperties":false,"description":"Monitoring details of the rule.","type":"object","properties":{"run":{"additionalProperties":false,"description":"Rule run details.","type":"object","properties":{"calculated_metrics":{"additionalProperties":false,"description":"Calculation of different percentiles and success ratio.","type":"object","properties":{"p50":{"type":"number"},"p95":{"type":"number"},"p99":{"type":"number"},"success_ratio":{"type":"number"}},"required":["success_ratio"]},"history":{"description":"History of the rule run.","items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule run.","type":"number"},"outcome":{"description":"Outcome of last run of the rule. 
Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"success":{"description":"Indicates whether the rule run was successful.","type":"boolean"},"timestamp":{"description":"Time of rule run.","type":"number"}},"required":["success","timestamp"]},"type":"array"},"last_run":{"additionalProperties":false,"type":"object","properties":{"metrics":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of most recent rule run.","type":"number"},"gap_duration_s":{"description":"Duration in seconds of rule run gap.","nullable":true,"type":"number"},"gap_range":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"gte":{"description":"End of the gap range.","type":"string"},"lte":{"description":"Start of the gap range.","type":"string"}},"required":["lte","gte"]},"total_alerts_created":{"description":"Total number of alerts created during last rule run.","nullable":true,"type":"number"},"total_alerts_detected":{"description":"Total number of alerts detected during last rule run.","nullable":true,"type":"number"},"total_indexing_duration_ms":{"description":"Total time spent indexing documents during last rule run in milliseconds.","nullable":true,"type":"number"},"total_search_duration_ms":{"description":"Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.","nullable":true,"type":"number"}}},"timestamp":{"description":"Time of the most recent rule run.","type":"string"}},"required":["timestamp","metrics"]}},"required":["history","calculated_metrics","last_run"]}},"required":["run"]},"mute_all":{"description":"Indicates whether all alerts are muted.","type":"boolean"},"muted_alert_ids":{"items":{"description":"List of identifiers of muted alerts. 
","type":"string"},"type":"array"},"name":{"description":" The name of the rule.","type":"string"},"next_run":{"description":"Date and time of the next run of the rule.","nullable":true,"type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the rule.","type":"object"},"revision":{"description":"The rule revision number.","type":"number"},"rule_type_id":{"description":"The rule type identifier.","type":"string"},"running":{"description":"Indicates whether the rule is running.","nullable":true,"type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"scheduled_task_id":{"description":"Identifier of the scheduled task.","type":"string"},"snooze_schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule snooze schedule.","type":"number"},"id":{"description":"Identifier of the rule snooze 
schedule.","type":"string"},"rRule":{"additionalProperties":false,"type":"object","properties":{"byhour":{"items":{"description":"Indicates hours of the day to recur.","type":"number"},"nullable":true,"type":"array"},"byminute":{"items":{"description":"Indicates minutes of the hour to recur.","type":"number"},"nullable":true,"type":"array"},"bymonth":{"items":{"description":"Indicates months of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"bymonthday":{"items":{"description":"Indicates the days of the month to recur.","type":"number"},"nullable":true,"type":"array"},"bysecond":{"items":{"description":"Indicates seconds of the day to recur.","type":"number"},"nullable":true,"type":"array"},"bysetpos":{"items":{"description":"A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.","type":"number"},"nullable":true,"type":"array"},"byweekday":{"items":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday\/bysetpos` combination."},"nullable":true,"type":"array"},"byweekno":{"items":{"description":"Indicates number of the week hours to recur.","type":"number"},"nullable":true,"type":"array"},"byyearday":{"items":{"description":"Indicates the days of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"count":{"description":"Number of times the rule should recur until it stops.","type":"number"},"dtstart":{"description":"Rule start date in Coordinated Universal Time (UTC).","type":"string"},"freq":{"description":"Indicates frequency of the rule. 
Options are YEARLY, MONTHLY, WEEKLY, DAILY.","enum":[0,1,2,3,4,5,6],"type":"integer"},"interval":{"description":"Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.","type":"number"},"tzid":{"description":"Indicates timezone abbreviation.","type":"string"},"until":{"description":"Recur the rule until this date.","type":"string"},"wkst":{"description":"Indicates the start of week, defaults to Monday.","enum":["MO","TU","WE","TH","FR","SA","SU"],"type":"string"}},"required":["dtstart","tzid"]},"skipRecurrences":{"items":{"description":"Skips recurrence of rule on this date.","type":"string"},"type":"array"}},"required":["duration","rRule"]},"type":"array"},"tags":{"items":{"description":"The tags for the rule.","type":"string"},"type":"array"},"throttle":{"deprecated":true,"description":"Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"},"updated_at":{"description":"The date and time that the rule was updated most recently.","type":"string"},"updated_by":{"description":"The identifier for the user that updated this rule most recently.","nullable":true,"type":"string"},"view_in_app_relative_url":{"description":"Relative URL to view rule in the app.","nullable":true,"type":"string"}},"required":["id","enabled","name","tags","rule_type_id","consumer","schedule","actions","params","created_by","updated_by","created_at","updated_at","api_key_owner","mute_all","muted_alert_ids","execution_status","revision"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Get rule details","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."},"post":{"operationId":"post-alerting-rule-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule. 
If it is omitted, an ID is randomly generated.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createEsQueryEsqlRuleRequest":{"description":"Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.\n","summary":"Elasticsearch query rule (ES|QL)","value":{"actions":[{"frequency":{"notify_when":"onActiveAlert","summary":false},"group":"query matched","id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"}}],"consumer":"stackAlerts","name":"my Elasticsearch query ESQL rule","params":{"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"},"searchType":"esqlQuery","size":0,"threshold":[0],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":1,"timeWindowUnit":"d"},"rule_type_id":".es-query","schedule":{"interval":"1d"}}},"createEsQueryKqlRuleRequest":{"description":"Create an Elasticsearch query rule that uses Kibana query language (KQL).","summary":"Elasticsearch query rule (KQL)","value":{"consumer":"alerts","name":"my Elasticsearch query KQL rule","params":{"aggType":"count","excludeHitsFromPreviousRun":true,"groupBy":"all","searchConfiguration":{"index":"90943e30-9a47-11e8-b64d-95841ca0b247","query":{"language":"kuery","query":"\"\"geo.src : \"US\" 
\"\""}},"searchType":"searchSource","size":100,"threshold":[1000],"thresholdComparator":">","timeWindowSize":5,"timeWindowUnit":"m"},"rule_type_id":".es-query","schedule":{"interval":"1m"}}},"createEsQueryRuleRequest":{"description":"Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.\n","summary":"Elasticsearch query rule (DSL)","value":{"actions":[{"frequency":{"notify_when":"onThrottleInterval","summary":true,"throttle":"1d"},"group":"query matched","id":"fdbece50-406c-11ee-850e-c71febc4ca7f","params":{"level":"info","message":"The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."}},{"frequency":{"notify_when":"onActionGroupChange","summary":false},"group":"recovered","id":"fdbece50-406c-11ee-850e-c71febc4ca7f","params":{"level":"info","message":"Recovered"}}],"consumer":"alerts","name":"my Elasticsearch query rule","params":{"esQuery":"\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"","index":["kibana_sample_data_logs"],"size":100,"threshold":[100],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":1,"timeWindowUnit":"d"},"rule_type_id":".es-query","schedule":{"interval":"1d"}}},"createIndexThresholdRuleRequest":{"description":"Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.\n","summary":"Index threshold rule","value":{"actions":[{"frequency":{"notify_when":"onActionGroupChange","summary":false},"group":"threshold met","id":"48de3460-f401-11ed-9f8e-399c75a2deeb","params":{"level":"info","message":"Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"}}],"alert_delay":{"active":3},"consumer":"alerts","name":"my 
rule","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":[".test-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"rule_type_id":".index-threshold","schedule":{"interval":"1m"},"tags":["cpu"]}},"createTrackingContainmentRuleRequest":{"description":"Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.\n","summary":"Tracking containment rule","value":{"consumer":"alerts","name":"my tracking rule","params":{"boundaryGeoField":"location","boundaryIndexId":"0cd90abf-abe7-44c7-909a-f621bbbcfefc","boundaryIndexTitle":"boundary*","boundaryNameField":"name","boundaryType":"entireIndex","dateField":"@timestamp","entity":"agent.keyword","geoField":"geo.coordinates","index":"kibana_sample_data_logs","indexId":"90943e30-9a47-11e8-b64d-95841ca0b247"},"rule_type_id":".geo-containment","schedule":{"interval":"1h"}}}},"schema":{"anyOf":[{"discriminator":{"propertyName":"rule_type_id"},"oneOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting"
},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_es-query-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-ale
rting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting"}]},{"additionalProperties":false,"type":"object","properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the rule.","type":"object"},"rule_type_id":{"description":"The rule type identifier.","type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id"]}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"createEsQueryEsqlRuleResponse":{"description":"The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).","summary":"Elasticsearch query rule (ES|QL)","value":{"actions":[{"connector_type_id":".server-log","frequency":{"notify_when":"onActiveAlert","summary":false,"throttle":null},"group":"query matched","id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"uuid":"bfe370a3-531b-4855-bbe6-ad739f578844"}],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"stackAlerts","created_at":"2023-11-01T19:00:10.453Z","created_by":"elastic","enabled":true,"execution_status":{"last_execution_date":"2023-11-01T19:00:10.453Z","status":"pending"},"id":"e0d62360-78e8-11ee-9177-f7d404c8c945","mute_all":false,"muted_alert_ids":[],"name":"my Elasticsearch query ESQL rule","notify_when":null,"params":{"aggType":"count","esqlQuery":{"esql":"FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 
10"},"excludeHitsFromPreviousRun":true,"groupBy":"all","searchType":"esqlQuery","size":0,"threshold":[0],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":1,"timeWindowUnit":"d"},"revision":0,"rule_type_id":".es-query","running":false,"schedule":{"interval":"1d"},"scheduled_task_id":"e0d62360-78e8-11ee-9177-f7d404c8c945","tags":[],"throttle":null,"updated_at":"2023-11-01T19:00:10.453Z","updated_by":"elastic"}},"createEsQueryKqlRuleResponse":{"description":"The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).","summary":"Elasticsearch query rule (KQL)","value":{"actions":[],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2023-07-14T20:24:50.729Z","created_by":"elastic","enabled":true,"execution_status":{"last_execution_date":"2023-07-14T20:24:50.729Z","status":"pending"},"id":"7bd506d0-2284-11ee-8fad-6101956ced88","mute_all":false,"muted_alert_ids":[],"name":"my Elasticsearch query KQL rule","notify_when":null,"params":{"aggType":"count","excludeHitsFromPreviousRun":true,"groupBy":"all","searchConfiguration":{"index":"90943e30-9a47-11e8-b64d-95841ca0b247","query":{"language":"kuery","query":"\"\"geo.src : \"US\" \"\""}},"searchType":"searchSource","size":100,"threshold":[1000],"thresholdComparator":">","timeWindowSize":5,"timeWindowUnit":"m"},"revision":0,"rule_type_id":".es-query","running":false,"schedule":{"interval":"1m"},"scheduled_task_id":"7bd506d0-2284-11ee-8fad-6101956ced88","tags":[],"throttle":null,"updated_at":"2023-07-14T20:24:50.729Z","updated_by":"elastic"}},"createEsQueryRuleResponse":{"description":"The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).","summary":"Elasticsearch query rule (DSL)","value":{"actions":[{"connector_type_id":".server-log","frequency":{"notify_when":"onThrottleInterval","summary":true,"throttle":"1d"},"group":"query 
matched","id":"fdbece50-406c-11ee-850e-c71febc4ca7f","params":{"level":"info","message":"The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."},"uuid":"53f3c2a3-e5d0-4cfa-af3b-6f0881385e78"},{"connector_type_id":".server-log","frequency":{"notify_when":"onActionGroupChange","summary":false,"throttle":null},"group":"recovered","id":"fdbece50-406c-11ee-850e-c71febc4ca7f","params":{"level":"info","message":"Recovered"},"uuid":"2324e45b-c0df-45c7-9d70-4993e30be758"}],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2023-08-22T00:03:38.263Z","created_by":"elastic","enabled":true,"execution_status":{"last_execution_date":"2023-08-22T00:03:38.263Z","status":"pending"},"id":"58148c70-407f-11ee-850e-c71febc4ca7f","mute_all":false,"muted_alert_ids":[],"name":"my Elasticsearch query rule","notify_when":null,"params":{"aggType":"count","esQuery":"\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"","excludeHitsFromPreviousRun":true,"groupBy":"all","index":["kibana_sample_data_logs"],"searchType":"esQuery","size":100,"threshold":[100],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":1,"timeWindowUnit":"d"},"revision":0,"rule_type_id":".es-query","running":false,"schedule":{"interval":"1d"},"scheduled_task_id":"58148c70-407f-11ee-850e-c71febc4ca7f","tags":[],"throttle":null,"updated_at":"2023-08-22T00:03:38.263Z","updated_by":"elastic"}},"createIndexThresholdRuleResponse":{"description":"The response for successfully creating an index threshold rule.","summary":"Index threshold rule","value":{"actions":[{"connector_type_id":".server-log","frequency":{"notify_when":"onActionGroupChange","summary":false,"throttle":null},"group":"threshold met","id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}} :\n\n- Value: {{context.value}}\n- Conditions Met: 
{{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"},"uuid":"07aef2a0-9eed-4ef9-94ec-39ba58eb609d"}],"alert_delay":{"active":3},"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2022-06-08T17:20:31.632Z","created_by":"elastic","enabled":true,"execution_status":{"last_execution_date":"2022-06-08T17:20:31.632Z","status":"pending"},"id":"41893910-6bca-11eb-9e0d-85d233e3ee35","mute_all":false,"muted_alert_ids":[],"name":"my rule","notify_when":null,"params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":[".test-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"revision":0,"rule_type_id":".index-threshold","running":false,"schedule":{"interval":"1m"},"scheduled_task_id":"425b0800-6bca-11eb-9e0d-85d233e3ee35","tags":["cpu"],"throttle":null,"updated_at":"2022-06-08T17:20:31.632Z","updated_by":"elastic"}},"createTrackingContainmentRuleResponse":{"description":"The response for successfully creating a tracking containment rule.","summary":"Tracking containment rule","value":{"actions":[],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2024-02-14T19:52:55.920Z","created_by":"elastic","enabled":true,"execution_status":{"last_duration":74,"last_execution_date":"2024-02-15T03:25:38.125Z","status":"ok"},"id":"b6883f9d-5f70-4758-a66e-369d7c26012f","last_run":{"alerts_count":{"active":0,"ignored":0,"new":0,"recovered":0},"outcome":"succeeded","outcome_msg":null,"outcome_order":0,"warning":null},"mute_all":false,"muted_alert_ids":[],"name":"my tracking 
rule","next_run":"2024-02-15T03:26:38.033Z","notify_when":null,"params":{"boundaryGeoField":"location","boundaryIndexId":"0cd90abf-abe7-44c7-909a-f621bbbcfefc","boundaryIndexTitle":"boundary*","boundaryNameField":"name","boundaryType":"entireIndex","dateField":"@timestamp","entity":"agent.keyword","geoField":"geo.coordinates","index":"kibana_sample_data_logs","indexId":"90943e30-9a47-11e8-b64d-95841ca0b247"},"revision":1,"rule_type_id":".geo-containment","running":false,"schedule":{"interval":"1h"},"scheduled_task_id":"b6883f9d-5f70-4758-a66e-369d7c26012f","tags":[],"throttle":null,"updated_at":"2024-02-15T03:24:32.574Z","updated_by":"elastic"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"items":{"additionalProperties":false,"type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the 
filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"connector_type_id":{"description":"The type of connector. This property appears in responses but cannot be set in requests.","type":"string"},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id","connector_type_id","params"]},"type":"array"},"active_snoozes":{"items":{"description":"List of active snoozes for the rule.","type":"string"},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"api_key_created_by_user":{"description":"Indicates whether the API key that is associated with the rule was created by the user.","nullable":true,"type":"boolean"},"api_key_owner":{"description":"The owner of the API key that is associated with the rule and used to run background tasks.","nullable":true,"type":"string"},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"description":"User-created content that describes alert causes and remediation.","type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"created_at":{"description":"The date and time that the rule was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the rule.","nullable":true,"type":"string"},"enabled":{"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"execution_status":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Error message.","type":"string"},"reason":{"description":"Reason for error.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate"],"type":"string"}},"required":["reason","message"]},"last_duration":{"description":"Duration of last execution of the rule.","type":"number"},"last_execution_date":{"description":"The date and time when rule was executed last.","type":"string"},"status":{"description":"Status of rule execution.","enum":["ok","active","error","warning","pending","unknown"],"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Warning message.","type":"string"},"reason":{"description":"Reason for warning.","enum":["maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"type":"string"}},"required":["reason","message"]}},"required":["status","last_execution_date"]},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"id":{"description":"The identifier for the rule.","type":"string"},"is_snoozed_until":{"description":"The date when the rule will no longer be snoozed.","nullable":true,"type":"string"},"last_run":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"alerts_count":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"Number of active alerts during last run.","nullable":true,"type":"number"},"ignored":{"description":"Number of ignored alerts during last run.","nullable":true,"type":"number"},"new":{"description":"Number of new alerts during last run.","nullable":true,"type":"number"},"recovered":{"description":"Number of recovered alerts during last run.","nullable":true,"type":"number"}}},"outcome":{"description":"Outcome of last run of the rule. 
Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"outcome_msg":{"items":{"description":"Outcome message generated during last rule run.","type":"string"},"nullable":true,"type":"array"},"outcome_order":{"description":"Order of the outcome.","type":"number"},"warning":{"description":"Warning of last rule execution.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate","maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"nullable":true,"type":"string"}},"required":["outcome","alerts_count"]},"mapped_params":{"additionalProperties":{"nullable":true},"type":"object"},"monitoring":{"additionalProperties":false,"description":"Monitoring details of the rule.","type":"object","properties":{"run":{"additionalProperties":false,"description":"Rule run details.","type":"object","properties":{"calculated_metrics":{"additionalProperties":false,"description":"Calculation of different percentiles and success ratio.","type":"object","properties":{"p50":{"type":"number"},"p95":{"type":"number"},"p99":{"type":"number"},"success_ratio":{"type":"number"}},"required":["success_ratio"]},"history":{"description":"History of the rule run.","items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule run.","type":"number"},"outcome":{"description":"Outcome of last run of the rule. 
Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"success":{"description":"Indicates whether the rule run was successful.","type":"boolean"},"timestamp":{"description":"Time of rule run.","type":"number"}},"required":["success","timestamp"]},"type":"array"},"last_run":{"additionalProperties":false,"type":"object","properties":{"metrics":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of most recent rule run.","type":"number"},"gap_duration_s":{"description":"Duration in seconds of rule run gap.","nullable":true,"type":"number"},"gap_range":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"gte":{"description":"End of the gap range.","type":"string"},"lte":{"description":"Start of the gap range.","type":"string"}},"required":["lte","gte"]},"total_alerts_created":{"description":"Total number of alerts created during last rule run.","nullable":true,"type":"number"},"total_alerts_detected":{"description":"Total number of alerts detected during last rule run.","nullable":true,"type":"number"},"total_indexing_duration_ms":{"description":"Total time spent indexing documents during last rule run in milliseconds.","nullable":true,"type":"number"},"total_search_duration_ms":{"description":"Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.","nullable":true,"type":"number"}}},"timestamp":{"description":"Time of the most recent rule run.","type":"string"}},"required":["timestamp","metrics"]}},"required":["history","calculated_metrics","last_run"]}},"required":["run"]},"mute_all":{"description":"Indicates whether all alerts are muted.","type":"boolean"},"muted_alert_ids":{"items":{"description":"List of identifiers of muted alerts. 
","type":"string"},"type":"array"},"name":{"description":" The name of the rule.","type":"string"},"next_run":{"description":"Date and time of the next run of the rule.","nullable":true,"type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the rule.","type":"object"},"revision":{"description":"The rule revision number.","type":"number"},"rule_type_id":{"description":"The rule type identifier.","type":"string"},"running":{"description":"Indicates whether the rule is running.","nullable":true,"type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"scheduled_task_id":{"description":"Identifier of the scheduled task.","type":"string"},"snooze_schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule snooze schedule.","type":"number"},"id":{"description":"Identifier of the rule snooze 
schedule.","type":"string"},"rRule":{"additionalProperties":false,"type":"object","properties":{"byhour":{"items":{"description":"Indicates hours of the day to recur.","type":"number"},"nullable":true,"type":"array"},"byminute":{"items":{"description":"Indicates minutes of the hour to recur.","type":"number"},"nullable":true,"type":"array"},"bymonth":{"items":{"description":"Indicates months of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"bymonthday":{"items":{"description":"Indicates the days of the month to recur.","type":"number"},"nullable":true,"type":"array"},"bysecond":{"items":{"description":"Indicates seconds of the day to recur.","type":"number"},"nullable":true,"type":"array"},"bysetpos":{"items":{"description":"A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.","type":"number"},"nullable":true,"type":"array"},"byweekday":{"items":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday\/bysetpos` combination."},"nullable":true,"type":"array"},"byweekno":{"items":{"description":"Indicates number of the week hours to recur.","type":"number"},"nullable":true,"type":"array"},"byyearday":{"items":{"description":"Indicates the days of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"count":{"description":"Number of times the rule should recur until it stops.","type":"number"},"dtstart":{"description":"Rule start date in Coordinated Universal Time (UTC).","type":"string"},"freq":{"description":"Indicates frequency of the rule. 
Options are YEARLY, MONTHLY, WEEKLY, DAILY.","enum":[0,1,2,3,4,5,6],"type":"integer"},"interval":{"description":"Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.","type":"number"},"tzid":{"description":"Indicates timezone abbreviation.","type":"string"},"until":{"description":"Recur the rule until this date.","type":"string"},"wkst":{"description":"Indicates the start of week, defaults to Monday.","enum":["MO","TU","WE","TH","FR","SA","SU"],"type":"string"}},"required":["dtstart","tzid"]},"skipRecurrences":{"items":{"description":"Skips recurrence of rule on this date.","type":"string"},"type":"array"}},"required":["duration","rRule"]},"type":"array"},"tags":{"items":{"description":"The tags for the rule.","type":"string"},"type":"array"},"throttle":{"deprecated":true,"description":"Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"},"updated_at":{"description":"The date and time that the rule was updated most recently.","type":"string"},"updated_by":{"description":"The identifier for the user that updated this rule most recently.","nullable":true,"type":"string"},"view_in_app_relative_url":{"description":"Relative URL to view rule in the app.","nullable":true,"type":"string"}},"required":["id","enabled","name","tags","rule_type_id","consumer","schedule","actions","params","created_by","updated_by","created_at","updated_at","api_key_owner","mute_all","muted_alert_ids","execution_status","revision"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"409":{"description":"Indicates that the rule id is already in use."}},"summary":"Create a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."},"put":{"operationId":"put-alerting-rule-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"updateRuleRequest":{"description":"Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.","summary":"Index 
threshold rule","value":{"actions":[{"frequency":{"notify_when":"onActionGroupChange","summary":false},"group":"threshold met","id":"96b668d0-a1b6-11ed-afdf-d39a49596974","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"}}],"name":"new name","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":[".updated-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"schedule":{"interval":"1m"},"tags":[]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the 
filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. 
While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the rule.","type":"object"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"items":{"description":"The tags for the rule.","type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","schedule"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"updateRuleResponse":{"description":"The response for successfully updating an index threshold rule.","summary":"Index threshold rule","value":{"actions":[{"connector_type_id":".server-log","frequency":{"notify_when":"onActionGroupChange","summary":false,"throttle":null},"group":"threshold met","id":"96b668d0-a1b6-11ed-afdf-d39a49596974","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}"},"uuid":"07aef2a0-9eed-4ef9-94ec-39ba58eb609d"}],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2024-03-26T23:13:20.985Z","created_by":"elastic","enabled":true,"execution_status":{"last_duration":52,"last_execution_date":"2024-03-26T23:22:51.390Z","status":"ok"},"id":"ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74","last_run":{"alerts_count":{"active":0,"ignored":0,"new":0,"recovered":0},"outcome":"succeeded","outcome_msg":null,"warning":null},"mute_all":false,"muted_alert_ids":[],"name":"new 
name","next_run":"2024-03-26T23:23:51.316Z","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":[".updated-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"revision":1,"rule_type_id":".index-threshold","running":false,"schedule":{"interval":"1m"},"scheduled_task_id":"4c5eda00-e74f-11ec-b72f-5b18752ff9ea","tags":[],"throttle":null,"updated_at":"2024-03-26T23:22:59.949Z","updated_by":"elastic"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"items":{"additionalProperties":false,"type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"connector_type_id":{"description":"The type of connector. This property appears in responses but cannot be set in requests.","type":"string"},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id","connector_type_id","params"]},"type":"array"},"active_snoozes":{"items":{"description":"List of active snoozes for the rule.","type":"string"},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"api_key_created_by_user":{"description":"Indicates whether the API key that is associated with the rule was created by the user.","nullable":true,"type":"boolean"},"api_key_owner":{"description":"The owner of the API key that is associated with the rule and used to run background tasks.","nullable":true,"type":"string"},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"description":"User-created content that describes alert causes and remediation.","type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"created_at":{"description":"The date and time that the rule was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the rule.","nullable":true,"type":"string"},"enabled":{"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"execution_status":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Error message.","type":"string"},"reason":{"description":"Reason for error.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate"],"type":"string"}},"required":["reason","message"]},"last_duration":{"description":"Duration of last execution of the rule.","type":"number"},"last_execution_date":{"description":"The date and time when rule was executed last.","type":"string"},"status":{"description":"Status of rule execution.","enum":["ok","active","error","warning","pending","unknown"],"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Warning message.","type":"string"},"reason":{"description":"Reason for warning.","enum":["maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"type":"string"}},"required":["reason","message"]}},"required":["status","last_execution_date"]},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"id":{"description":"The identifier for the rule.","type":"string"},"is_snoozed_until":{"description":"The date when the rule will no longer be snoozed.","nullable":true,"type":"string"},"last_run":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"alerts_count":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"Number of active alerts during last run.","nullable":true,"type":"number"},"ignored":{"description":"Number of ignored alerts during last run.","nullable":true,"type":"number"},"new":{"description":"Number of new alerts during last run.","nullable":true,"type":"number"},"recovered":{"description":"Number of recovered alerts during last run.","nullable":true,"type":"number"}}},"outcome":{"description":"Outcome of last run of the rule. 
Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"outcome_msg":{"items":{"description":"Outcome message generated during last rule run.","type":"string"},"nullable":true,"type":"array"},"outcome_order":{"description":"Order of the outcome.","type":"number"},"warning":{"description":"Warning of last rule execution.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate","maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"nullable":true,"type":"string"}},"required":["outcome","alerts_count"]},"mapped_params":{"additionalProperties":{"nullable":true},"type":"object"},"monitoring":{"additionalProperties":false,"description":"Monitoring details of the rule.","type":"object","properties":{"run":{"additionalProperties":false,"description":"Rule run details.","type":"object","properties":{"calculated_metrics":{"additionalProperties":false,"description":"Calculation of different percentiles and success ratio.","type":"object","properties":{"p50":{"type":"number"},"p95":{"type":"number"},"p99":{"type":"number"},"success_ratio":{"type":"number"}},"required":["success_ratio"]},"history":{"description":"History of the rule run.","items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule run.","type":"number"},"outcome":{"description":"Outcome of last run of the rule. 
Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"success":{"description":"Indicates whether the rule run was successful.","type":"boolean"},"timestamp":{"description":"Time of rule run.","type":"number"}},"required":["success","timestamp"]},"type":"array"},"last_run":{"additionalProperties":false,"type":"object","properties":{"metrics":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of most recent rule run.","type":"number"},"gap_duration_s":{"description":"Duration in seconds of rule run gap.","nullable":true,"type":"number"},"gap_range":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"gte":{"description":"End of the gap range.","type":"string"},"lte":{"description":"Start of the gap range.","type":"string"}},"required":["lte","gte"]},"total_alerts_created":{"description":"Total number of alerts created during last rule run.","nullable":true,"type":"number"},"total_alerts_detected":{"description":"Total number of alerts detected during last rule run.","nullable":true,"type":"number"},"total_indexing_duration_ms":{"description":"Total time spent indexing documents during last rule run in milliseconds.","nullable":true,"type":"number"},"total_search_duration_ms":{"description":"Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.","nullable":true,"type":"number"}}},"timestamp":{"description":"Time of the most recent rule run.","type":"string"}},"required":["timestamp","metrics"]}},"required":["history","calculated_metrics","last_run"]}},"required":["run"]},"mute_all":{"description":"Indicates whether all alerts are muted.","type":"boolean"},"muted_alert_ids":{"items":{"description":"List of identifiers of muted alerts. 
","type":"string"},"type":"array"},"name":{"description":" The name of the rule.","type":"string"},"next_run":{"description":"Date and time of the next run of the rule.","nullable":true,"type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the rule.","type":"object"},"revision":{"description":"The rule revision number.","type":"number"},"rule_type_id":{"description":"The rule type identifier.","type":"string"},"running":{"description":"Indicates whether the rule is running.","nullable":true,"type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"scheduled_task_id":{"description":"Identifier of the scheduled task.","type":"string"},"snooze_schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule snooze schedule.","type":"number"},"id":{"description":"Identifier of the rule snooze 
schedule.","type":"string"},"rRule":{"additionalProperties":false,"type":"object","properties":{"byhour":{"items":{"description":"Indicates hours of the day to recur.","type":"number"},"nullable":true,"type":"array"},"byminute":{"items":{"description":"Indicates minutes of the hour to recur.","type":"number"},"nullable":true,"type":"array"},"bymonth":{"items":{"description":"Indicates months of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"bymonthday":{"items":{"description":"Indicates the days of the month to recur.","type":"number"},"nullable":true,"type":"array"},"bysecond":{"items":{"description":"Indicates seconds of the day to recur.","type":"number"},"nullable":true,"type":"array"},"bysetpos":{"items":{"description":"A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.","type":"number"},"nullable":true,"type":"array"},"byweekday":{"items":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday\/bysetpos` combination."},"nullable":true,"type":"array"},"byweekno":{"items":{"description":"Indicates number of the week hours to recur.","type":"number"},"nullable":true,"type":"array"},"byyearday":{"items":{"description":"Indicates the days of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"count":{"description":"Number of times the rule should recur until it stops.","type":"number"},"dtstart":{"description":"Rule start date in Coordinated Universal Time (UTC).","type":"string"},"freq":{"description":"Indicates frequency of the rule. 
Options are YEARLY, MONTHLY, WEEKLY, DAILY.","enum":[0,1,2,3,4,5,6],"type":"integer"},"interval":{"description":"Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.","type":"number"},"tzid":{"description":"Indicates timezone abbreviation.","type":"string"},"until":{"description":"Recur the rule until this date.","type":"string"},"wkst":{"description":"Indicates the start of week, defaults to Monday.","enum":["MO","TU","WE","TH","FR","SA","SU"],"type":"string"}},"required":["dtstart","tzid"]},"skipRecurrences":{"items":{"description":"Skips recurrence of rule on this date.","type":"string"},"type":"array"}},"required":["duration","rRule"]},"type":"array"},"tags":{"items":{"description":"The tags for the rule.","type":"string"},"type":"array"},"throttle":{"deprecated":true,"description":"Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"},"updated_at":{"description":"The date and time that the rule was updated most recently.","type":"string"},"updated_by":{"description":"The identifier for the user that updated this rule most recently.","nullable":true,"type":"string"},"view_in_app_relative_url":{"description":"Relative URL to view rule in the app.","nullable":true,"type":"string"}},"required":["id","enabled","name","tags","rule_type_id","consumer","schedule","actions","params","created_by","updated_by","created_at","updated_at","api_key_owner","mute_all","muted_alert_ids","execution_status","revision"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."},"409":{"description":"Indicates that the rule has already been updated by another user."}},"summary":"Update a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/alerting\/rule\/{id}\/_disable":{"post":{"operationId":"post-alerting-rule-id-disable","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the 
rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"disableRuleRequest":{"description":"A request that disables a rule and untracks all alerts that were generated by the rule.","summary":"Disable a rule and untrack its alerts","value":{"untrack":true}}},"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"untrack":{"description":"Defines whether this rule's alerts should be untracked.","type":"boolean"}},"x-oas-optional":true}}}},"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Disable a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{id}\/_disable<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/alerting\/rule\/{id}\/_enable":{"post":{"operationId":"post-alerting-rule-id-enable","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Enable a 
rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{id}\/_enable<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/alerting\/rule\/{id}\/_mute_all":{"post":{"operationId":"post-alerting-rule-id-mute-all","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Mute all alerts","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{id}\/_mute_all<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/alerting\/rule\/{id}\/_unmute_all":{"post":{"operationId":"post-alerting-rule-id-unmute-all","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a 
successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Unmute all alerts","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{id}\/_unmute_all<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/alerting\/rule\/{id}\/_update_api_key":{"post":{"operationId":"post-alerting-rule-id-update-api-key","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."},"409":{"description":"Indicates that the rule has already been updated by another user."}},"summary":"Update the API key for a rule","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{id}\/_update_api_key<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information."}},"\/api\/alerting\/rule\/{id}\/snooze_schedule":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{id}\/snooze_schedule<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nWhen you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes.","operationId":"post-alerting-rule-id-snooze-schedule","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Identifier of the rule.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"snoozeRuleRecurringRequest":{"description":"A request that snoozes a rule every Monday for 8 hours, for 4 occurrences.","summary":"Snooze a rule on a recurring weekly schedule","value":{"schedule":{"custom":{"duration":"8h","recurring":{"every":"1w","occurrences":4,"onWeekDay":["MO"]},"start":"2025-03-17T09:00:00.000Z","timezone":"UTC"}}}},"snoozeRuleRequest":{"description":"A request that snoozes a rule for 24 hours starting now.","summary":"Snooze a rule for 24 hours","value":{"schedule":{"custom":{"duration":"24h","start":"2025-03-12T12:00:00.000Z","timezone":"UTC"}}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. 
For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","minimum":1,"type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"maximum":12,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"maximum":31,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"minItems":1,"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. 
The default timezone is UTC.","type":"string"}},"required":["start","duration"]}}}},"required":["schedule"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"snoozeRuleResponse":{"description":"A response that contains the created snooze schedule.","summary":"Snooze schedule response","value":{"schedule":{"custom":{"duration":"24h","start":"2025-03-12T12:00:00.000Z","timezone":"UTC"},"id":"9ac67950-6737-11ec-8ded-d7f6e1581b26"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"body":{"additionalProperties":false,"type":"object","properties":{"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3M`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","minimum":1,"type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"maximum":12,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. 
Valid values are 1-31.","items":{"maximum":31,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"minItems":1,"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]},"id":{"description":"Identifier of the snooze schedule.","type":"string"}},"required":["id"]}},"required":["schedule"]}},"required":["body"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given id does not exist."}},"summary":"Schedule a snooze for the rule","tags":["alerting"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/alerting\/rule\/{rule_id}\/alert\/{alert_id}\/_mute":{"post":{"operationId":"post-alerting-rule-rule-id-alert-alert-id-mute","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"rule_id","required":true,"schema":{"type":"string"}},{"description":"The identifier for the alert.","in":"path","name":"alert_id","required":true,"schema":{"type":"string"}},{"description":"Whether to validate the existence of the alert.","in":"query","name":"validate_alerts_existence","required":false,"schema":{"type":"boolean"}}],"responses":{"204":{"description":"Indicates a successful 
call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule or alert with the given ID does not exist."}},"summary":"Mute an alert","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{rule_id}\/alert\/{alert_id}\/_mute<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/alerting\/rule\/{rule_id}\/alert\/{alert_id}\/_unmute":{"post":{"operationId":"post-alerting-rule-rule-id-alert-alert-id-unmute","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"rule_id","required":true,"schema":{"type":"string"}},{"description":"The identifier for the alert.","in":"path","name":"alert_id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule or alert with the given ID does not exist."}},"summary":"Unmute an alert","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{rule_id}\/alert\/{alert_id}\/_unmute<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) 
for more information."}},"\/api\/alerting\/rule\/{ruleId}\/snooze_schedule\/{scheduleId}":{"delete":{"operationId":"delete-alerting-rule-ruleid-snooze-schedule-scheduleid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the rule.","in":"path","name":"ruleId","required":true,"schema":{"type":"string"}},{"description":"The identifier for the snooze schedule.","in":"path","name":"scheduleId","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given id does not exist."}},"summary":"Delete a snooze schedule for a rule","tags":["alerting"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rule\/{ruleId}\/snooze_schedule\/{scheduleId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/alerting\/rules\/_find":{"get":{"operationId":"get-alerting-rules-find","parameters":[{"description":"The number of rules to return per page.","in":"query","name":"per_page","required":false,"schema":{"default":10,"minimum":0,"type":"number"}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"default":1,"minimum":1,"type":"number"}},{"description":"An Elasticsearch simple_query_string query that filters the objects in the response.","in":"query","name":"search","required":false,"schema":{"type":"string"}},{"description":"The default 
operator to use for the simple_query_string.","in":"query","name":"default_search_operator","required":false,"schema":{"default":"OR","enum":["OR","AND"],"type":"string"}},{"description":"The fields to perform the simple_query_string parsed query against.","in":"query","name":"search_fields","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Determines which field is used to sort the results. The field must exist in the `attributes` key of the response.","in":"query","name":"sort_field","required":false,"schema":{"type":"string"}},{"description":"Determines the sort order.","in":"query","name":"sort_order","required":false,"schema":{"enum":["asc","desc"],"type":"string"}},{"description":"Filters the rules that have a relation with the reference objects with a specific type and identifier.","in":"query","name":"has_reference","required":false,"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["type","id"]}},{"description":"The fields to return in the `attributes` key of the response.","in":"query","name":"fields","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: \"myTitle\"`. 
However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.","in":"query","name":"filter","required":false,"schema":{"type":"string"}},{"in":"query","name":"filter_consumers","required":false,"schema":{"items":{"description":"List of consumers to filter.","type":"string"},"type":"array"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"findConditionalActionRulesResponse":{"description":"A response that contains information about an index threshold rule.","summary":"Index threshold rule","value":{"data":[{"actions":[{"frequency":{"notify_when":"onActionGroupChange","summary":false,"throttle":null},"group":"threshold met","id":"9dca3e00-74f5-11ed-9801-35303b735aef","params":{"connector_type_id":".server-log","level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"},"uuid":"1c7a1280-f28c-4e06-96b2-e4e5f05d1d61"}],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"alerts","created_at":"2022-12-05T23:40:33.132Z","created_by":"elastic","enabled":true,"execution_status":{"last_duration":48,"last_execution_date":"2022-12-06T01:44:23.983Z","status":"ok"},"id":"3583a470-74f6-11ed-9801-35303b735aef","last_run":{"alerts_count":{"active":0,"ignored":0,"new":0,"recovered":0},"outcome":"succeeded","outcome_msg":null,"warning":null},"mute_all":false,"muted_alert_ids":[],"name":"my 
alert","next_run":"2022-12-06T01:45:23.912Z","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":["test-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"revision":1,"rule_type_id":".index-threshold","schedule":{"interval":"1m"},"scheduled_task_id":"3583a470-74f6-11ed-9801-35303b735aef","tags":["cpu"],"throttle":null,"updated_at":"2022-12-05T23:40:33.132Z","updated_by":"elastic"}],"page":1,"per_page":10,"total":1}},"findRulesResponse":{"description":"A response that contains information about a security rule that has conditional actions.","summary":"Security rule","value":{"data":[{"actions":[{"alerts_filter":{"query":{"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"field":"client.geo.region_iso_code","index":"c4bdca79-e69e-4d80-82a1-e5192c621bea","key":"client.geo.region_iso_code","negate":false,"params":{"query":"CA-QC","type":"phrase"}},"query":{"match_phrase":{"client.geo.region_iso_code":"CA-QC"}}}],"kql":""},"timeframe":{"days":[7],"hours":{"end":"17:00","start":"08:00"},"timezone":"UTC"}},"connector_type_id":".index","frequency":{"notify_when":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"49eae970-f401-11ed-9f8e-399c75a2deeb","params":{"documents":[{"alert_id":{"[object Object]":null},"context_message":{"[object Object]":null},"rule_id":{"[object Object]":null},"rule_name":{"[object Object]":null}}]},"uuid":"1c7a1280-f28c-4e06-96b2-e4e5f05d1d61"}],"api_key_created_by_user":false,"api_key_owner":"elastic","consumer":"siem","created_at":"2023-05-16T15:50:28.358Z","created_by":"elastic","enabled":true,"execution_status":{"last_duration":166,"last_execution_date":"2023-05-16T20:26:49.590Z","status":"ok"},"id":"6107a8f0-f401-11ed-9f8e-399c75a2deeb","last_run":{"alerts_count":{"active":0,"ignored":0,"new":0,"recovered":0},"outcome":"succeeded","outcome_msg":["Rule execution 
completed successfully"],"outcome_order":0,"warning":null},"mute_all":false,"muted_alert_ids":[],"name":"security_rule","next_run":"2023-05-16T20:27:49.507Z","notify_when":null,"params":{"author":[],"description":"A security threshold rule.","exceptionsList":[],"falsePositives":[],"filters":[],"from":"now-3660s","immutable":false,"index":["kibana_sample_data_logs"],"language":"kuery","license":"","maxSignals":100,"meta":{"from":"1h","kibana_siem_app_url":"https:\/\/localhost:5601\/app\/security"},"outputIndex":"","query":"*","references":[],"riskScore":21,"riskScoreMapping":[],"ruleId":"an_internal_rule_id","severity":"low","severityMapping":[],"threat":[],"threshold":{"cardinality":[],"field":["bytes"],"value":1},"to":"now","type":"threshold","version":1},"revision":1,"rule_type_id":"siem.thresholdRule","running":false,"schedule":{"interval":"1m"},"scheduled_task_id":"6107a8f0-f401-11ed-9f8e-399c75a2deeb","tags":[],"throttle":null,"updated_at":"2023-05-16T20:25:42.559Z","updated_by":"elastic"}],"page":1,"per_page":10,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actions":{"items":{"additionalProperties":false,"type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied 
globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"connector_type_id":{"description":"The type of connector. This property appears in responses but cannot be set in requests.","type":"string"},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id","connector_type_id","params"]},"type":"array"},"active_snoozes":{"items":{"description":"List of active snoozes for the rule.","type":"string"},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"api_key_created_by_user":{"description":"Indicates whether the API key that is associated with the rule was created by the user.","nullable":true,"type":"boolean"},"api_key_owner":{"description":"The owner of the API key that is associated with the rule and used to run background tasks.","nullable":true,"type":"string"},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"description":"User-created content that describes alert causes and remediation.","type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"created_at":{"description":"The date and time that the rule was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the rule.","nullable":true,"type":"string"},"enabled":{"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"execution_status":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Error message.","type":"string"},"reason":{"description":"Reason for error.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate"],"type":"string"}},"required":["reason","message"]},"last_duration":{"description":"Duration of last execution of the rule.","type":"number"},"last_execution_date":{"description":"The date and time when rule was executed last.","type":"string"},"status":{"description":"Status of rule execution.","enum":["ok","active","error","warning","pending","unknown"],"type":"string"},"warning":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"Warning message.","type":"string"},"reason":{"description":"Reason for warning.","enum":["maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"type":"string"}},"required":["reason","message"]}},"required":["status","last_execution_date"]},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"id":{"description":"The identifier for the rule.","type":"string"},"is_snoozed_until":{"description":"The date when the rule will no longer be snoozed.","nullable":true,"type":"string"},"last_run":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"alerts_count":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"Number of active alerts during last run.","nullable":true,"type":"number"},"ignored":{"description":"Number of ignored alerts during last run.","nullable":true,"type":"number"},"new":{"description":"Number of new alerts during last run.","nullable":true,"type":"number"},"recovered":{"description":"Number of recovered alerts during last run.","nullable":true,"type":"number"}}},"outcome":{"description":"Outcome of last run of the rule. 
Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"outcome_msg":{"items":{"description":"Outcome message generated during last rule run.","type":"string"},"nullable":true,"type":"array"},"outcome_order":{"description":"Order of the outcome.","type":"number"},"warning":{"description":"Warning of last rule execution.","enum":["read","decrypt","execute","unknown","license","timeout","disabled","validate","maxExecutableActions","maxAlerts","maxQueuedActions","ruleExecution"],"nullable":true,"type":"string"}},"required":["outcome","alerts_count"]},"mapped_params":{"additionalProperties":{"nullable":true},"type":"object"},"monitoring":{"additionalProperties":false,"description":"Monitoring details of the rule.","type":"object","properties":{"run":{"additionalProperties":false,"description":"Rule run details.","type":"object","properties":{"calculated_metrics":{"additionalProperties":false,"description":"Calculation of different percentiles and success ratio.","type":"object","properties":{"p50":{"type":"number"},"p95":{"type":"number"},"p99":{"type":"number"},"success_ratio":{"type":"number"}},"required":["success_ratio"]},"history":{"description":"History of the rule run.","items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule run.","type":"number"},"outcome":{"description":"Outcome of last run of the rule. 
Value could be succeeded, warning or failed.","enum":["succeeded","warning","failed"],"type":"string"},"success":{"description":"Indicates whether the rule run was successful.","type":"boolean"},"timestamp":{"description":"Time of rule run.","type":"number"}},"required":["success","timestamp"]},"type":"array"},"last_run":{"additionalProperties":false,"type":"object","properties":{"metrics":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of most recent rule run.","type":"number"},"gap_duration_s":{"description":"Duration in seconds of rule run gap.","nullable":true,"type":"number"},"gap_range":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"gte":{"description":"End of the gap range.","type":"string"},"lte":{"description":"Start of the gap range.","type":"string"}},"required":["lte","gte"]},"total_alerts_created":{"description":"Total number of alerts created during last rule run.","nullable":true,"type":"number"},"total_alerts_detected":{"description":"Total number of alerts detected during last rule run.","nullable":true,"type":"number"},"total_indexing_duration_ms":{"description":"Total time spent indexing documents during last rule run in milliseconds.","nullable":true,"type":"number"},"total_search_duration_ms":{"description":"Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.","nullable":true,"type":"number"}}},"timestamp":{"description":"Time of the most recent rule run.","type":"string"}},"required":["timestamp","metrics"]}},"required":["history","calculated_metrics","last_run"]}},"required":["run"]},"mute_all":{"description":"Indicates whether all alerts are muted.","type":"boolean"},"muted_alert_ids":{"items":{"description":"List of identifiers of muted alerts. 
","type":"string"},"type":"array"},"name":{"description":" The name of the rule.","type":"string"},"next_run":{"description":"Date and time of the next run of the rule.","nullable":true,"type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the rule.","type":"object"},"revision":{"description":"The rule revision number.","type":"number"},"rule_type_id":{"description":"The rule type identifier.","type":"string"},"running":{"description":"Indicates whether the rule is running.","nullable":true,"type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"scheduled_task_id":{"description":"Identifier of the scheduled task.","type":"string"},"snooze_schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"Duration of the rule snooze schedule.","type":"number"},"id":{"description":"Identifier of the rule snooze 
schedule.","type":"string"},"rRule":{"additionalProperties":false,"type":"object","properties":{"byhour":{"items":{"description":"Indicates hours of the day to recur.","type":"number"},"nullable":true,"type":"array"},"byminute":{"items":{"description":"Indicates minutes of the hour to recur.","type":"number"},"nullable":true,"type":"array"},"bymonth":{"items":{"description":"Indicates months of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"bymonthday":{"items":{"description":"Indicates the days of the month to recur.","type":"number"},"nullable":true,"type":"array"},"bysecond":{"items":{"description":"Indicates seconds of the day to recur.","type":"number"},"nullable":true,"type":"array"},"bysetpos":{"items":{"description":"A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.","type":"number"},"nullable":true,"type":"array"},"byweekday":{"items":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday\/bysetpos` combination."},"nullable":true,"type":"array"},"byweekno":{"items":{"description":"Indicates number of the week hours to recur.","type":"number"},"nullable":true,"type":"array"},"byyearday":{"items":{"description":"Indicates the days of the year that this rule should recur.","type":"number"},"nullable":true,"type":"array"},"count":{"description":"Number of times the rule should recur until it stops.","type":"number"},"dtstart":{"description":"Rule start date in Coordinated Universal Time (UTC).","type":"string"},"freq":{"description":"Indicates frequency of the rule. 
Options are YEARLY, MONTHLY, WEEKLY, DAILY.","enum":[0,1,2,3,4,5,6],"type":"integer"},"interval":{"description":"Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.","type":"number"},"tzid":{"description":"Indicates timezone abbreviation.","type":"string"},"until":{"description":"Recur the rule until this date.","type":"string"},"wkst":{"description":"Indicates the start of week, defaults to Monday.","enum":["MO","TU","WE","TH","FR","SA","SU"],"type":"string"}},"required":["dtstart","tzid"]},"skipRecurrences":{"items":{"description":"Skips recurrence of rule on this date.","type":"string"},"type":"array"}},"required":["duration","rRule"]},"type":"array"},"tags":{"items":{"description":"The tags for the rule.","type":"string"},"type":"array"},"throttle":{"deprecated":true,"description":"Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"},"updated_at":{"description":"The date and time that the rule was updated most recently.","type":"string"},"updated_by":{"description":"The identifier for the user that updated this rule most recently.","nullable":true,"type":"string"},"view_in_app_relative_url":{"description":"Relative URL to view rule in the app.","nullable":true,"type":"string"}},"required":["id","enabled","name","tags","rule_type_id","consumer","schedule","actions","params","created_by","updated_by","created_at","updated_at","api_key_owner","mute_all","muted_alert_ids","execution_status","revision"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Get information about rules","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rules\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/alerting\/rules\/backfill\/_find":{"post":{"operationId":"post-alerting-rules-backfill-find","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The end date for filtering backfills.","in":"query","name":"end","required":false,"schema":{"type":"string"}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"default":1,"minimum":1,"type":"number"}},{"description":"The number of backfills to return per 
page.","in":"query","name":"per_page","required":false,"schema":{"default":10,"minimum":0,"type":"number"}},{"description":"A comma-separated list of rule identifiers.","in":"query","name":"rule_ids","required":false,"schema":{"type":"string"}},{"description":"The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills.","in":"query","name":"initiator","required":false,"schema":{"enum":["user","system"],"type":"string"}},{"description":"The start date for filtering backfills.","in":"query","name":"start","required":false,"schema":{"type":"string"}},{"description":"The field to sort backfills by.","in":"query","name":"sort_field","required":false,"schema":{"enum":["createdAt","start"],"type":"string"}},{"description":"The sort order.","in":"query","name":"sort_order","required":false,"schema":{"enum":["asc","desc"],"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"findBackfillResponse":{"summary":"Find backfills response","value":{"data":[{"created_at":"2024-01-30T00:00:00.000Z","duration":"12h","enabled":true,"id":"85bdf571-f4fb-4666-a8d2-e05e1220ebc6","initiator":"user","rule":{"api_key_owner":"elastic","consumer":"alerts","created_at":"2022-12-05T23:40:33.132Z","created_by":"elastic","enabled":true,"id":"3583a470-74f6-11ed-9801-35303b735aef","name":"my 
alert","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":["test-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"revision":0,"rule_type_id":".index-threshold","schedule":{"interval":"1m"},"tags":["cpu"],"updated_at":"2022-12-05T23:40:33.132Z","updated_by":"elastic"},"schedule":[{"interval":"12h","run_at":"2024-01-01T12:00:00.000Z","status":"pending"},{"interval":"12h","run_at":"2024-01-02T00:00:00.000Z","status":"pending"}],"space_id":"default","start":"2024-01-01T00:00:00.000Z","status":"pending"}],"page":1,"per_page":10,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"data":{"items":{"additionalProperties":false,"type":"object","properties":{"created_at":{"type":"string"},"duration":{"type":"string"},"enabled":{"type":"boolean"},"end":{"type":"string"},"id":{"type":"string"},"initiator":{"enum":["user","system"],"type":"string"},"initiator_id":{"type":"string"},"rule":{"additionalProperties":false,"type":"object","properties":{"api_key_created_by_user":{"nullable":true,"type":"boolean"},"api_key_owner":{"nullable":true,"type":"string"},"consumer":{"type":"string"},"created_at":{"type":"string"},"created_by":{"nullable":true,"type":"string"},"enabled":{"type":"boolean"},"id":{"type":"string"},"name":{"type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the 
rule.","type":"object"},"revision":{"type":"number"},"rule_type_id":{"type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"type":"string"}},"required":["interval"]},"tags":{"items":{"type":"string"},"type":"array"},"updated_at":{"type":"string"},"updated_by":{"nullable":true,"type":"string"}},"required":["id","name","tags","rule_type_id","params","api_key_owner","consumer","enabled","schedule","created_by","updated_by","created_at","updated_at","revision"]},"schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"interval":{"type":"string"},"run_at":{"type":"string"},"status":{"enum":["complete","pending","running","error","timeout"],"type":"string"}},"required":["run_at","status","interval"]},"type":"array"},"space_id":{"type":"string"},"start":{"type":"string"},"status":{"enum":["complete","pending","running","error","timeout"],"type":"string"}},"required":["id","created_at","duration","enabled","rule","space_id","initiator","start","status","schedule"]},"type":"array"},"page":{"type":"number"},"per_page":{"type":"number"},"total":{"type":"number"}},"required":["page","per_page","total","data"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Find backfills for rules","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rules\/backfill\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/alerting\/rules\/backfill\/_schedule":{"post":{"operationId":"post-alerting-rules-backfill-schedule","parameters":[{"description":"A required header to 
protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"scheduleBackfillRequest":{"summary":"Schedule a backfill for an index threshold rule","value":[{"ranges":[{"end":"2024-01-02T00:00:00.000Z","start":"2024-01-01T00:00:00.000Z"}],"rule_id":"3583a470-74f6-11ed-9801-35303b735aef"}]}},"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"ranges":{"items":{"additionalProperties":false,"type":"object","properties":{"end":{"type":"string"},"start":{"type":"string"}},"required":["start","end"]},"type":"array"},"rule_id":{"type":"string"},"run_actions":{"type":"boolean"}},"required":["rule_id","ranges"]},"maxItems":100,"minItems":1,"type":"array"}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"scheduleBackfillResponse":{"summary":"Schedule backfill response","value":[{"created_at":"2024-01-30T00:00:00.000Z","duration":"12h","enabled":true,"id":"85bdf571-f4fb-4666-a8d2-e05e1220ebc6","initiator":"user","rule":{"api_key_owner":"elastic","consumer":"alerts","created_at":"2022-12-05T23:40:33.132Z","created_by":"elastic","enabled":true,"id":"3583a470-74f6-11ed-9801-35303b735aef","name":"my 
alert","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":["test-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"revision":0,"rule_type_id":".index-threshold","schedule":{"interval":"1m"},"tags":["cpu"],"updated_at":"2022-12-05T23:40:33.132Z","updated_by":"elastic"},"schedule":[{"interval":"12h","run_at":"2024-01-01T12:00:00.000Z","status":"pending"},{"interval":"12h","run_at":"2024-01-02T00:00:00.000Z","status":"pending"}],"space_id":"default","start":"2024-01-01T00:00:00.000Z","status":"pending"}]}},"schema":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"created_at":{"type":"string"},"duration":{"type":"string"},"enabled":{"type":"boolean"},"end":{"type":"string"},"id":{"type":"string"},"initiator":{"enum":["user","system"],"type":"string"},"initiator_id":{"type":"string"},"rule":{"additionalProperties":false,"type":"object","properties":{"api_key_created_by_user":{"nullable":true,"type":"boolean"},"api_key_owner":{"nullable":true,"type":"string"},"consumer":{"type":"string"},"created_at":{"type":"string"},"created_by":{"nullable":true,"type":"string"},"enabled":{"type":"boolean"},"id":{"type":"string"},"name":{"type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the 
rule.","type":"object"},"revision":{"type":"number"},"rule_type_id":{"type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"type":"string"}},"required":["interval"]},"tags":{"items":{"type":"string"},"type":"array"},"updated_at":{"type":"string"},"updated_by":{"nullable":true,"type":"string"}},"required":["id","name","tags","rule_type_id","params","api_key_owner","consumer","enabled","schedule","created_by","updated_by","created_at","updated_at","revision"]},"schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"interval":{"type":"string"},"run_at":{"type":"string"},"status":{"enum":["complete","pending","running","error","timeout"],"type":"string"}},"required":["run_at","status","interval"]},"type":"array"},"space_id":{"type":"string"},"start":{"type":"string"},"status":{"enum":["complete","pending","running","error","timeout"],"type":"string"}},"required":["id","created_at","duration","enabled","rule","space_id","initiator","start","status","schedule"]},{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"rule":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id"]},"status":{"type":"number"}},"required":["message","rule"]}},"required":["error"]}]},"type":"array"}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a rule with the given ID does not exist."}},"summary":"Schedule a backfill for rules","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rules\/backfill\/_schedule<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/alerting\/rules\/backfill\/{id}":{"delete":{"operationId":"delete-alerting-rules-backfill-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the backfill.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a backfill with the given ID does not exist."}},"summary":"Delete a backfill by ID","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rules\/backfill\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."},"get":{"operationId":"get-alerting-rules-backfill-id","parameters":[{"description":"The identifier for the backfill.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getBackfillResponse":{"summary":"Get a backfill for an index threshold 
rule","value":{"created_at":"2024-01-30T00:00:00.000Z","duration":"12h","enabled":true,"id":"85bdf571-f4fb-4666-a8d2-e05e1220ebc6","initiator":"user","rule":{"api_key_owner":"elastic","consumer":"alerts","created_at":"2022-12-05T23:40:33.132Z","created_by":"elastic","enabled":true,"id":"3583a470-74f6-11ed-9801-35303b735aef","name":"my alert","params":{"aggField":"sheet.version","aggType":"avg","groupBy":"top","index":["test-index"],"termField":"name.keyword","termSize":6,"threshold":[1000],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m"},"revision":0,"rule_type_id":".index-threshold","schedule":{"interval":"1m"},"tags":["cpu"],"updated_at":"2022-12-05T23:40:33.132Z","updated_by":"elastic"},"schedule":[{"interval":"12h","run_at":"2024-01-01T12:00:00.000Z","status":"pending"},{"interval":"12h","run_at":"2024-01-02T00:00:00.000Z","status":"pending"}],"space_id":"default","start":"2024-01-01T00:00:00.000Z","status":"pending"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"type":"string"},"duration":{"type":"string"},"enabled":{"type":"boolean"},"end":{"type":"string"},"id":{"type":"string"},"initiator":{"enum":["user","system"],"type":"string"},"initiator_id":{"type":"string"},"rule":{"additionalProperties":false,"type":"object","properties":{"api_key_created_by_user":{"nullable":true,"type":"boolean"},"api_key_owner":{"nullable":true,"type":"string"},"consumer":{"type":"string"},"created_at":{"type":"string"},"created_by":{"nullable":true,"type":"string"},"enabled":{"type":"boolean"},"id":{"type":"string"},"name":{"type":"string"},"params":{"additionalProperties":{"nullable":true},"description":"The parameters for the 
rule.","type":"object"},"revision":{"type":"number"},"rule_type_id":{"type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"interval":{"type":"string"}},"required":["interval"]},"tags":{"items":{"type":"string"},"type":"array"},"updated_at":{"type":"string"},"updated_by":{"nullable":true,"type":"string"}},"required":["id","name","tags","rule_type_id","params","api_key_owner","consumer","enabled","schedule","created_by","updated_by","created_at","updated_at","revision"]},"schedule":{"items":{"additionalProperties":false,"type":"object","properties":{"interval":{"type":"string"},"run_at":{"type":"string"},"status":{"enum":["complete","pending","running","error","timeout"],"type":"string"}},"required":["run_at","status","interval"]},"type":"array"},"space_id":{"type":"string"},"start":{"type":"string"},"status":{"enum":["complete","pending","running","error","timeout"],"type":"string"}},"required":["id","created_at","duration","enabled","rule","space_id","initiator","start","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a backfill with the given ID does not exist."}},"summary":"Get a backfill by ID","tags":["alerting"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/alerting\/rules\/backfill\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."}},"\/api\/apm\/agent_keys":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/apm\/agent_keys<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new agent key for APM.\nThe user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant.\nAfter it is created, you can copy the API key (Base64 encoded) and use it to authorize requests from APM agents to the APM Server.\n","operationId":"createAgentKey","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"},{"$ref":"#\/components\/parameters\/APM_UI_kbn_xsrf"}],"requestBody":{"content":{"application\/json":{"examples":{"createAgentKeyRequest1":{"$ref":"#\/components\/examples\/APM_UI_agent_keys_object_post_request1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_agent_keys_object"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"createAgentKeyResponse1":{"$ref":"#\/components\/examples\/APM_UI_agent_keys_object_post_200_response1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_agent_keys_response"}}},"description":"Agent key created successfully"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_403_response"}}},"description":"Forbidden response"},"500":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_500_response"}}},"description":"Internal Server Error response"}},"summary":"Create an APM agent key","tags":["APM agent keys"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/apm\/fleet\/apm_server_schema":{"post":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/apm\/fleet\/apm_server_schema<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404.\n","operationId":"saveApmServerSchema","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"},{"$ref":"#\/components\/parameters\/APM_UI_kbn_xsrf"}],"requestBody":{"content":{"application\/json":{"schema":{"type":"object","properties":{"schema":{"additionalProperties":true,"description":"Schema object","example":{"foo":"bar"},"type":"object"}}}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"saveApmServerSchemaResponseExample1":{"$ref":"#\/components\/examples\/APM_UI_fleet_apm_server_schema_200_response1"}},"schema":{"additionalProperties":false,"description":"The response body is intentionally empty for this endpoint.","type":"object"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_403_response"}}},"description":"Forbidden 
response"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Save APM server schema","tags":["APM server schema"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/apm\/services\/{serviceName}\/annotation":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/apm\/services\/{serviceName}\/annotation<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new annotation for a specific service.","operationId":"createAnnotation","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"},{"$ref":"#\/components\/parameters\/APM_UI_kbn_xsrf"},{"description":"The name of the service","in":"path","name":"serviceName","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createAnnotationRequest1":{"$ref":"#\/components\/examples\/APM_UI_annotation_object_post_request1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_create_annotation_object"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"createAnnotationResponse1":{"$ref":"#\/components\/examples\/APM_UI_annotation_object_post_200_response1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_create_annotation_response"}}},"description":"Annotation created successfully"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized 
response"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Create a service annotation","tags":["APM annotations"],"x-codeSamples":[{"lang":"Curl","source":"curl -X POST \\\nhttp:\/\/localhost:5601\/api\/apm\/services\/opbeans-java\/annotation \\\n-H 'Content-Type: application\/json' \\\n-H 'kbn-xsrf: true' \\\n-H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \\\n-d '{\n    \"@timestamp\": \"2020-05-08T10:31:30.452Z\",\n    \"service\": {\n        \"version\": \"1.2\"\n    },\n    \"message\": \"Deployment 1.2\"\n    }'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/apm\/services\/{serviceName}\/annotation\/search":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/apm\/services\/{serviceName}\/annotation\/search<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSearch for annotations related to a specific service.","operationId":"getAnnotation","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"},{"description":"The name of the service","in":"path","name":"serviceName","required":true,"schema":{"type":"string"}},{"description":"The environment to filter annotations by","in":"query","name":"environment","required":false,"schema":{"type":"string"}},{"description":"The start date for the search","example":"2024-01-01T00:00:00.000Z","in":"query","name":"start","required":false,"schema":{"format":"date-time","type":"string"}},{"description":"The end date for the 
search","example":"2024-01-31T23:59:59.999Z","in":"query","name":"end","required":false,"schema":{"format":"date-time","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_annotation_search_response"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized response"},"500":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_500_response"}}},"description":"Internal Server Error response"}},"summary":"Search for annotations","tags":["APM annotations"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/apm\/settings\/agent-configuration":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/apm\/settings\/agent-configuration<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an existing agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. 
When successful, the configuration is removed and, if Fleet is enabled, APM package policies are synchronized accordingly.\n","operationId":"deleteAgentConfiguration","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"},{"$ref":"#\/components\/parameters\/APM_UI_kbn_xsrf"}],"requestBody":{"content":{"application\/json":{"examples":{"deleteAgentConfigurationRequest1":{"$ref":"#\/components\/examples\/APM_UI_agent_configuration_intake_object_delete_request1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_delete_service_object"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"deleteAgentConfigurationResponseExample1":{"$ref":"#\/components\/examples\/APM_UI_agent_configuration_intake_object_delete_200_response1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_delete_agent_configurations_response"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Delete agent configuration","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/apm\/settings\/agent-configuration<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve all 
agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404.\n","operationId":"getAgentConfigurations","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentConfigurationsResponseExample1":{"$ref":"#\/components\/examples\/APM_UI_agent_configuration_intake_object_get_200_response1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_agent_configurations_response"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized response"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Get a list of agent configurations","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/apm\/settings\/agent-configuration<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. 
When successful and Fleet is enabled, APM package policies are synchronized accordingly.\n","operationId":"createUpdateAgentConfiguration","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"},{"$ref":"#\/components\/parameters\/APM_UI_kbn_xsrf"},{"description":"If the config exists ?overwrite=true is required","in":"query","name":"overwrite","schema":{"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"createUpdateAgentConfigurationRequestExample1":{"$ref":"#\/components\/examples\/APM_UI_agent_configuration_intake_object_put_request1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_agent_configuration_intake_object"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"createUpdateAgentConfigurationResponseExample1":{"$ref":"#\/components\/examples\/APM_UI_agent_configuration_intake_object_put_200_response1"}},"schema":{"additionalProperties":false,"description":"The response body is intentionally empty for this endpoint.","type":"object"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Create or update agent configuration","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/apm\/settings\/agent-configuration\/agent_name":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/apm\/settings\/agent-configuration\/agent_name<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve `agentName` for a service.","operationId":"getAgentNameForService","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"},{"description":"The name of the service","example":"node","in":"query","name":"serviceName","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_service_agent_name_response"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized response"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Get agent name for service","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/apm\/settings\/agent-configuration\/environments":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/apm\/settings\/agent-configuration\/environments<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. 
If `serviceName` is omitted, environments across all services are returned.\n","operationId":"getEnvironmentsForService","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"},{"description":"The name of the service. If omitted, environments across all services are returned.","example":"opbeans-node","in":"query","name":"serviceName","schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getEnvironmentsForServiceResponseExample1":{"$ref":"#\/components\/examples\/APM_UI_agent_configuration_environments_200_response1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_service_environments_response"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized response"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Get environments for service","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/apm\/settings\/agent-configuration\/search":{"post":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/apm\/settings\/agent-configuration\/search<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. 
It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration.\n","operationId":"searchSingleConfiguration","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"},{"$ref":"#\/components\/parameters\/APM_UI_kbn_xsrf"}],"requestBody":{"content":{"application\/json":{"examples":{"searchSingleConfigurationRequest1":{"$ref":"#\/components\/examples\/APM_UI_agent_configuration_intake_object_search_request1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_search_agent_configuration_object"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"searchSingleConfigurationResponse1":{"$ref":"#\/components\/examples\/APM_UI_agent_configuration_intake_object_search_200_response1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_search_agent_configuration_response"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized response"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Lookup single agent configuration","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/apm\/settings\/agent-configuration\/view":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/apm\/settings\/agent-configuration\/view<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve a single agent 
configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404.\n","operationId":"getSingleAgentConfiguration","parameters":[{"$ref":"#\/components\/parameters\/APM_UI_elastic_api_version"},{"description":"Service name","example":"node","in":"query","name":"name","schema":{"type":"string"}},{"description":"Service environment","example":"prod","in":"query","name":"environment","schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getSingleAgentConfigurationResponseExample1":{"$ref":"#\/components\/examples\/APM_UI_agent_configuration_intake_object_view_200_response1"}},"schema":{"$ref":"#\/components\/schemas\/APM_UI_single_agent_configuration_response"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_400_response"}}},"description":"Bad Request response"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_401_response"}}},"description":"Unauthorized response"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/APM_UI_404_response"}}},"description":"Not found response"}},"summary":"Get single agent configuration","tags":["APM agent configuration"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/asset_criticality":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/asset_criticality<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete the asset criticality record for a specific entity.","operationId":"DeleteAssetCriticalityRecord","parameters":[{"description":"The ID value of the 
asset.","example":"my_host","in":"query","name":"id_value","required":true,"schema":{"type":"string"}},{"description":"The field representing the ID.","example":"host.name","in":"query","name":"id_field","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_IdField"}},{"description":"If 'wait_for' the request will wait for the index refresh.","in":"query","name":"refresh","required":false,"schema":{"enum":["wait_for"],"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"type":"object","properties":{"deleted":{"description":"True if the record was deleted or false if the record did not exist.","type":"boolean"},"record":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityRecord","description":"The deleted record if it existed."}},"required":["deleted"]}}},"description":"Successful response"},"400":{"description":"Invalid request"}},"summary":"Delete an asset criticality record","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/asset_criticality<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the asset criticality record for a specific entity.","operationId":"GetAssetCriticalityRecord","parameters":[{"description":"The ID value of the asset.","example":"my_host","in":"query","name":"id_value","required":true,"schema":{"type":"string"}},{"description":"The field representing the 
ID.","example":"host.name","in":"query","name":"id_field","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_IdField"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityRecord"}}},"description":"Successful response"},"400":{"description":"Invalid request"},"404":{"description":"Criticality record not found"}},"summary":"Get an asset criticality record","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/asset_criticality<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate or update an asset criticality record for a specific entity.\n\nIf a record already exists for the specified entity, that record is overwritten with the specified value. 
If a record doesn't exist for the specified entity, a new record is created.\n","operationId":"CreateAssetCriticalityRecord","requestBody":{"content":{"application\/json":{"schema":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_CreateAssetCriticalityRecord"},{"type":"object","properties":{"refresh":{"description":"If 'wait_for' the request will wait for the index refresh.","enum":["wait_for"],"type":"string"}}}],"example":{"criticality_level":"high_impact","id_field":"host.name","id_value":"my_host"}}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityRecord"}}},"description":"Successful response"},"400":{"description":"Invalid request"}},"summary":"Upsert an asset criticality record","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/asset_criticality\/bulk":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/asset_criticality\/bulk<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nBulk upsert up to 1000 asset criticality records.\n\nIf asset criticality records already exist for the specified entities, those records are overwritten with the specified values. 
If asset criticality records don't exist for the specified entities, new records are created.\n","operationId":"BulkUpsertAssetCriticalityRecords","requestBody":{"content":{"application\/json":{"schema":{"example":{"records":[{"criticality_level":"low_impact","id_field":"host.name","id_value":"host-1"},{"criticality_level":"medium_impact","id_field":"host.name","id_value":"host-2"}]},"type":"object","properties":{"records":{"items":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts"},{"type":"object","properties":{"criticality_level":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload"}},"required":["criticality_level"]}]},"maxItems":1000,"minItems":1,"type":"array"}},"required":["records"]}}}},"responses":{"200":{"content":{"application\/json":{"schema":{"example":{"errors":[{"index":0,"message":"Invalid ID field"}],"stats":{"failed":1,"successful":1,"total":2}},"type":"object","properties":{"errors":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem"},"type":"array"},"stats":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats"}},"required":["errors","stats"]}}},"description":"Bulk upload successful"},"413":{"description":"File too large"}},"summary":"Bulk upsert asset criticality records","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/asset_criticality\/list":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/asset_criticality\/list<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList asset criticality records, paging, sorting and filtering as 
needed.","operationId":"FindAssetCriticalityRecords","parameters":[{"description":"The field to sort by.","in":"query","name":"sort_field","required":false,"schema":{"enum":["id_value","id_field","criticality_level","@timestamp"],"type":"string"}},{"description":"The order to sort by.","in":"query","name":"sort_direction","required":false,"schema":{"enum":["asc","desc"],"type":"string"}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"integer"}},{"description":"The number of records to return per page.","in":"query","name":"per_page","required":false,"schema":{"maximum":1000,"minimum":1,"type":"integer"}},{"description":"The kuery to filter by.","in":"query","name":"kuery","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"example":{"page":1,"per_page":10,"records":[{"@timestamp":"2024-08-02T14:40:35.705Z","asset":{"criticality":"medium_impact"},"criticality_level":"medium_impact","host":{"asset":{"criticality":"medium_impact"},"name":"my_other_host"},"id_field":"host.name","id_value":"my_other_host"},{"@timestamp":"2024-08-02T11:15:34.290Z","asset":{"criticality":"high_impact"},"criticality_level":"high_impact","host":{"asset":{"criticality":"high_impact"},"name":"my_host"},"id_field":"host.name","id_value":"my_host"}],"total":2},"type":"object","properties":{"page":{"minimum":1,"type":"integer"},"per_page":{"maximum":1000,"minimum":1,"type":"integer"},"records":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityRecord"},"type":"array"},"total":{"minimum":0,"type":"integer"}},"required":["records","page","per_page","total"]}}},"description":"Successfully retrieved asset criticality records"}},"summary":"List asset criticality records","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/_bulk":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/_bulk<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nPerforms bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert.","operationId":"PostAttackDiscoveryBulk","requestBody":{"content":{"application\/json":{"examples":{"PostAttackDiscoveryBulkRequestBodyExample":{"summary":"Acknowledge two Attack discoveries in bulk.","value":{"update":{"enable_field_rendering":false,"ids":["c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f","5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7"],"kibana_alert_workflow_status":"acknowledged","with_replacements":true}}}},"schema":{"type":"object","properties":{"update":{"description":"Configuration object containing all parameters for the bulk update operation","type":"object","properties":{"enable_field_rendering":{"default":false,"description":"Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. 
Defaults to `false`.","example":false,"type":"boolean"},"ids":{"description":"Array of Attack Discovery IDs to update","example":["c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f","5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7"],"items":{"type":"string"},"type":"array"},"kibana_alert_workflow_status":{"description":"When provided, update the kibana.alert.workflow_status of the attack discovery alerts","enum":["open","acknowledged","closed"],"example":"acknowledged","type":"string"},"visibility":{"description":"When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field","enum":["not_shared","shared"],"example":"shared","type":"string"},"with_replacements":{"default":true,"description":"When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. 
Defaults to `true`.","example":true,"type":"boolean"}},"required":["ids"]}},"required":["update"]}}},"description":"Bulk update parameters for Attack discoveries","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"PostAttackDiscoveryBulkResponse200Example":{"summary":"A successful bulk update response containing the modified Attack discoveries.","value":{"data":[{"alert_ids":["alert-abc-1"],"alert_workflow_status":"acknowledged","connector_id":"gen-ai-connector","connector_name":"OpenAI GPT-4","details_markdown":"- **Host** `workstation-01` showed credential access patterns consistent with mimikatz.","generation_uuid":"550e8400-e29b-41d4-a716-446655440000","id":"c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f","summary_markdown":"A user account was compromised using mimikatz to dump credentials.","timestamp":"2024-01-15T10:00:00.000Z","title":"Credential theft via mimikatz"}]}}},"schema":{"type":"object","properties":{"data":{"description":"Array of updated Attack Discovery alert objects. 
Each item includes the applied modifications from the bulk update request.","items":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiAlert"},"type":"array"}},"required":["data"]}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"PostAttackDiscoveryBulkResponse400Example":{"summary":"Bad Request error returned when the bulk update payload is invalid.","value":{"error":"Bad Request","message":"Invalid request parameters.","status_code":400}}},"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message describing what went wrong with the bulk update request","example":"Invalid request parameters.","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}},"required":["status_code","error","message"]}}},"description":"Bad Request response."}},"summary":"Bulk update Attack discoveries","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/attack_discovery\/_bulk' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data-raw '{\n   \"update\": {\n     \"ids\": [\n       \"c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f\",\n       \"5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7\"\n     ],\n     \"kibana_alert_workflow_status\": \"acknowledged\"\n   }\n }'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/_find<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFind Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting.","operationId":"AttackDiscoveryFind","parameters":[{"description":"Filter results to Attack discoveries that include any of the provided alert IDs","in":"query","name":"alert_ids","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. \"GPT-5 Chat\", which are distinct from `connector_id` values used to generate Attack discoveries.","in":"query","name":"connector_names","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`.","example":false,"in":"query","name":"enable_field_rendering","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. 
\"now\", \"now-24h\").","example":"now","in":"query","name":"end","required":false,"schema":{"type":"string"}},{"description":"Filter results to the Attack discoveries with the specified IDs","in":"query","name":"ids","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries","example":false,"in":"query","name":"include_unique_alert_ids","required":false,"schema":{"type":"boolean"}},{"description":"Page number to return (used for pagination). Defaults to 1.","example":1,"in":"query","name":"page","required":false,"schema":{"default":1,"minimum":1,"type":"integer"}},{"description":"Number of Attack discoveries to return per page (used for pagination). Defaults to 10.","example":10,"in":"query","name":"per_page","required":false,"schema":{"default":10,"minimum":1,"type":"integer"}},{"description":"Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.)","example":"","in":"query","name":"search","required":false,"schema":{"type":"string"}},{"description":"Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use `true` to return only shared discoveries, `false` to return only those visible to the current user.","in":"query","name":"shared","required":false,"schema":{"type":"boolean"}},{"description":"Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries.","in":"query","name":"scheduled","required":false,"schema":{"type":"boolean"}},{"description":"Field used to sort results. 
See `AttackDiscoveryFindSortField` for allowed values.","example":"@timestamp","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryFindSortField","default":"@timestamp"}},{"description":"Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`.","example":"desc","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_SortOrder","default":"desc"}},{"description":"Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. \"now-7d\").","example":"now-24h","in":"query","name":"start","required":false,"schema":{"type":"string"}},{"description":"Filter by alert workflow status. Provide one or more of the allowed workflow states.","example":["open","acknowledged"],"in":"query","name":"status","required":false,"schema":{"items":{"enum":["acknowledged","closed","open"],"type":"string"},"type":"array"}},{"description":"When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`.","example":true,"in":"query","name":"with_replacements","required":false,"schema":{"default":true,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"AttackDiscoveryFindResponse200Example":{"summary":"Paginated list of Attack discoveries matching the search criteria.","value":{"connector_names":["GPT-5 Chat"],"data":[{"connector_name":"GPT-5 Chat","id":"c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f","title":"Suspicious process execution on host-01"}],"page":1,"per_page":10,"total":1,"unique_alert_ids_count":0}}},"schema":{"type":"object","properties":{"connector_names":{"description":"List of human readable connector names that are present in the matched Attack discoveries. 
Useful for building client filters or summaries.","items":{"type":"string"},"type":"array"},"data":{"description":"Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema.","items":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiAlert"},"type":"array"},"page":{"description":"Current page number of the paginated result set.","type":"integer"},"per_page":{"description":"Number of items requested per page.","type":"integer"},"total":{"description":"Total number of Attack discoveries matching the query (across all pages).","type":"integer"},"unique_alert_ids":{"description":"List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request.","items":{"type":"string"},"type":"array"},"unique_alert_ids_count":{"description":"Number of unique alert IDs across all matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request.","type":"integer"}},"required":["connector_names","data","page","per_page","total","unique_alert_ids_count"]}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"AttackDiscoveryFindResponse400Example":{"summary":"Bad Request error returned when find query parameters are invalid.","value":{"error":"Bad Request","message":"Invalid request payload.","status_code":400}}},"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message","example":"Invalid request payload.","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Find Attack discoveries that match the search criteria","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 
'http:\/\/localhost:5601\/api\/attack_discovery\/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/_generate":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/_generate<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInitiates the generation of attack discoveries by analyzing security alerts using AI. Returns an execution UUID that can be used to track the generation progress and retrieve results. Results may also be retrieved via the find endpoint.","operationId":"PostAttackDiscoveryGenerate","requestBody":{"content":{"application\/json":{"examples":{"PostAttackDiscoveryGenerateRequestBodyExample":{"summary":"Generate Attack discoveries from alerts in the last 24 hours.","value":{"alertsIndexPattern":".alerts-security.alerts-default","anonymizationFields":[{"allowed":true,"anonymized":true,"field":"host.name"},{"allowed":true,"anonymized":true,"field":"user.name"},{"allowed":true,"anonymized":false,"field":"process.name"}],"apiConfig":{"actionTypeId":".gen-ai","connectorId":"12345678-1234-1234-1234-123456789012"},"connectorName":"GPT-5 Chat","end":"now","replacements":{},"size":100,"start":"now-24h","subAction":"invokeAI"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryGenerationConfig"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"PostAttackDiscoveryGenerateResponse200Example":{"summary":"Generation started; use the returned execution UUID to 
track progress.","value":{"execution_uuid":"edd26039-0990-4d9f-9829-2a1fcacb77b5"}}},"schema":{"type":"object","properties":{"execution_uuid":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString","description":"The unique identifier for the attack discovery generation process. Use this UUID to track the generation progress and retrieve results via the find endpoint.","example":"edd26039-0990-4d9f-9829-2a1fcacb77b5"}},"required":["execution_uuid"]}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"PostAttackDiscoveryGenerateResponse400Example":{"summary":"Bad Request error returned when the generate payload is invalid.","value":{"error":"Bad Request","message":"Invalid request parameters.","status_code":400}}},"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message describing what went wrong","example":"Invalid request parameters.","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}},"required":["status_code","error","message"]}}},"description":"Bad Request response."}},"summary":"Generate attack discoveries from alerts","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/attack_discovery\/_generate' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\n    \"alertsIndexPattern\": \".alerts-security.alerts-default\",\n    \"anonymizationFields\": [\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"@timestamp\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"aKiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        
\"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.feature\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"saiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.data\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"sqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.entropy\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"s6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.extension\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"tKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.metrics\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"taiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.operation\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"tqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        
\"field\": \"Ransomware.files.path\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"t6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.files.score\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"uKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"Ransomware.version\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"uaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"_id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"Z6iJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"agent.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"aaiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"cloud.availability_zone\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"aqiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"cloud.provider\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": 
\"a6iJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"cloud.region\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"bKiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"destination.ip\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"baiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"dns.question.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"bqiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"dns.question.type\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"b6iJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"event.category\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"cKiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"event.dataset\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"caiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        
\"field\": \"event.module\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"cqiJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"event.outcome\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"c6iJW5gB4U27o8XO8oLf\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"file.Ext.original.path\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"dKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"file.hash.sha256\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"daiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"file.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"dqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"file.path\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"d6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"group.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"eKiJW5gB4U27o8XO8oLg\"\n  
    },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"group.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"eaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.asset.criticality\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"eqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.name\",\n        \"allowed\": true,\n        \"anonymized\": true,\n        \"namespace\": \"default\",\n        \"id\": \"e6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.os.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"fKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.os.version\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"faiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"host.risk.calculated_level\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"fqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": 
\"host.risk.calculated_score_norm\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"f6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.original_time\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"gKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.risk_score\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"gaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.description\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"gqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"g6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.references\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"hKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.framework\",\n        \"allowed\": true,\n        
\"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"haiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.tactic.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"hqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.tactic.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"h6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.tactic.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"iKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"iaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"iqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.reference\",\n        \"allowed\": true,\n        \"anonymized\": 
false,\n        \"namespace\": \"default\",\n        \"id\": \"i6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.subtechnique.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"jKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.subtechnique.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"jaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.rule.threat.technique.subtechnique.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"jqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.severity\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"j6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"kibana.alert.workflow_status\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"kKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"message\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": 
\"default\",\n        \"id\": \"kaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"network.protocol\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"kqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.Ext.memory_region.bytes_compressed_present\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"nKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.Ext.memory_region.malware_signature.all_names\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"naiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.Ext.memory_region.malware_signature.primary.matches\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"nqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.Ext.memory_region.malware_signature.primary.signature.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"n6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.Ext.token.integrity_level_name\",\n        \"allowed\": true,\n        
\"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"oKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.args\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"k6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.code_signature.exists\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"lKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.code_signature.signing_id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"laiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.code_signature.status\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"lqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.code_signature.subject_name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"l6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.code_signature.trusted\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": 
\"mKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.command_line\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"maiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.executable\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"mqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.exit_code\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"m6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.hash.md5\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"oaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.hash.sha1\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"oqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.hash.sha256\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"o6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": 
\"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"pKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.args\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"paiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.args_count\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"pqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.code_signature.exists\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"p6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.code_signature.status\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"qKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.code_signature.subject_name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"qaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": 
\"process.parent.code_signature.trusted\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"qqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.command_line\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"q6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.executable\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"rKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.parent.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"raiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.pe.original_file_name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"rqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.pid\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"r6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"process.working_directory\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        
\"namespace\": \"default\",\n        \"id\": \"sKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"rule.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"uqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"rule.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"u6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"source.ip\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"vKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.framework\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"vaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.tactic.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"vqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.tactic.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"v6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        
\"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.tactic.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"wKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"waiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"wqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"w6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.subtechnique.id\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"xKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"threat.technique.subtechnique.name\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"xaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": 
\"threat.technique.subtechnique.reference\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"xqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.asset.criticality\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"x6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.domain\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"yKiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.name\",\n        \"allowed\": true,\n        \"anonymized\": true,\n        \"namespace\": \"default\",\n        \"id\": \"yaiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.risk.calculated_level\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"yqiJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.risk.calculated_score_norm\",\n        \"allowed\": true,\n        \"anonymized\": false,\n        \"namespace\": \"default\",\n        \"id\": \"y6iJW5gB4U27o8XO8oLg\"\n      },\n      {\n        \"timestamp\": \"2025-07-30T13:33:44.029Z\",\n        \"createdAt\": \"2025-07-30T13:33:44.029Z\",\n        \"field\": \"user.target.name\",\n        \"allowed\": true,\n        \"anonymized\": true,\n        \"namespace\": 
\"default\",\n        \"id\": \"zKiJW5gB4U27o8XO8oLg\"\n      }\n    ],\n    \"replacements\": {},\n    \"size\": 100,\n    \"subAction\": \"invokeAI\",\n    \"apiConfig\": {\n      \"connectorId\": \"12345678-1234-1234-1234-123456789012\",\n      \"actionTypeId\": \".gen-ai\"\n    },\n    \"connectorName\": \"GPT-5 Chat\",\n    \"end\": \"now\",\n    \"start\": \"now-24h\"\n  }'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/generations":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/generations<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the latest Attack Discovery generations metadata (that are not dismissed) for the current user. This endpoint retrieves generation metadata including execution status and statistics for Attack Discovery generations.","operationId":"GetAttackDiscoveryGenerations","parameters":[{"description":"End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. \"now\", \"now-24h\").","example":"now","in":"query","name":"end","required":false,"schema":{"type":"string"}},{"description":"The maximum number of generations to retrieve","example":50,"in":"query","name":"size","required":false,"schema":{"default":50,"minimum":1,"type":"number"}},{"description":"Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. 
\"now-7d\").","example":"now-24h","in":"query","name":"start","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"GetAttackDiscoveryGenerationsResponse200Example":{"summary":"Latest Attack Discovery generation metadata for the current user.","value":{"generations":[{"alerts_context_count":75,"connector_id":"chatGpt5_0ChatAzure","discoveries":3,"end":"2025-09-29T06:42:44.810Z","execution_uuid":"46b218d5-535d-4329-be56-d0f6af6986b7","loading_message":"AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.","start":"2025-09-29T06:42:08.962Z","status":"succeeded"}]}}},"schema":{"type":"object","properties":{"generations":{"description":"List of Attack Discovery generations","items":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryGeneration"},"type":"array"}},"required":["generations"]}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"GetAttackDiscoveryGenerationsResponse400Example":{"summary":"Bad Request error returned when the size parameter is invalid.","value":{"error":"Bad Request","message":"Invalid size parameter. Must be a positive number.","status_code":400}}},"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message","example":"Invalid size parameter. 
Must be a positive number.","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Get the latest Attack Discovery generations metadata for the current user","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/attack_discovery\/generations?size=50&start=now-24h&end=now' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/generations\/{execution_uuid}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/generations\/{execution_uuid}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReturns a specific Attack Discovery generation, including all generated Attack discoveries and associated metadata, including execution status and statistics.","operationId":"GetAttackDiscoveryGeneration","parameters":[{"description":"The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation.","example":"2e13f386-46cf-4d65-9e2b-68609e132ba5","in":"path","name":"execution_uuid","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString"}},{"description":"Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. 
Defaults to `false`.","example":false,"in":"query","name":"enable_field_rendering","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`.","example":true,"in":"query","name":"with_replacements","required":false,"schema":{"default":true,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"GetAttackDiscoveryGenerationResponse200Example":{"summary":"Single Attack Discovery generation with its discoveries and metadata.","value":{"data":[{"id":"c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f","title":"Suspicious process execution on host-01"}],"generation":{"alerts_context_count":50,"discoveries":1,"end":"2025-09-29T06:42:44.810Z","execution_uuid":"2e13f386-46cf-4d65-9e2b-68609e132ba5","start":"2025-09-29T06:42:08.962Z","status":"succeeded"}}}},"schema":{"type":"object","properties":{"data":{"description":"Array of Attack discoveries generated during this execution.","items":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiAlert"},"type":"array"},"generation":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryGeneration","description":"Optional metadata about the attack discovery generation process, including execution status and statistics.
This metadata may not be available for all generations."}},"required":["data"]}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"GetAttackDiscoveryGenerationResponse400Example":{"summary":"Bad Request error returned when the get-generation request is invalid.","value":{"error":"Bad Request","message":"Invalid request parameters.","status_code":400}}},"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message describing what went wrong with the request","example":"Invalid request parameters.","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}},"required":["status_code","error","message"]}}},"description":"Bad Request response."}},"summary":"Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/attack_discovery\/generations\/2e13f386-46cf-4d65-9e2b-68609e132ba5' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/generations\/{execution_uuid}\/_dismiss":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/generations\/{execution_uuid}\/_dismiss<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. 
This sets the generation's status to \"dismissed\" and affects how the generation appears in subsequent queries.","operationId":"PostAttackDiscoveryGenerationsDismiss","parameters":[{"description":"The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses.","example":"46b218d5-535d-4329-be56-d0f6af6986b7","in":"path","name":"execution_uuid","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"PostAttackDiscoveryGenerationsDismissResponse200Example":{"summary":"Successfully dismissed an Attack Discovery generation.","value":{"alerts_context_count":75,"connector_id":"chatGpt5_0ChatAzure","discoveries":3,"end":"2025-09-29T06:42:44.810Z","execution_uuid":"46b218d5-535d-4329-be56-d0f6af6986b7","loading_message":"AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.","start":"2025-09-29T06:42:08.962Z","status":"dismissed"}}},"schema":{"type":"object","properties":{"alerts_context_count":{"description":"The number of alerts that were sent as context to the LLM for this generation.","example":75,"type":"number"},"connector_id":{"description":"The unique identifier of the connector used to generate the attack discoveries.","example":"chatGpt5_0ChatAzure","type":"string"},"connector_stats":{"description":"Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates.","type":"object","properties":{"average_successful_duration_nanoseconds":{"description":"The average duration in nanoseconds for successful generations using this connector by the current user.","example":47958500000,"type":"number"},"successful_generations":{"description":"The total number of Attack discoveries successfully created for this 
generation","example":2,"type":"number"}}},"discoveries":{"description":"The number of attack discoveries that were generated during this execution.","example":3,"type":"number"},"end":{"description":"The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished.","example":"2025-09-29T06:42:44.810Z","type":"string"},"execution_uuid":{"description":"The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls.","example":"46b218d5-535d-4329-be56-d0f6af6986b7","type":"string"},"loading_message":{"description":"A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing.","example":"AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.","type":"string"},"reason":{"description":"Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process.","example":"Connection timeout to AI service","type":"string"},"start":{"description":"The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis.","example":"2025-09-29T06:42:08.962Z","type":"string"},"status":{"description":"The current status of the attack discovery generation. 
After dismissing, this will be set to \"dismissed\".","enum":["canceled","dismissed","failed","started","succeeded"],"example":"dismissed","type":"string"}},"required":["connector_id","discoveries","execution_uuid","loading_message","start","status"]}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"PostAttackDiscoveryGenerationsDismissResponse400Example":{"summary":"Bad Request error returned when the dismiss request is invalid.","value":{"error":"Bad Request","message":"Invalid request parameters.","status_code":400}}},"schema":{"type":"object","properties":{"error":{"description":"Error type or category","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message describing what went wrong with the request.","example":"Invalid request parameters.","type":"string"},"status_code":{"description":"HTTP status code indicating the type of client error","example":400,"type":"number"}},"required":["status_code","error","message"]}}},"description":"Bad Request response."}},"summary":"Dismiss an Attack Discovery generation","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/attack_discovery\/generations\/46b218d5-535d-4329-be56-d0f6af6986b7\/_dismiss' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/schedules":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/schedules<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreates a new Attack Discovery schedule that analyzes security alerts at 
specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found.","operationId":"CreateAttackDiscoverySchedules","requestBody":{"content":{"application\/json":{"examples":{"CreateAttackDiscoverySchedulesRequestBodyExample":{"summary":"Create a daily Attack Discovery schedule that runs every 24 hours.","value":{"actions":[],"enabled":true,"name":"Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":100,"start":"now-24h"},"schedule":{"interval":"24h"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps"}}},"description":"Attack Discovery schedule configuration including name, parameters, schedule interval, and actions","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"CreateAttackDiscoverySchedulesResponse200Example":{"summary":"A newly created Attack Discovery schedule.","value":{"actions":[],"created_at":"2023-10-31T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"12345678-1234-1234-1234-123456789012","name":"Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":100,"start":"now-24h"},"schedule":{"interval":"24h"},"updated_at":"2023-10-31T10:00:00.000Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiSchedule"}}},"description":"The Attack Discovery schedule was successfully created."},"400":{"content":{"application\/json":{"examples":{"CreateAttackDiscoverySchedulesResponse400Example":{"summary":"Bad Request error returned when the create 
schedule payload is invalid.","value":{"error":"Bad Request","message":"Invalid request parameters.","status_code":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Bad Request response."}},"summary":"Create Attack Discovery schedule","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Create an Attack Discovery schedule","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/attack_discovery\/schedules' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\n   \"name\": \"Daily Security Analysis\",\n   \"enabled\": true,\n   \"params\": {\n     \"alerts_index_pattern\": \".alerts-security.alerts-default\",\n     \"api_config\": {\n       \"actionTypeId\": \"bedrock\",\n       \"connectorId\": \"my-bedrock-connector\",\n       \"name\": \"Claude 3.5 Sonnet\"\n     },\n     \"size\": 100,\n     \"start\": \"now-24h\",\n     \"end\": \"now\"\n   },\n   \"schedule\": {\n     \"interval\": \"24h\"\n   },\n   \"actions\": [\n      {\n         \"action_type_id\": \".cases\",\n         \"id\": \"system-connector-.cases\",\n         \"params\": {\n           \"subAction\": \"run\",\n           \"subActionParams\": {\n             \"timeWindow\": \"7d\",\n             \"reopenClosedCases\": false,\n             \"groupingBy\": [],\n             \"templateId\": null\n           }\n         },\n         \"uuid\": \"12345678-1234-1234-1234-123456789012\"\n       }\n   ]\n }'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/schedules\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/schedules\/_find<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFind Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields.","operationId":"FindAttackDiscoverySchedules","parameters":[{"description":"Page number to return (used for pagination). Defaults to 1.","example":1,"in":"query","name":"page","required":false,"schema":{"type":"number"}},{"description":"Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10.","example":10,"in":"query","name":"per_page","required":false,"schema":{"type":"number"}},{"description":"Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'.","example":"name","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString"}},{"description":"Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'.","example":"asc","in":"query","name":"sort_direction","required":false,"schema":{"enum":["asc","desc"],"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"FindAttackDiscoverySchedulesResponse200Example":{"summary":"Paginated list of Attack Discovery schedules matching the search criteria.","value":{"data":[{"actions":[],"created_at":"2023-10-31T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"12345678-1234-1234-1234-123456789012","name":"Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":100,"start":"now-24h"},"schedule":{"interval":"24h"},"updated_at":"2023-10-31T10:00:00.000Z","updated_by":"elastic"}],"page":1,"per_page":10,"total":1}}},"schema":{"type":"object","properties":{"data":{"description":"Array of matched Attack Discovery schedule 
objects.","items":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiSchedule"},"type":"array"},"page":{"description":"Current page number of the paginated result set.","type":"number"},"per_page":{"description":"Number of items requested per page.","type":"number"},"total":{"description":"Total number of Attack Discovery schedules matching the query (across all pages).","type":"number"}},"required":["page","per_page","total","data"]}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"FindAttackDiscoverySchedulesResponse400Example":{"summary":"Bad Request error returned when find-schedules query parameters are invalid.","value":{"error":"Bad Request","message":"Invalid request payload.","status_code":400}}},"schema":{"type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message","example":"Invalid request payload.","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Find Attack Discovery schedules that match the search criteria","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/attack_discovery\/schedules\/_find' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/schedules\/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/schedules\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\nPermanently deletes an Attack Discovery schedule and all associated configuration.","operationId":"DeleteAttackDiscoverySchedules","parameters":[{"description":"The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings.","example":"12345678-1234-1234-1234-123456789012","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"DeleteAttackDiscoverySchedulesResponse200Example":{"summary":"Confirmation returned after deleting an Attack Discovery schedule.","value":{"id":"12345678-1234-1234-1234-123456789012"}}},"schema":{"type":"object","properties":{"id":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString","description":"The unique identifier of the deleted Attack Discovery schedule"}},"required":["id"]}}},"description":"Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation"},"400":{"content":{"application\/json":{"examples":{"DeleteAttackDiscoverySchedulesResponse400Example":{"summary":"Bad Request error returned when the delete schedule request is invalid.","value":{"error":"Bad Request","message":"Invalid request parameters.","status_code":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Bad Request response."}},"summary":"Delete Attack Discovery schedule","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Delete an Attack Discovery schedule","lang":"curl","source":"curl \\\n --request DELETE 'http:\/\/localhost:5601\/api\/attack_discovery\/schedules\/12345678-1234-1234-1234-123456789012' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/schedules\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieves a specific Attack Discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history.","operationId":"GetAttackDiscoverySchedules","parameters":[{"description":"The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings.","example":"12345678-1234-1234-1234-123456789012","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"GetAttackDiscoverySchedulesResponse200Example":{"summary":"An Attack Discovery schedule retrieved by ID, including last execution metadata.","value":{"actions":[],"created_at":"2023-10-31T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"12345678-1234-1234-1234-123456789012","last_execution":{"date":"2023-10-31T10:00:00.000Z","last_duration":45.2,"status":"ok"},"name":"Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":100,"start":"now-24h"},"schedule":{"interval":"24h"},"updated_at":"2023-10-31T10:00:00.000Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiSchedule"}}},"description":"Successfully retrieved Attack Discovery schedule with complete configuration and 
metadata"},"400":{"content":{"application\/json":{"examples":{"GetAttackDiscoverySchedulesResponse400Example":{"summary":"Bad Request error returned when the get-schedule request is invalid.","value":{"error":"Bad Request","message":"Invalid request parameters.","status_code":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Bad Request response."}},"summary":"Get Attack Discovery schedule by ID","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Get an Attack Discovery schedule by ID","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/attack_discovery\/schedules\/12345678-1234-1234-1234-123456789012' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/schedules\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdates an existing Attack Discovery schedule with new configuration. All schedule properties can be modified including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values.","operationId":"UpdateAttackDiscoverySchedules","parameters":[{"description":"The unique identifier (UUID) of the Attack Discovery schedule to update. 
This ID is returned when creating a schedule and can be found in schedule listings.","example":"12345678-1234-1234-1234-123456789012","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString"}}],"requestBody":{"content":{"application\/json":{"examples":{"UpdateAttackDiscoverySchedulesRequestBodyExample":{"summary":"Update an Attack Discovery schedule to run every 12 hours over a 48-hour window.","value":{"actions":[],"name":"Updated Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":200,"start":"now-48h"},"schedule":{"interval":"12h"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps"}}},"description":"Updated Attack Discovery schedule configuration. All fields are required as this replaces the entire schedule configuration.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"UpdateAttackDiscoverySchedulesResponse200Example":{"summary":"An Attack Discovery schedule after being updated.","value":{"actions":[],"created_at":"2023-10-31T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"12345678-1234-1234-1234-123456789012","name":"Updated Daily Security Analysis","params":{"alerts_index_pattern":".alerts-security.alerts-default","api_config":{"actionTypeId":"bedrock","connectorId":"my-bedrock-connector","name":"Claude 3.5 Sonnet"},"end":"now","size":200,"start":"now-48h"},"schedule":{"interval":"12h"},"updated_at":"2023-10-31T12:00:00.000Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiSchedule"}}},"description":"Successfully updated Attack Discovery schedule with the new configuration and 
metadata"},"400":{"content":{"application\/json":{"examples":{"UpdateAttackDiscoverySchedulesResponse400Example":{"summary":"Bad Request error returned when the update schedule payload is invalid.","value":{"error":"Bad Request","message":"Invalid request parameters.","status_code":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Bad Request response."}},"summary":"Update Attack Discovery schedule","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Update an Attack Discovery schedule","lang":"curl","source":"curl \\\n --request PUT 'http:\/\/localhost:5601\/api\/attack_discovery\/schedules\/12345678-1234-1234-1234-123456789012' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\n   \"name\": \"Updated Daily Security Analysis\",\n   \"params\": {\n     \"alerts_index_pattern\": \".alerts-security.alerts-default\",\n     \"api_config\": {\n       \"actionTypeId\": \"bedrock\",\n       \"connectorId\": \"my-bedrock-connector\",\n       \"name\": \"Claude 3.5 Sonnet\"\n     },\n     \"size\": 200,\n     \"start\": \"now-48h\",\n     \"end\": \"now\"\n   },\n   \"schedule\": {\n     \"interval\": \"12h\"\n   },\n   \"actions\": []\n }'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/schedules\/{id}\/_disable":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/schedules\/{id}\/_disable<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDisables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. 
Any currently running executions will complete, but no new executions will be started.","operationId":"DisableAttackDiscoverySchedules","parameters":[{"description":"The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings.","example":"12345678-1234-1234-1234-123456789012","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"DisableAttackDiscoverySchedulesResponse200Example":{"summary":"Confirmation returned after disabling an Attack Discovery schedule.","value":{"id":"12345678-1234-1234-1234-123456789012"}}},"schema":{"type":"object","properties":{"id":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString","description":"The unique identifier of the disabled Attack Discovery schedule"}},"required":["id"]}}},"description":"Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation"},"400":{"content":{"application\/json":{"examples":{"DisableAttackDiscoverySchedulesResponse400Example":{"summary":"Bad Request error returned when the disable schedule request is invalid.","value":{"error":"Bad Request","message":"Invalid request parameters.","status_code":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Bad Request response."}},"summary":"Disable Attack Discovery schedule","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Disable an Attack Discovery schedule","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/attack_discovery\/schedules\/12345678-1234-1234-1234-123456789012\/_disable' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/attack_discovery\/schedules\/{id}\/_enable":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/attack_discovery\/schedules\/{id}\/_enable<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nEnables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration.","operationId":"EnableAttackDiscoverySchedules","parameters":[{"description":"The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings.","example":"12345678-1234-1234-1234-123456789012","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"EnableAttackDiscoverySchedulesResponse200Example":{"summary":"Confirmation returned after enabling an Attack Discovery schedule.","value":{"id":"12345678-1234-1234-1234-123456789012"}}},"schema":{"type":"object","properties":{"id":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString","description":"The unique identifier of the enabled Attack Discovery schedule"}},"required":["id"]}}},"description":"Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation"},"400":{"content":{"application\/json":{"examples":{"EnableAttackDiscoverySchedulesResponse400Example":{"summary":"Bad Request error returned when the enable schedule request is invalid.","value":{"error":"Bad Request","message":"Invalid request 
parameters.","status_code":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryGenericError"}}},"description":"Bad Request response."}},"summary":"Enable Attack Discovery schedule","tags":["Security Attack discovery API"],"x-codeSamples":[{"label":"Enable an Attack Discovery schedule","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/attack_discovery\/schedules\/12345678-1234-1234-1234-123456789012\/_enable' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/data_views":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve a list of all data views. 
Use this endpoint to identify available data views in the current Kibana space.\n","operationId":"getAllDataViewsDefault","responses":{"200":{"content":{"application\/json":{"examples":{"getAllDataViewsResponse":{"$ref":"#\/components\/examples\/Data_views_get_data_views_response"}},"schema":{"type":"object","properties":{"data_view":{"items":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"type":"array"},"title":{"type":"string"},"typeMeta":{"type":"object"}}},"type":"array"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Get all data views","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/data_views\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/data_views\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/data_views\/data_view":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/data_view<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a data view. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. 
To learn more, refer to the [data views documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/find-and-organize\/data-views).\n","operationId":"createDataViewDefaultw","parameters":[{"$ref":"#\/components\/parameters\/Data_views_kbn_xsrf"}],"requestBody":{"content":{"application\/json":{"examples":{"createDataViewRequest":{"$ref":"#\/components\/examples\/Data_views_create_data_view_request"}},"schema":{"$ref":"#\/components\/schemas\/Data_views_create_data_view_request_object"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_data_view_response_object"}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Create a data view","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/data_views\/data_view\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"data_view\":{\"title\":\"logstash-*\",\"name\":\"My Logstash data view\"}}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/data_views\/data_view\n{\"data_view\":{\"title\":\"logstash-*\",\"name\":\"My Logstash data view\"}}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/data_views\/data_view\/{viewId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/data_view\/{viewId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a data view by its identifier. 
WARNING: When you delete a data view, it cannot be recovered.\n","operationId":"deleteDataViewDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_kbn_xsrf"},{"$ref":"#\/components\/parameters\/Data_views_view_id"}],"responses":{"204":{"description":"Indicates a successful call."},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_404_response"}}},"description":"Object is not found."}},"summary":"Delete a data view","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}\/api\/data_views\/data_view\/${DATA_VIEW_ID}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE kbn:\/\/api\/data_views\/data_view\/{viewId}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/data_view\/{viewId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve a single data view by its identifier. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. 
To learn more, refer to the [data views documentation](https:\/\/www.elastic.co\/docs\/explore-analyze\/find-and-organize\/data-views).\n","operationId":"getDataViewDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_view_id"}],"responses":{"200":{"content":{"application\/json":{"examples":{"getDataViewResponse":{"$ref":"#\/components\/examples\/Data_views_get_data_view_response"}},"schema":{"$ref":"#\/components\/schemas\/Data_views_data_view_response_object"}}},"description":"Indicates a successful call."},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_404_response"}}},"description":"Object is not found."}},"summary":"Get a data view","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/data_views\/data_view\/${DATA_VIEW_ID}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/data_views\/data_view\/{viewId}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/data_view\/{viewId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an existing data view. 
Only the fields provided in the request body are updated.\n","operationId":"updateDataViewDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_kbn_xsrf"},{"$ref":"#\/components\/parameters\/Data_views_view_id"}],"requestBody":{"content":{"application\/json":{"examples":{"updateDataViewRequest":{"$ref":"#\/components\/examples\/Data_views_update_data_view_request"}},"schema":{"$ref":"#\/components\/schemas\/Data_views_update_data_view_request_object"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_data_view_response_object"}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Update a data view","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/data_views\/data_view\/${DATA_VIEW_ID}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"data_view\":{\"name\":\"Updated data view name\"}}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/data_views\/data_view\/{viewId}\n{\"data_view\":{\"name\":\"Updated data view name\"}}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/data_views\/data_view\/{viewId}\/fields":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/data_view\/{viewId}\/fields<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate field metadata for a data view. 
Use this endpoint to set custom labels, custom descriptions, and format overrides for individual fields.\n","operationId":"updateFieldsMetadataDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_kbn_xsrf"},{"$ref":"#\/components\/parameters\/Data_views_view_id"}],"requestBody":{"content":{"application\/json":{"examples":{"updateFieldsMetadataRequest":{"$ref":"#\/components\/examples\/Data_views_update_field_metadata_request"}},"schema":{"type":"object","properties":{"fields":{"description":"The field object.","type":"object"}},"required":["fields"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"type":"object","properties":{"acknowledged":{"type":"boolean"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Update field metadata","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/data_views\/data_view\/${DATA_VIEW_ID}\/fields\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"fields\":{\"field_name\":{\"customLabel\":\"My custom label\"}}}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/data_views\/data_view\/{viewId}\/fields\n{\"fields\":{\"field_name\":{\"customLabel\":\"My custom label\"}}}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/data_views\/data_view\/{viewId}\/runtime_field":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/data_view\/{viewId}\/runtime_field<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a runtime field for a data view. 
Runtime fields are computed at query time using a [Painless script](https:\/\/www.elastic.co\/docs\/explore-analyze\/scripting\/modules-scripting-painless) and do not require reindexing. If no `script` is provided, the runtime field returns the corresponding value from the document `_source`.\n","operationId":"createRuntimeFieldDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_kbn_xsrf"},{"$ref":"#\/components\/parameters\/Data_views_view_id"}],"requestBody":{"content":{"application\/json":{"examples":{"createRuntimeFieldRequest":{"$ref":"#\/components\/examples\/Data_views_create_runtime_field_request"}},"schema":{"type":"object","properties":{"name":{"description":"The name for a runtime field.\n","type":"string"},"runtimeField":{"description":"The runtime field definition object.\n","type":"object"}},"required":["name","runtimeField"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"type":"object"}}},"description":"Indicates a successful call."}},"summary":"Create a runtime field","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/data_views\/data_view\/${DATA_VIEW_ID}\/runtime_field\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"name\":\"hour_of_day\",\"runtimeField\":{\"type\":\"long\",\"script\":{\"source\":\"emit(doc['\"'\"'timestamp'\"'\"'].value.getHour())\"}}}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/data_views\/data_view\/{viewId}\/runtime_field\n{\"name\":\"hour_of_day\",\"runtimeField\":{\"type\":\"long\",\"script\":{\"source\":\"emit(doc['timestamp'].value.getHour())\"}}}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/data_view\/{viewId}\/runtime_field<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate or update a runtime field for a data view. If the runtime field already exists, it is replaced with the new definition.\n","operationId":"createUpdateRuntimeFieldDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_kbn_xsrf"},{"description":"The ID of the data view fields you want to update.\n","in":"path","name":"viewId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"updateRuntimeFieldRequest":{"$ref":"#\/components\/examples\/Data_views_create_runtime_field_request"}},"schema":{"type":"object","properties":{"name":{"description":"The name for a runtime field.\n","type":"string"},"runtimeField":{"description":"The runtime field definition object.\n","type":"object"}},"required":["name","runtimeField"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"type":"object","properties":{"data_view":{"type":"object"},"fields":{"items":{"type":"object"},"type":"array"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Create or update a runtime field","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X PUT \"${KIBANA_URL}\/api\/data_views\/data_view\/${DATA_VIEW_ID}\/runtime_field\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"name\":\"hour_of_day\",\"runtimeField\":{\"type\":\"long\",\"script\":{\"source\":\"emit(doc['\"'\"'timestamp'\"'\"'].value.getHour())\"}}}'\n"},{"lang":"Console","source":"PUT 
kbn:\/\/api\/data_views\/data_view\/{viewId}\/runtime_field\n{\"name\":\"hour_of_day\",\"runtimeField\":{\"type\":\"long\",\"script\":{\"source\":\"emit(doc['timestamp'].value.getHour())\"}}}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/data_views\/data_view\/{viewId}\/runtime_field\/{fieldName}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/data_view\/{viewId}\/runtime_field\/{fieldName}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a runtime field from a data view.\n","operationId":"deleteRuntimeFieldDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_field_name"},{"$ref":"#\/components\/parameters\/Data_views_view_id"}],"responses":{"200":{"description":"Indicates a successful call."},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_404_response"}}},"description":"Object is not found."}},"summary":"Delete a runtime field","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}\/api\/data_views\/data_view\/${DATA_VIEW_ID}\/runtime_field\/${FIELD_NAME}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE kbn:\/\/api\/data_views\/data_view\/{viewId}\/runtime_field\/{fieldName}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/data_view\/{viewId}\/runtime_field\/{fieldName}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\nRetrieve a single runtime field by name from a data view.\n","operationId":"getRuntimeFieldDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_field_name"},{"$ref":"#\/components\/parameters\/Data_views_view_id"}],"responses":{"200":{"content":{"application\/json":{"examples":{"getRuntimeFieldResponse":{"$ref":"#\/components\/examples\/Data_views_get_runtime_field_response"}},"schema":{"type":"object","properties":{"data_view":{"type":"object"},"fields":{"items":{"type":"object"},"type":"array"}}}}},"description":"Indicates a successful call."},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_404_response"}}},"description":"Object is not found."}},"summary":"Get a runtime field","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/data_views\/data_view\/${DATA_VIEW_ID}\/runtime_field\/${FIELD_NAME}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/data_views\/data_view\/{viewId}\/runtime_field\/{fieldName}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/data_view\/{viewId}\/runtime_field\/{fieldName}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an existing runtime field in a data view. 
Only the fields provided in the request body are updated.\n","operationId":"updateRuntimeFieldDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_field_name"},{"$ref":"#\/components\/parameters\/Data_views_view_id"}],"requestBody":{"content":{"application\/json":{"examples":{"updateRuntimeFieldRequest":{"$ref":"#\/components\/examples\/Data_views_update_runtime_field_request"}},"schema":{"type":"object","properties":{"runtimeField":{"description":"The runtime field definition object.\n\nYou can update the following fields:\n\n- `type`\n- `script`\n","type":"object"}},"required":["runtimeField"]}}},"required":true},"responses":{"200":{"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Update a runtime field","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/data_views\/data_view\/${DATA_VIEW_ID}\/runtime_field\/${FIELD_NAME}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"runtimeField\":{\"type\":\"long\",\"script\":{\"source\":\"emit(doc['\"'\"'timestamp'\"'\"'].value.getHour())\"}}}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/data_views\/data_view\/{viewId}\/runtime_field\/{fieldName}\n{\"runtimeField\":{\"type\":\"long\",\"script\":{\"source\":\"emit(doc['timestamp'].value.getHour())\"}}}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/data_views\/default":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/default<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve the identifier of the 
default data view for the current Kibana space.\n","operationId":"getDefaultDataViewDefault","responses":{"200":{"content":{"application\/json":{"examples":{"getDefaultDataViewResponse":{"$ref":"#\/components\/examples\/Data_views_get_default_data_view_response"}},"schema":{"type":"object","properties":{"data_view_id":{"type":"string"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Get the default data view","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/data_views\/default\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/data_views\/default\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/default<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSet the default data view for the current Kibana space. The default data view is used as a fallback when no specific data view is selected.\n","operationId":"setDefaultDatailViewDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_kbn_xsrf"}],"requestBody":{"content":{"application\/json":{"examples":{"setDefaultDataViewRequest":{"$ref":"#\/components\/examples\/Data_views_set_default_data_view_request"}},"schema":{"type":"object","properties":{"data_view_id":{"description":"The data view identifier. NOTE: The API does not validate whether it is a valid identifier. 
Use `null` to unset the default data view.\n","nullable":true,"type":"string"},"force":{"default":false,"description":"Update an existing default data view identifier.","type":"boolean"}},"required":["data_view_id"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"type":"object","properties":{"acknowledged":{"type":"boolean"}}}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Data_views_400_response"}}},"description":"Bad request"}},"summary":"Set the default data view","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/data_views\/default\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"data_view_id\":\"ff959d40-b880-11e8-a6d9-e546fe2bba5f\",\"force\":true}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/data_views\/default\n{\"data_view_id\":\"ff959d40-b880-11e8-a6d9-e546fe2bba5f\",\"force\":true}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/data_views\/swap_references":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/swap_references<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSwap saved object references from one data view to another. Use this endpoint to update dashboards, visualizations, and other saved objects that reference a data view. WARNING: Misuse can break large numbers of saved objects! 
Use the [`_preview`](https:\/\/www.elastic.co\/docs\/api\/doc\/kibana\/operation\/operation-previewswapdataviewsdefault) endpoint to see which saved objects would be affected before making changes.\n","operationId":"swapDataViewsDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_kbn_xsrf"}],"requestBody":{"content":{"application\/json":{"examples":{"swapDataViewRequest":{"$ref":"#\/components\/examples\/Data_views_swap_data_view_request"}},"schema":{"$ref":"#\/components\/schemas\/Data_views_swap_data_view_request_object"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"type":"object","properties":{"deleteStatus":{"type":"object","properties":{"deletePerformed":{"type":"boolean"},"remainingRefs":{"type":"integer"}}},"result":{"items":{"type":"object","properties":{"id":{"description":"A saved object identifier.","type":"string"},"type":{"description":"The saved object type.","type":"string"}}},"type":"array"}}}}},"description":"Indicates a successful call."}},"summary":"Swap saved object references","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/data_views\/swap_references\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"fromId\":\"abcd-efg\",\"toId\":\"xyz-123\",\"delete\":true}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/data_views\/swap_references\n{\"fromId\":\"abcd-efg\",\"toId\":\"xyz-123\",\"delete\":true}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/data_views\/swap_references\/_preview":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/data_views\/swap_references\/_preview<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) 
for more information.\n\nPreview the effect of swapping saved object references from one data view to another. Returns the list of affected saved objects without making any changes.\n","operationId":"previewSwapDataViewsDefault","parameters":[{"$ref":"#\/components\/parameters\/Data_views_kbn_xsrf"}],"requestBody":{"content":{"application\/json":{"examples":{"previewSwapDataViewRequest":{"$ref":"#\/components\/examples\/Data_views_preview_swap_data_view_request"}},"schema":{"$ref":"#\/components\/schemas\/Data_views_swap_data_view_request_object"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"type":"object","properties":{"result":{"items":{"type":"object","properties":{"id":{"description":"A saved object identifier.","type":"string"},"type":{"description":"The saved object type.","type":"string"}}},"type":"array"}}}}},"description":"Indicates a successful call."}},"summary":"Preview swap references","tags":["data views"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/data_views\/swap_references\/_preview\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"fromId\":\"abcd-efg\",\"toId\":\"xyz-123\"}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/data_views\/swap_references\/_preview\n{\"fromId\":\"abcd-efg\",\"toId\":\"xyz-123\"}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/privileges":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/privileges<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieves whether or not the user is authenticated, and the user's Kibana\nspace and index privileges, which determine if the 
user can create an\nindex for the Elastic Security alerts generated by\ndetection engine rules.\n","operationId":"ReadPrivileges","responses":{"200":{"content":{"application\/json":{"examples":{"success":{"value":{"application":{},"cluster":{"all":true,"manage":true,"manage_api_key":true,"manage_index_templates":true,"manage_ml":true,"manage_own_api_key":true,"manage_pipeline":true,"manage_security":true,"manage_transform":true,"monitor":true,"monitor_ml":true,"monitor_transform":true},"has_all_requested":true,"has_encryption_key":true,"index":{".alerts-security.alerts-default":{"all":true,"create":true,"create_doc":true,"create_index":true,"delete":true,"delete_index":true,"index":true,"maintenance":true,"manage":true,"monitor":true,"read":true,"view_index_metadata":true,"write":true}},"is_authenticated":true,"username":"elastic"}}},"schema":{"type":"object","properties":{"has_encryption_key":{"type":"boolean"},"is_authenticated":{"type":"boolean"}},"required":["is_authenticated","has_encryption_key"]}}},"description":"Successful response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Returns user privileges for the Kibana space","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/detection_engine\/rules":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a detection rule using the `rule_id` or `id` field.\n\nThe URL query must include one of the following:\n\n* `id` - `DELETE \/api\/detection_engine\/rules?id=<id>`\n* `rule_id` - `DELETE \/api\/detection_engine\/rules?rule_id=<rule_id>`\n\nThe difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.\n","operationId":"DeleteRule","parameters":[{"description":"The rule's `id` value.","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"}},{"description":"The rule's `rule_id` value.","in":"query","name":"rule_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deletedRule":{"summary":"Response shape after a rule is deleted","value":{"actions":[],"created_at":"2020-02-03T11:19:04.259Z","created_by":"elastic","description":"Process started by MS Office program in user folder","enabled":false,"false_positives":[],"from":"now-4200s","id":"c41d170b-8ba6-4de6-b8ec-76440a35ace3","immutable":false,"interval":"1h","language":"kuery","max_signals":100,"name":"MS Office child 
process","query":"event.action:Process*","references":[],"risk_score":50,"rule_id":"process_started_by_ms_office_user_folder","severity":"low","tags":["tag"],"throttle":null,"to":"now","type":"query","updated_at":"2020-02-03T11:19:04.462Z","updated_by":"elastic","version":3}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleResponse"}}},"description":"Indicates a successful call."}},"summary":"Delete a detection rule","tags":["Security Detections API"],"x-codeSamples":[{"lang":"cURL","source":"curl \\\n  --request DELETE https:\/\/localhost:5601\/api\/detection_engine\/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \\\n  --header \"Content-Type: application\/json; Elastic-Api-Version=2023-10-31\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve a detection rule using the `rule_id` or `id` field.\n\nThe URL query must include one of the following:\n\n* `id` - `GET \/api\/detection_engine\/rules?id=<id>`\n* `rule_id` - `GET \/api\/detection_engine\/rules?rule_id=<rule_id>`\n\nThe difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.\n","operationId":"ReadRule","parameters":[{"description":"The rule's `id` value.","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"}},{"description":"The rule's `rule_id` 
value.","in":"query","name":"rule_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"example1":{"summary":"Example response for a retrieved rule","value":{"created_at":"2020-02-03T11:19:04.259Z","created_by":"elastic","description":"Process started by MS Office program in user folder","enabled":false,"execution_summary":{"last_execution":{"date":"2022-03-23T16:06:12.787Z","message":"This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.","metrics":{"execution_gap_duration_s":0,"total_indexing_duration_ms":15,"total_search_duration_ms":135},"status":"partial failure","status_order":20}},"false_positives":[],"filters":[{"query":{"match":{"event.action":{"query":"Process Create (rule: ProcessCreate)","type":"phrase"}}}}],"from":"now-4200s","id":"c41d170b-8ba6-4de6-b8ec-76440a35ace3","immutable":false,"interval":"1h","language":"kuery","max_signals":100,"name":"MS Office child process","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"process.name","type":"keyword"},{"ecs":true,"name":"process.parent.name","type":"keyword"}],"risk_score":21,"rule_id":"process_started_by_ms_office_user_folder","setup":"","severity":"low","tags":["child process","ms office"],"threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https:\/\/attack.mitre.org\/tactics\/TA0001"},"technique":[{"id":"T1193","name":"Spearphishing 
Attachment","reference":"https:\/\/attack.mitre.org\/techniques\/T1193"}]}],"to":"now-300s","type":"query","updated_at":"2020-02-03T11:19:04.462Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleResponse"}}},"description":"Indicates a successful call.\n> info\n> These fields are under development and their usage or schema may change: execution_summary.\n"}},"summary":"Retrieve a detection rule","tags":["Security Detections API"],"x-codeSamples":[{"lang":"cURL","source":"curl \\\n  --request GET https:\/\/localhost:5601\/api\/detection_engine\/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \\\n  --header \"Content-Type: application\/json; Elastic-Api-Version=2023-10-31\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb patch\">patch<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate specific fields of an existing detection rule using the `rule_id` or `id` field.\n\nThe difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.\n> warn\n> When used with [API key](https:\/\/www.elastic.co\/docs\/deploy-manage\/api-keys) authentication, the user's key gets assigned to the affected rules. 
If the user's key gets deleted or the user becomes inactive, the rules will stop running.\n\n> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.\n","operationId":"PatchRule","requestBody":{"content":{"application\/json":{"examples":{"example1":{"summary":"Patch query rule","value":{"id":"14b7b513-3d8d-4b22-b7da-a7ae632f7e76","name":"New name"}},"example2":{"summary":"Patch EQL rule","value":{"rule_id":"process_started_by_ms_office_program_possible_payload","threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0001","name":"Initial Access","reference":"https:\/\/attack.mitre.org\/tactics\/TA0001"},"technique":[{"id":"T1193","name":"Spearphishing Attachment","reference":"https:\/\/attack.mitre.org\/techniques\/T1193"}]}]}},"example3":{"summary":"Patch threshold rule","value":{"id":"005d2c4f-51ca-493d-a2bd-20ef076339b1","query":"agent.version : * and agent.id : \"243d9b4f-ca01-4311-8e5c-9abbee91afd8\"","threshold":{"cardinality":[],"field":[],"value":600}}},"example4":{"summary":"Patch new terms rule","value":{"history_window_start":"now-3d","id":"569aac91-40dc-4807-a8ae-a2c8698089c4","new_terms_fields":["Endpoint.policy.applied.artifacts.global.identifiers.name"]}},"example5":{"summary":"Patch esql rule","value":{"id":"0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd","query":"FROM logs-abc*\n| STATS count = COUNT(*), min_timestamp = MIN(@timestamp)\n| EVAL event_rate = count \/ DATE_DIFF(\"seconds\", min_timestamp, NOW()) \n| KEEP event_rate\n"}},"example6":{"summary":"Patch indicator match rule","value":{"id":"462f1986-10fe-40a3-a22c-2b1c9c4c48fd","threat_query":"@timestamp >= \"now-30d\/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"false\""}},"example7":{"summary":"Patch machine learning 
rule","value":{"anomaly_threshold":50,"id":"60b13926-289b-41b1-a537-197ef1fa5059","machine_learning_job_id":["auth_high_count_logon_events_ea"]}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RulePatchProps"}}},"description":"> info\n> You cannot modify the `id` or `rule_id` values.\n","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"example1":{"summary":"Example response for an updated rule","value":{"actions":[],"created_at":"2020-04-07T14:51:09.755Z","created_by":"elastic","description":"Updated description for the rule.","enabled":false,"false_positives":[],"filters":[{"query":null}],"from":"now-70m","id":"6541b99a-dee9-4f6d-a86d-dbd1869d73b1","immutable":false,"interval":"1h","language":"kuery","max_signals":100,"name":"Updated Rule Name","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","references":[],"related_integrations":[{"package":"o365"}],"required_fields":[{"name":"process.parent.name"}],"risk_score":50,"rule_id":"process_started_by_ms_office_program","setup":"","severity":"low","tags":["child process","ms office"],"threat":[],"to":"now","type":"query","updated_at":"2020-04-07T14:51:09.970Z","updated_by":"elastic","version":2}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleResponse"}}},"description":"Indicates a successful call."}},"summary":"Patch a detection rule","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\nCreate a new detection rule.\n> warn\n> When used with [API key](https:\/\/www.elastic.co\/docs\/deploy-manage\/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.\n\n> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.\n\nYou can create the following types of rules:\n\n* **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query.\n* **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/eql.html) query.\n* **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value.\n  For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/search-aggregations-bucket-terms-aggregation.html) for more information.\n* **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. 
The index's field mappings should be [ECS-compliant](https:\/\/www.elastic.co\/guide\/en\/ecs\/current\/ecs-reference.html).\n* **New terms**: Generates an alert for each new term detected in source documents within a specified time range.\n* **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/esql.html) to find events and aggregate search results.\n* **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold.\n> info\n> To create machine learning rules, you must have the [appropriate license](https:\/\/www.elastic.co\/subscriptions) or use a [cloud deployment](https:\/\/cloud.elastic.co\/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running.\n\nTo retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules:\n\n```json\n...\n\"job_id\": \"linux_anomalous_network_activity_ecs\",\n\"job_type\": \"anomaly_detector\",\n\"job_version\": \"7.7.0\",\n\"groups\": [\n  \"auditbeat\",\n  \"process\",\n  \"siem\"\n],\n...\n```\n\nAdditionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https:\/\/www.elastic.co\/docs\/explore-analyze\/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. 
The following connector types are supported for rule notifications:\n\n* Slack\n* Email\n* PagerDuty\n* Webhook\n* Microsoft Teams\n* IBM Resilient\n* Jira\n* ServiceNow ITSM\n> info\n> For more information on PagerDuty fields, see [Send a v2 Event](https:\/\/developer.pagerduty.com\/docs\/events-api-v2\/trigger-events\/).\n\nTo retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https:\/\/www.elastic.co\/docs\/api\/doc\/kibana\/operation\/operation-findsavedobjects) with `\"type\": \"action\"` in the request payload.\n\nFor detailed information on Kibana actions and alerting, and additional API calls, see:\n\n* [Alerting API](https:\/\/www.elastic.co\/docs\/api\/doc\/kibana\/group\/endpoint-alerting)\n* [Alerting and Actions framework](https:\/\/www.elastic.co\/docs\/explore-analyze\/alerting)\n* [Connectors API](https:\/\/www.elastic.co\/docs\/api\/doc\/kibana\/group\/endpoint-connectors)\n","operationId":"CreateRule","requestBody":{"content":{"application\/json":{"examples":{"example1":{"description":"Query rule that searches for processes started by MS Office","summary":"Query rule","value":{"description":"Process started by MS Office program - possible payload","enabled":false,"filters":[{"query":{"match":{"event.action":{"query":"Process Create (rule: ProcessCreate)","type":"phrase"}}}}],"from":"now-70m","interval":"1h","language":"kuery","name":"MS Office child process","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"name":"process.parent.name","type":"keyword"}],"risk_score":50,"rule_id":"process_started_by_ms_office_program","severity":"low","tags":["child process","ms office"],"type":"query"}},"example2":{"description":"Threshold rule that detects multiple 
failed login attempts to a Windows host from the same external source IP address","summary":"Threshold rule","value":{"description":"Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.","enabled":true,"exceptions_list":[{"id":"int-ips","namespace_type":"single","type":"detection"}],"from":"now-180s","index":["winlogbeat-*"],"interval":"2m","name":"Windows server prml-19","query":"host.name:prml-19 and event.category:authentication and event.outcome:failure","required_fields":[{"name":"source.ip","type":"ip"}],"risk_score":30,"rule_id":"liv-win-ser-logins","severity":"low","severity_mapping":[{"field":"source.geo.city_name","operator":"equals","severity":"low","value":"Manchester"},{"field":"source.geo.city_name","operator":"equals","severity":"medium","value":"London"},{"field":"source.geo.city_name","operator":"equals","severity":"high","value":"Birmingham"},{"field":"source.geo.city_name","operator":"equals","severity":"critical","value":"Wallingford"}],"tags":["Brute force"],"threshold":{"field":"source.ip","value":20},"type":"threshold"}},"example3":{"description":"Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above.","summary":"Machine learning rule","value":{"actions":[{"action_type_id":".slack","group":"default","id":"5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5","params":{"message":"Urgent: {{context.rule.description}}"}}],"anomaly_threshold":70,"description":"Generates alerts when the job discovers anomalies over 70","enabled":true,"from":"now-6m","interval":"5m","machine_learning_job_id":"linux_anomalous_network_activity_ecs","name":"Anomalous Linux network activity","note":"Shut down the internet.","risk_score":70,"rule_id":"ml_linux_network_high_threshold","setup":"This rule requires data coming in from Elastic Defend.","severity":"high","tags":["machine 
learning","Linux"],"type":"machine_learning"}},"example4":{"description":"Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections","summary":"EQL rule","value":{"description":"Unusual rundll32.exe network connection","language":"eql","name":"rundll32.exe network connection","query":"sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]","required_fields":[{"name":"event.type","type":"keyword"},{"name":"process.args","type":"keyword"},{"name":"process.args_count","type":"long"},{"name":"process.entity_id","type":"keyword"},{"name":"process.name","type":"keyword"},{"name":"process.pe.original_file_name","type":"keyword"}],"risk_score":21,"rule_id":"eql-outbound-rundll32-connections","severity":"low","tags":["EQL","Windows","rundll32.exe"],"type":"eql"}},"example5":{"description":"Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index.\n","summary":"Indicator match rule","value":{"actions":[],"description":"Checks for bad IP addresses listed in the ip-threat-list index","index":["packetbeat-*"],"name":"Bad IP threat match","query":"destination.ip:* or 
host.ip:*","required_fields":[{"name":"destination.ip","type":"ip"},{"name":"destination.port","type":"long"},{"name":"host.ip","type":"ip"}],"risk_score":50,"severity":"medium","threat_index":["ip-threat-list"],"threat_mapping":[{"entries":[{"field":"destination.ip","type":"mapping","value":"destination.ip"},{"field":"destination.port","type":"mapping","value":"destination.port"}]},{"entries":[{"field":"source.ip","type":"mapping","value":"host.ip"}]}],"threat_query":"*:*","type":"threat_match"}},"example6":{"description":"New terms rule that creates alerts when a new IP address is detected for a user","summary":"New terms rule","value":{"description":"Detects a user associated with a new IP address","history_window_start":"now-30d","index":["auditbeat*"],"language":"kuery","name":"New User IP Detected","new_terms_fields":["user.id","source.ip"],"query":"*","required_fields":[{"name":"user.id","type":"keyword"},{"name":"source.ip","type":"ip"}],"risk_score":21,"severity":"medium","type":"new_terms"}},"example7":{"description":"esql rule that creates alerts from events that match an Excel parent process","summary":"Esql rule","value":{"description":"Find Excel events","enabled":false,"from":"now-360s","interval":"5m","language":"esql","name":"Find Excel events","query":"from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == \"EXCEL.EXE\"","required_fields":[{"name":"process.parent.name","type":"keyword"}],"risk_score":21,"severity":"low","tags":[],"to":"now","type":"esql"}},"example8":{"description":"Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period","summary":"Query rule 2","value":{"alert_suppression":{"duration":{"unit":"h","value":5},"group_by":["process.parent.name"],"missing_fields_strategy":"suppress"},"description":"Process started by MS Office program - possible 
payload","enabled":false,"filters":[{"query":{"match":{"event.action":{"query":"Process Create (rule: ProcessCreate)","type":"phrase"}}}}],"from":"now-70m","interval":"1h","language":"kuery","name":"MS Office child process","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","risk_score":50,"rule_id":"process_started_by_ms_office_program","severity":"low","tags":["child process","ms office"],"type":"query"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleCreateProps"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"example1":{"description":"Example response for a query rule","summary":"Query rule response","value":{"actions":[],"created_at":"2020-04-07T14:51:09.755Z","created_by":"elastic","description":"Process started by MS Office program - possible payload","enabled":false,"false_positives":[],"filters":[{"query":{"match":{"event.action":{"query":"Process Create (rule: ProcessCreate)","type":"phrase"}}}}],"from":"now-70m","id":"6541b99a-dee9-4f6d-a86d-dbd1869d73b1","immutable":false,"interval":"1h","language":"kuery","max_signals":100,"name":"MS Office child process","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"},{"integration":"graphactivitylogs","package":"azure","version":"^1.11.4"}],"required_fields":[{"ecs":true,"name":"process.parent.name","type":"keyword"}],"risk_score":50,"rule_id":"process_started_by_ms_office_program","setup":"","severity":"low","tags":["child process","ms 
office"],"threat":[],"to":"now","type":"query","updated_at":"2020-04-07T14:51:09.970Z","updated_by":"elastic","version":1}},"example2":{"description":"Example response for a machine learning job rule","summary":"Machine learning response","value":{"actions":[{"action_type_id":".slack","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5","params":{"message":"Urgent: {{context.rule.description}}"}}],"anomaly_threshold":70,"created_at":"2020-04-07T14:45:15.679Z","created_by":"elastic","description":"Generates alerts when the job discovers anomalies over 70","enabled":true,"false_positives":[],"from":"now-6m","id":"83876f66-3a57-4a99-bf37-416494c80f3b","immutable":false,"interval":"5m","machine_learning_job_id":"linux_anomalous_network_activity_ecs","max_signals":100,"name":"Anomalous Linux network activity","note":"Shut down the internet.","references":[],"related_integrations":[],"required_fields":[],"risk_score":70,"rule_id":"ml_linux_network_high_threshold","setup":"","severity":"high","status":"going to run","status_date":"2020-04-07T14:45:21.685Z","tags":["machine learning","Linux"],"threat":[],"to":"now","type":"machine_learning","updated_at":"2020-04-07T14:45:15.892Z","updated_by":"elastic","version":1}},"example3":{"description":"Example response for a threshold rule","summary":"Threshold rule response","value":{"actions":[],"author":[],"created_at":"2020-07-22T10:27:23.486Z","created_by":"elastic","description":"Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.","enabled":true,"exceptions_list":[{"id":"int-ips","namespace_type":"single","type":"detection"}],"false_positives":[],"from":"now-180s","id":"15dbde26-b627-4d74-bb1f-a5e0ed9e4993","immutable":false,"index":["winlogbeat-*"],"interval":"2m","language":"kuery","max_signals":100,"name":"Windows server prml-19","query":"host.name:prml-19 and 
event.category:authentication and event.outcome:failure","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"source.ip","type":"ip"}],"risk_score":30,"risk_score_mapping":[],"rule_id":"liv-win-ser-logins","setup":"","severity":"low","severity_mapping":[{"field":"source.geo.city_name","operator":"equals","severity":"low","value":"Manchester"},{"field":"source.geo.city_name","operator":"equals","severity":"medium","value":"London"},{"field":"source.geo.city_name","operator":"equals","severity":"high","value":"Birmingham"},{"field":"source.geo.city_name","operator":"equals","severity":"critical","value":"Wallingford"}],"tags":["Brute force"],"threat":[],"threshold":{"field":"source.ip","value":20},"to":"now","type":"threshold","updated_at":"2020-07-22T10:27:23.673Z","updated_by":"elastic","version":1}},"example4":{"description":"Example response for an EQL rule","summary":"EQL rule response","value":{"author":[],"created_at":"2020-10-05T09:06:16.392Z","created_by":"elastic","description":"Unusual rundll32.exe network connection","enabled":true,"exceptions_list":[],"false_positives":[],"from":"now-6m","id":"93808cae-b05b-4dc9-8479-73574b50f8b1","immutable":false,"interval":"5m","language":"eql","max_signals":100,"name":"rundll32.exe network connection","query":"sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == 
\"rundll32.exe\")]","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"event.type","type":"keyword"},{"ecs":true,"name":"process.args","type":"keyword"},{"ecs":true,"name":"process.args_count","type":"long"},{"ecs":true,"name":"process.entity_id","type":"keyword"},{"ecs":true,"name":"process.name","type":"keyword"},{"ecs":true,"name":"process.pe.original_file_name","type":"keyword"}],"risk_score":21,"risk_score_mapping":[],"rule_id":"eql-outbound-rundll32-connections","setup":"","severity":"low","severity_mapping":[],"tags":["EQL","Windows","rundll32.exe"],"threat":[],"throttle":"no_actions","to":"now","type":"eql","updated_at":"2020-10-05T09:06:16.403Z","updated_by":"elastic","version":1}},"example5":{"description":"Example response for an indicator match rule","summary":"Indicator match rule response","value":{"author":[],"created_at":"2020-10-06T07:07:58.227Z","created_by":"elastic","description":"Checks for bad IP addresses listed in the ip-threat-list index","enabled":true,"exceptions_list":[],"false_positives":[],"from":"now-6m","id":"d5daa13f-81fb-4b13-be2f-31011e1d9ae1","immutable":false,"index":["packetbeat-*"],"interval":"5m","language":"kuery","max_signals":100,"name":"Bad IP threat match","query":"destination.ip:* or 
host.ip:*","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"destination.ip","type":"ip"},{"ecs":true,"name":"destination.port","type":"long"},{"ecs":true,"name":"host.ip","type":"ip"}],"risk_score":50,"risk_score_mapping":[],"rule_id":"608501e4-c768-4f64-9326-cec55b5d439b","setup":"","severity":"medium","severity_mapping":[],"tags":[],"threat":[],"threat_index":["ip-threat-list"],"threat_mapping":[{"entries":[{"field":"destination.ip","type":"mapping","value":"destination.ip"},{"field":"destination.port","type":"mapping","value":"destination.port"}]},{"entries":[{"field":"source.ip","type":"mapping","value":"host.ip"}]}],"threat_query":"*:*","to":"now","type":"threat_match","updated_at":"2020-10-06T07:07:58.237Z","updated_by":"elastic","version":1}},"example6":{"description":"Example response for a new terms rule","summary":"New terms rule response","value":{"author":[],"created_at":"2020-10-06T07:07:58.227Z","created_by":"elastic","description":"Detects a user associated with a new IP address","enabled":true,"exceptions_list":[],"false_positives":[],"from":"now-6m","history_window_start":"now-30d","id":"eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4","immutable":false,"index":["auditbeat*"],"interval":"5m","language":"kuery","max_signals":100,"name":"New User IP Detected","new_terms_fields":["user.id","source.ip"],"query":"*","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"user.id","type":"keyword"},{"ecs":true,"name":"source.ip","type":"ip"}],"risk_score":21,"risk_score_mapping":[],"rule_id":"c6f5d0bc-7be9-47d4-b2f3-073d22641e30","setup":"","severity":"medium","severity_mapping":[],"tags":[],"threat":[],"to":"now","type":"new_terms","updated_at":"2020-10-06T07:07:58.237Z","updated_by":"elastic","version":1}},"example7":{"description":"Example response for an Esql rule","summary":"Esql rule 
response","value":{"actions":[],"author":[],"created_at":"2023-10-18T10:55:14.269Z","created_by":"elastic","description":"Find Excel events","enabled":false,"exceptions_list":[],"false_positives":[],"from":"now-360s","id":"d0f20490-6da4-11ee-b85e-09e9b661f2e2","immutable":false,"interval":"5m","language":"esql","max_signals":100,"name":"Find Excel events","output_index":"","query":"from auditbeat-8.10.2 METADATA _id | where process.parent.name == \"EXCEL.EXE\"","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"process.parent.name","type":"keyword"}],"revision":0,"risk_score":21,"risk_score_mapping":[],"rule_id":"e4b53a89-debd-4a0d-a3e3-20606952e589","setup":"","severity":"low","severity_mapping":[],"tags":[],"threat":[],"to":"now","type":"esql","updated_at":"2023-10-18T10:55:14.269Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleResponse"}}},"description":"Indicates a successful call."}},"summary":"Create a detection rule","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a detection rule using the `rule_id` or `id` field. 
The original rule is replaced, and all unspecified fields are deleted.\n\nThe difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.\n> warn\n> When used with [API key](https:\/\/www.elastic.co\/docs\/deploy-manage\/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.\n\n> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.\n","operationId":"UpdateRule","requestBody":{"content":{"application\/json":{"examples":{"example1":{"summary":"Update query rule","value":{"description":"A new description","id":"14b7b513-3d8d-4b22-b7da-a7ae632f7e76","name":"A new name for the rule","risk_score":22,"severity":"medium","type":"query"}},"example2":{"summary":"Update EQL rule","value":{"description":"eql rule test","id":"9b684efb-acf9-4323-9bff-8335b3867d14","index":["apm-*-transaction*"],"language":"eql","name":"New name for EQL rule","query":"process where process.name == \"regsvr32.exe\"","risk_score":21,"severity":"low","type":"eql"}},"example3":{"summary":"Update threshold rule","value":{"description":"Description of threat rule test","id":"005d2c4f-51ca-493d-a2bd-20ef076339b1","language":"kuery","name":"New name for threat rule","query":"agent.version : * and agent.id : \"243d9b4f-ca01-4311-8e5c-9abbee91afd8\"","risk_score":21,"severity":"low","tags":["new_tag"],"threshold":{"cardinality":[],"field":[],"value":400},"type":"threshold"}},"example4":{"summary":"Update new terms rule","value":{"description":"New description","history_window_start":"now-7d","id":"569aac91-40dc-4807-a8ae-a2c8698089c4","interval":"5m","name":"New terms rule 
name","new_terms_fields":["Endpoint.policy.applied.artifacts.global.identifiers.name"],"query":"agent.version : \"9.1.0\"","risk_score":21,"severity":"low","type":"new_terms"}},"example5":{"summary":"Update esql rule","value":{"description":"New description for esql rule","id":"0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd","language":"esql","name":"New name for esql rule","query":"FROM logs*\n| STATS count = COUNT(*), min_timestamp = MIN(@timestamp) \/* MIN(dateField) finds the earliest timestamp in the dataset. *\/\n| EVAL event_rate = count \/ DATE_DIFF(\"seconds\", min_timestamp, NOW()) \/* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. *\/\n| KEEP event_rate\n","risk_score":21,"severity":"low","type":"esql"}},"example6":{"summary":"Update indicator match rule","value":{"description":"New description","id":"462f1986-10fe-40a3-a22c-2b1c9c4c48fd","name":"New name for Indicator Match rule","query":"source.ip:* or destination.ip:*\\n","risk_score":99,"severity":"critical","threat_index":["filebeat-*","logs-ti_*"],"threat_mapping":[{"entries":[{"field":"source.ip","type":"mapping","value":"threat.indicator.ip"}]},{"entries":[{"field":"destination.ip","type":"mapping","value":"threat.indicator.ip"}]}],"threat_query":"@timestamp >= \"now-30d\/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"","type":"threat_match"}},"example7":{"summary":"Update machine learning rule","value":{"anomaly_threshold":50,"description":"New description of ml rule","id":"60b13926-289b-41b1-a537-197ef1fa5059","machine_learning_job_id":["auth_high_count_logon_events_ea"],"name":"New name of ml rule","risk_score":21,"severity":"low","type":"machine_learning"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleUpdateProps"}}},"description":"> info\n> All unspecified fields are deleted. 
You cannot modify the `id` or `rule_id` values.\n","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"example1":{"summary":"Example response for an updated rule","value":{"actions":[],"created_at":"2020-04-07T14:51:09.755Z","created_by":"elastic","description":"Updated description for the rule.","enabled":false,"false_positives":[],"filters":[{"query":null}],"from":"now-70m","id":"6541b99a-dee9-4f6d-a86d-dbd1869d73b1","immutable":false,"interval":"1h","language":"kuery","max_signals":100,"name":"Updated Rule Name","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","references":[],"related_integrations":[{"package":"o365"}],"required_fields":[{"name":"process.parent.name"}],"risk_score":50,"rule_id":"process_started_by_ms_office_program","setup":"","severity":"low","tags":["child process","ms office"],"threat":[],"to":"now","type":"query","updated_at":"2020-04-07T14:51:09.970Z","updated_by":"elastic","version":2}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleResponse"}}},"description":"Indicates a successful call."}},"summary":"Update a detection rule","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/rules\/_bulk_action":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules\/_bulk_action<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nApply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. 
The bulk action is applied to all rules that match the query or to the rules listed by their IDs.\n\nThe edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. \nThe edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions; for example, removing an index pattern that is not specified in a rule does not result in any changes. The only exceptions are the `add_rule_actions` and `set_rule_actions` actions, which are non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID.\n> warn\n> When used with [API key](https:\/\/www.elastic.co\/docs\/deploy-manage\/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.\n\n> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.\n","operationId":"PerformRulesBulkAction","parameters":[{"description":"Enables dry run mode for the request call.\n\nEnable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can\u2019t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and\/or ID, and additional troubleshooting information.\n\nTo enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. These updates won\u2019t be written to Elasticsearch.\n> info\n> Dry run mode is not supported for the `export` bulk action. 
A 400 error will be returned in the request response.\n","in":"query","name":"dry_run","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"example01":{"description":"The following request activates all rules with the test tag.","summary":"Enable - Enable all rules with the test tag","value":{"action":"enable","query":"alert.attributes.tags: \"test\""}},"example02":{"description":"The following request enables the rule with the specified ID.","summary":"Enable - Enable a specific rule by ID.","value":{"action":"enable","ids":["748694f0-6977-4ea5-8384-cd2e39730779"]}},"example03":{"description":"The following request disables the rule with the specified ID.","summary":"Disable - Disable a specific rule by ID","value":{"action":"disable","ids":["748694f0-6977-4ea5-8384-cd2e39730779"]}},"example04":{"description":"The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions.","summary":"Duplicate - Duplicate rules with specific IDs","value":{"action":"duplicate","duplicate":{"include_exceptions":true,"include_expired_exceptions":false},"ids":["748694f0-6977-4ea5-8384-cd2e39730779","461a4c22-416e-4009-a9a7-cf79656454bf"]}},"example05":{"description":"The following request deletes the rule with the specified ID.","summary":"Delete - Delete a specific rule by ID","value":{"action":"delete","ids":["cf4abfd1-7c37-4519-ab0f-5ea5c75fac60"]}},"example06":{"description":"The following request runs the rule with the specified ID within the given date range.","summary":"Run - Run a specific rule by ID","value":{"action":"run","ids":["748694f0-6977-4ea5-8384-cd2e39730779"],"run":{"end_date":"2025-03-10T23:59:59.999Z","start_date":"2025-03-01T00:00:00.000Z"}}},"example07":{"description":"The following request exports the rules with the specified IDs.","summary":"Export - Export specific rules by 
ID","value":{"action":"export","ids":["748694f0-6977-4ea5-8384-cd2e39730779"]}},"example08":{"description":"The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api\/detection_engine\/rules\/_bulk_action?dry_run=true","summary":"Edit - dry run - Validate add_index_patterns bulk action","value":{"action":"edit","edit":[{"type":"add_index_patterns","value":["test-*"]}],"ids":["81aa0480-06af-11ed-94fb-dd1a0597d8d2","dc015d10-0831-11ed-ac8b-05a222bd8d4a","de8f5af0-0831-11ed-ac8b-05a222bd8d4a"]}},"example09":{"description":"The following request adds the tag \"tag-1\" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made.","summary":"Edit - Add a tag to rules (idempotent)","value":{"action":"edit","edit":[{"type":"add_tags","value":["tag-1"]}],"ids":["8bc7dad0-9320-11ec-9265-8b772383a08d","8e5c1a40-9320-11ec-9265-8b772383a08d"]}},"example10":{"description":"The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made.","summary":"Edit - Add two tags to rules (idempotent)","value":{"action":"edit","edit":[{"type":"add_tags","value":["tag-1","tag-2"]}],"ids":["8bc7dad0-9320-11ec-9265-8b772383a08d","8e5c1a40-9320-11ec-9265-8b772383a08d"]}},"example11":{"description":"The following request removes the tag \"tag-1\" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made.","summary":"Edit - Delete a tag from rules (idempotent)","value":{"action":"edit","edit":[{"type":"delete_tags","value":["tag-1"]}],"ids":["8bc7dad0-9320-11ec-9265-8b772383a08d","8e5c1a40-9320-11ec-9265-8b772383a08d"]}},"example12":{"description":"The following request sets the tags \"tag-1\" and \"tag-2\" for the rules with the specified IDs, overwriting any existing tags. 
If the set of tags is the same as the existing tags, no changes are made.","summary":"Edit - Set (overwrite existing) tags for rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_tags","value":["tag-1","tag-2"]}],"ids":["8bc7dad0-9320-11ec-9265-8b772383a08d","8e5c1a40-9320-11ec-9265-8b772383a08d"]}},"example13":{"description":"The following request adds the index pattern \"test-*\" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made.","summary":"Edit - Add index patterns to rules (idempotent)","value":{"action":"edit","edit":[{"type":"add_index_patterns","value":["test-*"]}],"ids":["81aa0480-06af-11ed-94fb-dd1a0597d8d2","dc015d10-0831-11ed-ac8b-05a222bd8d4a"]}},"example14":{"description":"The following request removes the index pattern \"test-*\" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made.","summary":"Edit - Remove index patterns from rules (idempotent)","value":{"action":"edit","edit":[{"type":"delete_index_patterns","value":["test-*"]}],"ids":["81aa0480-06af-11ed-94fb-dd1a0597d8d2","dc015d10-0831-11ed-ac8b-05a222bd8d4a"]}},"example15":{"description":"The following request sets the index patterns \"test-*\" and \"prod-*\" for the rules with the specified IDs, overwriting any existing index patterns. 
If the set of index patterns is the same as the existing index patterns, no changes are made.","summary":"Edit - Set (overwrite existing) index patterns for rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_index_patterns","value":["test-*"]}],"ids":["81aa0480-06af-11ed-94fb-dd1a0597d8d2","dc015d10-0831-11ed-ac8b-05a222bd8d4a"]}},"example16":{"description":"The following request adds an investigation field to the rules with the specified IDs.","summary":"Edit - Add investigation field to rules","value":{"action":"edit","edit":[{"type":"add_investigation_fields","value":{"field_names":["alert.status"]}}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"]}},"example17":{"description":"The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made.","summary":"Edit - Delete investigation fields from rules (idempotent)","value":{"action":"edit","edit":[{"type":"delete_investigation_fields"}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"],"value":["field1","field2"]}},"example18":{"description":"The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made.","summary":"Edit - Set (overwrite existing) investigation fields for rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_investigation_fields","value":["field1","field2"]}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"]}},"example19":{"description":"The following request sets a timeline template for the rules with the specified IDs. 
If the same timeline template is already set for a rule, no changes are made.","summary":"Edit - Set (overwrite existing) timeline template for rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_timeline","value":{"timeline_id":"3e827bab-838a-469f-bd1e-5e19a2bff2fd","timeline_title":"Alerts Involving a Single User Timeline"}}],"ids":["eacdfc95-e007-41c9-986e-4b2cbdfdc71b"]}},"example20":{"description":"The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made.","summary":"Edit - Set (overwrite existing) schedule for rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_schedule","value":{"interval":"1h","lookback":"30m"}}],"ids":["99887766-5544-3322-1100-aabbccddeeff"]}},"example21":{"description":"The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.","summary":"Edit - Add rule actions to rules (non-idempotent)","value":{"action":"edit","edit":[{"type":"add_rule_actions","value":{"actions":[{"group":"default","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"The message body"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191928"]}},"example22":{"description":"The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID.","summary":"Edit - Set (overwrite existing) rule actions for rules (non-idempotent)","value":{"action":"edit","edit":[{"type":"set_rule_actions","value":{"actions":[{"group":"default","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"The message body"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191928"]}},"example23":{"description":"The following request adds rule actions to the rules with the specified IDs. 
Each new action receives its own unique ID.","summary":"Edit - Add rule actions to rules for a webhook connector","value":{"action":"edit","edit":[{"type":"add_rule_actions","value":{"actions":[{"group":"default3","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"The message body"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191921"]}},"example24":{"description":"The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.","summary":"Edit - Add rule actions to rules for an email connector","value":{"action":"edit","edit":[{"type":"add_rule_actions","value":{"actions":[{"group":"default3","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"message":"The message body","subject":"Subject","to":"address@domain.com"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191921"]}},"example25":{"description":"The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.","summary":"Edit - Add rule actions to rules for a slack connector","value":{"action":"edit","edit":[{"type":"add_rule_actions","value":{"actions":[{"group":"default3","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"message":"The content of the message"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191921"]}},"example26":{"description":"The following request adds rule actions to the rules with the specified IDs. 
Each new action receives its own unique ID.","summary":"Edit - Add rule actions to rules for a PagerDuty connector","value":{"action":"edit","edit":[{"type":"add_rule_actions","value":{"actions":[{"group":"default3","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"eventAction":"trigger","severity":"critical","summary":"The message body","timestamp":"2023-10-31T00:00:00.000Z"}}]}}],"ids":["9e946bfc-3118-4c77-bb25-67d781191921"]}},"example27":{"description":"The following request sets alert suppression for the rules with the specified IDs.","summary":"Edit - Set alert suppression to rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_alert_suppression","value":{"duration":{"unit":"h","value":1},"group_by":["source.ip"],"missing_fields_strategy":"suppress"}}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"]}},"example28":{"description":"The following request sets alert suppression for the threshold rules with the specified IDs.","summary":"Edit - Set alert suppression to threshold rules (idempotent)","value":{"action":"edit","edit":[{"type":"set_alert_suppression_for_threshold","value":{"duration":{"unit":"h","value":1}}}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"]}},"example29":{"description":"The following request removes alert suppression from the rules with the specified IDs. 
If the rules do not have alert suppression, no changes are made.","summary":"Edit - Removes alert suppression from rules (idempotent)","value":{"action":"edit","edit":[{"type":"delete_alert_suppression"}],"ids":["12345678-1234-1234-1234-1234567890ab","87654321-4321-4321-4321-0987654321ba"]}},"example30":{"description":"The following request triggers the filling of gaps for the specified rule ids and time range","summary":"Fill Gaps - Manually trigger the filling of gaps for specified rules","value":{"action":"fill_gaps","ids":["748694f0-6977-4ea5-8384-cd2e39730779","164d0918-f720-4c9f-9f5c-c5122587cf19"],"run":{"end_date":"2025-03-10T23:59:59.999Z","start_date":"2025-03-01T00:00:00.000Z"}}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkDeleteRules"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkDisableRules"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkEnableRules"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkExportRules"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkDuplicateRules"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkManualRuleRun"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkManualRuleFillGaps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkEditRules"}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"example01":{"description":"In this response one rule was updated and one was skipped. 
Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason.","summary":"Successful response","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[{"id":"51658332-a15e-4c9e-912a-67214e2e2359","name":"Skipped rule","skip_reason":"RULE_NOT_MODIFIED"}],"updated":[{"anomaly_threshold":50,"author":["Elastic"],"created_at":"2022-02-21T14:14:13.801Z","created_by":"elastic","description":"A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.","enabled":true,"exceptions_list":[],"execution_summary":{"last_execution":{"date":"2022-03-23T16:06:12.787Z","message":"This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.","metrics":{"execution_gap_duration_s":0,"total_indexing_duration_ms":15,"total_search_duration_ms":135},"status":"partial failure","status_order":20}},"false_positives":["DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."],"from":"now-45m","id":"8bc7dad0-9320-11ec-9265-8b772383a08d","immutable":false,"interval":"15m","license":"Elastic License v2","machine_learning_job_id":["packetbeat_dns_tunneling_ea"],"max_signals":100,"name":"DNS Tunneling [Duplicate]","references":["https:\/\/www.elastic.co\/docs\/reference\/machine-learning\/ootb-ml-jobs-siem"],"related_integrations":[],"required_fields":[],"risk_score":21,"risk_score_mapping":[],"rule_id":"7289bf08-4e91-4c70-bf01-e04c4c5d7756","setup":"","severity":"low","severity_mapping":[],"tags":["Elastic","Network","Threat 
Detection","ML"],"threat":[],"to":"now","type":"machine_learning","updated_at":"2022-02-21T17:05:50.883Z","updated_by":"elastic","version":6}]},"summary":{"failed":0,"skipped":1,"succeeded":1,"total":2}},"rules_count":1,"success":true}},"example02":{"description":"If processing of any rule fails, a partial error outputs the ID and\/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request).","summary":"Partial failure","value":{"value":{"attributes":{"errors":[{"message":"Index patterns can't be added. Machine learning rule doesn't have index patterns property","rules":[{"id":"8bc7dad0-9320-11ec-9265-8b772383a08d","name":"DNS Tunneling [Duplicate]"}],"status_code":500}],"results":{"created":[],"deleted":[],"skipped":[],"updated":[{"actions":[],"author":["Elastic"],"created_at":"2022-02-21T14:14:17.883Z","created_by":"elastic","description":"Generates a detection alert for each external alert written to the configured indices. 
Enabling this rule allows you to immediately begin investigating external alerts in the app.","enabled":true,"exceptions_list":[],"execution_summary":{"last_execution":{"date":"2022-03-23T16:06:12.787Z","message":"This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.","metrics":{"execution_gap_duration_s":0,"total_indexing_duration_ms":15,"total_search_duration_ms":135},"status":"partial failure","status_order":20}},"false_positives":[],"from":"now-6m","id":"8e5c1a40-9320-11ec-9265-8b772383a08d","immutable":false,"index":["apm-*-transaction*","traces-apm*","auditbeat-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*","added-by-id-*"],"interval":"5m","language":"kuery","license":"Elastic License v2","max_signals":10000,"name":"External Alerts [Duplicate]","query":"event.kind:alert and not event.module:(endgame or endpoint)\n","references":[],"related_integrations":[],"required_fields":[],"risk_score":47,"risk_score_mapping":[{"field":"event.risk_score","operator":"equals","value":""}],"rule_id":"941faf98-0cdc-4569-b16d-4af962914d61","rule_name_override":"message","setup":"","severity":"medium","severity_mapping":[{"field":"event.severity","operator":"equals","severity":"low","value":"21"},{"field":"event.severity","operator":"equals","severity":"medium","value":"47"},{"field":"event.severity","operator":"equals","severity":"high","value":"73"},{"field":"event.severity","operator":"equals","severity":"critical","value":"99"}],"tags":["Elastic","Network","Windows","APM","macOS","Linux"],"threat":[],"timestamp_override":"event.ingested","to":"now","type":"query","updated_at":"2022-02-21T16:56:22.818Z","updated_by":"elastic","version":5}]},"summary":{"failed":1,"skipped":0,"succeeded":1,"total":2}},"message":"Bulk edit partially failed","rules_count":2,"status_code":500,"success":false}}},"example03":{"description":"The attributes.errors section of the response 
shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn\u2019t return results for rules that have been updated, created, or deleted.","summary":"Dry run","value":{"attributes":{"errors":[{"err_code":"IMMUTABLE","message":"Elastic rule can't be edited","rules":[{"id":"81aa0480-06af-11ed-94fb-dd1a0597d8d2","name":"Unusual AWS Command for a User"}],"status_code":500},{"err_code":"MACHINE_LEARNING_INDEX_PATTERN","message":"Machine learning rule doesn't have index patterns","rules":[{"id":"dc015d10-0831-11ed-ac8b-05a222bd8d4a","name":"Suspicious Powershell Script [Duplicate]"}],"status_code":500}],"results":{"created":[],"deleted":[],"skipped":[],"updated":[]},"summary":{"failed":2,"skipped":0,"succeeded":1,"total":3}},"message":"Bulk edit partially failed","status_code":500}},"example04":{"description":"This example presents the successful setting of tags for 2 rules. 
There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated.","summary":"Set tags successfully for 2 rules","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[],"updated":[{"actions":[],"author":[],"created_at":"2025-03-25T11:46:41.899Z","created_by":"elastic","description":"test","enabled":false,"exceptions_list":[],"false_positives":[],"filters":[],"from":"now-6m","id":"738112cd-6cfa-414a-8457-2a658845d6ba","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"interval":"5m","language":"kuery","license":"","max_signals":100,"meta":{"kibana_siem_app_url":"http:\/\/localhost:5601\/kbn\/app\/security"},"name":"Rule 1","output_index":"","query":"*","references":[],"related_integrations":[],"required_fields":[],"revision":1,"risk_score":21,"risk_score_mapping":[],"rule_id":"6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e","rule_source":{"type":"internal"},"setup":"","severity":"low","severity_mapping":[],"tags":["tag-1","tag-2"],"threat":[],"to":"now","type":"query","updated_at":"2025-03-25T11:47:11.350Z","updated_by":"elastic","version":2},{"actions":[{"action_type_id":".webhook","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"Hello"},"uuid":"580e2e16-5e91-411c-999b-7b75a11ed441"}],"author":[],"created_at":"2025-03-25T09:49:08.343Z","created_by":"elastic","description":"test","enabled":false,"exceptions_list":[],"false_positives":[],"filters":[],"from":"now-360s","id":"eacdfc95-e007-41c9-986e-4b2cbdfdc71b","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"interval":"3m","investigation_fields":{"field_names":["alert.status","Endpoint.policy
.applied.artifacts.global.channel"]},"language":"kuery","license":"","max_signals":100,"meta":{"from":"3m","kibana_siem_app_url":"http:\/\/localhost:5601\/kbn\/app\/security"},"name":"Rule 2","output_index":"","query":"*","references":[],"related_integrations":[],"required_fields":[],"revision":33,"risk_score":21,"risk_score_mapping":[],"rule_id":"43250a55-53a3-4ddd-96cb-82a1bd720180","rule_source":{"type":"internal"},"setup":"","severity":"low","severity_mapping":[],"tags":["tag-1","tag-2"],"threat":[],"timeline_id":"3e827bab-838a-469f-bd1e-5e19a2bff2fd","timeline_title":"Alerts Involving a Single User Timeline","to":"now","type":"query","updated_at":"2025-03-25T11:47:11.357Z","updated_by":"elastic","version":24}]},"summary":{"failed":0,"skipped":0,"succeeded":2,"total":2}},"rules_count":2,"success":true}},"example05":{"description":"This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them.","summary":"Idempotent behavior of set_tags","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[{"id":"eacdfc95-e007-41c9-986e-4b2cbdfdc71b","name":"Rule 1","skip_reason":"RULE_NOT_MODIFIED"},{"id":"738112cd-6cfa-414a-8457-2a658845d6ba","name":"Rule 2","skip_reason":"RULE_NOT_MODIFIED"}],"updated":[]},"summary":{"failed":0,"skipped":2,"succeeded":0,"total":2}},"rules_count":2,"success":true}},"example06":{"description":"This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. 
The rule that was skipped already had all the tags that were being added.","summary":"Idempotent behavior of add_tags","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[{"id":"738112cd-6cfa-414a-8457-2a658845d6ba","name":"Test Rule 2","skip_reason":"RULE_NOT_MODIFIED"}],"updated":[{"actions":[{"action_type_id":".webhook","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"Hello"},"uuid":"580e2e16-5e91-411c-999b-7b75a11ed441"}],"author":[],"created_at":"2025-03-25T09:49:08.343Z","created_by":"elastic","description":"test","enabled":false,"exceptions_list":[],"false_positives":[],"filters":[],"from":"now-360s","id":"eacdfc95-e007-41c9-986e-4b2cbdfdc71b","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"interval":"3m","investigation_fields":{"field_names":["alert.status","Endpoint.policy.applied.artifacts.global.channel"]},"language":"kuery","license":"","max_signals":100,"meta":{"from":"3m","kibana_siem_app_url":"http:\/\/localhost:5601\/kbn\/app\/security"},"name":"Test rule","output_index":"","query":"*","references":[],"related_integrations":[],"required_fields":[],"revision":34,"risk_score":21,"risk_score_mapping":[],"rule_id":"43250a55-53a3-4ddd-96cb-82a1bd720180","rule_source":{"type":"internal"},"setup":"","severity":"low","severity_mapping":[],"tags":["tag-1","tag-2","tag-4"],"threat":[],"timeline_id":"3e827bab-838a-469f-bd1e-5e19a2bff2fd","timeline_title":"Alerts Involving a Single User Timeline","to":"now","type":"query","updated_at":"2025-03-25T11:55:12.752Z","updated_by":"elastic","version":25}]},"summary":{"failed":0,"skipped":1,"succeeded":1,"total":2}},"rules_count":2,"success":true}},"example07":{"description":"This example shows a non-idempotent nature of the set_rule_actions requests. 
Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID.","summary":"Non-idempotent behavior for set_rule_actions","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[],"updated":[{"actions":[{"action_type_id":".webhook","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"20fbf986-a270-460e-80f3-7b83c08b430f","params":{"body":"Hello"},"uuid":"e48428e5-efac-4856-b8ad-b271c14eaa91"}],"author":[],"created_at":"2025-03-25T09:49:08.343Z","created_by":"elastic","description":"test","enabled":false,"exceptions_list":[],"false_positives":[],"filters":[],"from":"now-360s","id":"eacdfc95-e007-41c9-986e-4b2cbdfdc71b","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"interval":"3m","investigation_fields":{"field_names":["alert.status","Endpoint.policy.applied.artifacts.global.channel"]},"language":"kuery","license":"","max_signals":100,"meta":{"from":"3m","kibana_siem_app_url":"http:\/\/localhost:5601\/kbn\/app\/security"},"name":"Test rule","output_index":"","query":"*","references":[],"related_integrations":[],"required_fields":[],"revision":39,"risk_score":21,"risk_score_mapping":[],"rule_id":"43250a55-53a3-4ddd-96cb-82a1bd720180","rule_source":{"type":"internal"},"setup":"","severity":"low","severity_mapping":[],"tags":["tag-1","tag-2","tag-4"],"threat":[],"timeline_id":"3e827bab-838a-469f-bd1e-5e19a2bff2fd","timeline_title":"Alerts Involving a Single User Timeline","to":"now","type":"query","updated_at":"2025-03-25T12:17:40.528Z","updated_by":"elastic","version":30}]},"summary":{"failed":0,"skipped":0,"succeeded":1,"total":1}},"rules_count":1,"success":true}},"example08":{"description":"This example shows a non-idempotent nature of the add_rule_actions requests. 
Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID.","summary":"Non-idempotent behavior for add_rule_actions","value":{"attributes":{"results":{"created":[],"deleted":[],"skipped":[],"updated":[{"actions":[{"action_type_id":".webhook","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"76af173d-38d8-4a9a-b2cc-a3c695b845b4","params":{"body":"Message body"},"uuid":"0309347e-3954-429c-9168-5da2663389af"},{"action_type_id":".webhook","frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":null},"group":"default","id":"76af173d-38d8-4a9a-b2cc-a3c695b845b4","params":{"body":"Message body"},"uuid":"49ddaa94-d63d-410e-90dc-8c1bad9552bd"}],"author":[],"created_at":"2025-04-02T12:42:03.400Z","created_by":"elastic","description":"test","enabled":false,"exceptions_list":[],"false_positives":[],"filters":[],"from":"now-6m","id":"0d3eb0cd-88c4-4651-ac87-6d9f0cb87217","immutable":false,"index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"interval":"5m","language":"kuery","license":"","max_signals":100,"meta":{"kibana_siem_app_url":"http:\/\/localhost:5601\/kbn\/app\/security"},"name":"Jacek test 
rule","output_index":"","query":"*","references":[],"related_integrations":[],"required_fields":[],"revision":2,"risk_score":21,"risk_score_mapping":[],"rule_id":"2684c020-1370-4719-ac27-eafe6428fe10","rule_source":{"type":"internal"},"setup":"","severity":"low","severity_mapping":[],"tags":[],"threat":[],"to":"now","type":"query","updated_at":"2025-04-02T12:51:40.215Z","updated_by":"elastic","version":2}]},"summary":{"failed":0,"skipped":0,"succeeded":1,"total":1}},"rules_count":1,"success":true}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkEditActionResponse"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkExportActionResponse"}]}}},"description":"OK"}},"summary":"Apply a bulk action to detection rules","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/rules\/_export":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules\/_export<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nExport detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file:\n- Actions\n- Exception lists\n> info\n> Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. 
You must re-add missing connector details after importing detection rules.\n\n> You can use Kibana\u2019s [Saved Objects](https:\/\/www.elastic.co\/docs\/explore-analyze\/find-and-organize\/saved-objects) UI (Stack Management \u2192 Kibana \u2192 Saved Objects) or the Saved Objects APIs (experimental) to [export](https:\/\/www.elastic.co\/docs\/api\/doc\/kibana\/operation\/operation-exportsavedobjectsdefault) and [import](https:\/\/www.elastic.co\/docs\/api\/doc\/kibana\/operation\/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.\n\n> Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https:\/\/www.elastic.co\/docs\/solutions\/security\/detect-and-alert\/create-manage-value-lists) UI (Rules \u2192 Detection rules (SIEM) \u2192 Manage value lists) to export and import value lists separately.\n","operationId":"ExportRules","parameters":[{"description":"Determines whether a summary of the exported rules is returned.","in":"query","name":"exclude_export_details","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"File name for saving the exported rules.\n> info\n> When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.\n","in":"query","name":"file_name","required":false,"schema":{"default":"export.ndjson","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"exportByRuleIds":{"summary":"Request body to export a subset of rules","value":{"objects":[{"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"},{"rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"}]}}},"schema":{"nullable":true,"type":"object","properties":{"objects":{"description":"Array of objects with a rule's `rule_id` field. Do not use rule's `id` here. 
Exports all rules when unspecified.","items":{"type":"object","properties":{"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"}},"required":["rule_id"]},"type":"array"}},"required":["objects"]}}},"required":false},"responses":{"200":{"content":{"application\/ndjson":{"examples":{"sampleNdjson":{"value":"{\"rule_id\":\"343580b5-c811-447c-8d2d-2ccf052c6900\",\"name\":\"Example rule\",\"type\":\"query\",\"enabled\":true}\n{\"exception_list\":true}\n{\"export_summary\":{\"total_rules\":1,\"exceptions_count\":0}}\n"}},"schema":{"description":"An `.ndjson` file containing the returned rules.\n\nEach line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.\n","format":"binary","type":"string"}}},"description":"Indicates a successful call."}},"summary":"Export detection rules","tags":["Security Detections API"],"x-codeSamples":[{"lang":"cURL","source":"curl -X POST \"localhost:5601\/api\/detection_engine\/rules\/_export?exclude_export_details=true&file_name=exported_rules.ndjson\" -H 'kbn-xsrf: true' -H 'Content-Type: application\/json' -d'\n{\n  \"objects\": [\n    {\n      \"rule_id\":\"343580b5-c811-447c-8d2d-2ccf052c6900\"\n    },\n    {\n      \"rule_id\":\"2938c9fa-53eb-4c04-b79c-33cbf041b18d\"\n    }\n  ]\n}'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/rules\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve a paginated list of detection rules. 
By default, the first page is returned, with 20 results per page.","operationId":"FindRules","parameters":[{"description":"List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`).\nIf omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or\nuse comma-separated values when supported by your client.\n","in":"query","name":"fields","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Search query\n\nFilters the returned results according to the value of the specified field, using the alert.attributes.<field name>:<field value> syntax, where <field name> can be:\n- name\n- enabled\n- tags\n- createdBy\n- interval\n- updatedBy\n> info\n> Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter.\n","in":"query","name":"filter","required":false,"schema":{"type":"string"}},{"description":"Field to sort by","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_FindRulesSortField"}},{"description":"Sort order","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_SortOrder"}},{"description":"Page number","in":"query","name":"page","required":false,"schema":{"default":1,"minimum":1,"type":"integer"}},{"description":"Rules per page","in":"query","name":"per_page","required":false,"schema":{"default":20,"minimum":0,"type":"integer"}},{"description":"Gaps range start","in":"query","name":"gaps_range_start","required":false,"schema":{"type":"string"}},{"description":"Gaps range end","in":"query","name":"gaps_range_end","required":false,"schema":{"type":"string"}},{"description":"Gap fill 
statuses","in":"query","name":"gap_fill_statuses","required":false,"schema":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_GapFillStatus"},"type":"array"}},{"description":"Gap auto fill scheduler ID used to determine gap fill status for rules","in":"query","name":"gap_auto_fill_scheduler_id","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"example1":{"value":{"data":[{"created_at":"2020-02-02T10:05:19.613Z","created_by":"elastic","description":"Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.","enabled":false,"execution_summary":{"last_execution":{"date":"2022-03-23T16:06:12.787Z","message":"This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.","metrics":{"execution_gap_duration_s":0,"total_indexing_duration_ms":15,"total_search_duration_ms":135},"status":"partial failure","status_order":20}},"false_positives":[],"from":"now-6m","id":"89761517-fdb0-4223-b67b-7621acc48f9e","immutable":true,"index":["winlogbeat-*"],"interval":"5m","language":"kuery","max_signals":33,"name":"Windows Script Executing PowerShell","query":"event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"","references":[],"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"ecs":true,"name":"event.action","type":"keyword"},{"ecs":true,"name":"process.name","type":"keyword"},{"ecs":true,"name":"process.parent.name","type":"keyword"}],"risk_score":21,"rule_id":"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc","setup":"","severity":"low","tags":["Elastic","Windows"],"threat":[{"framework":"MITRE 
ATT&CK","tactic":{"id":"TA0002","name":"Execution","reference":"https:\/\/attack.mitre.org\/tactics\/TA0002\/"},"technique":[{"id":"T1193","name":"Spearphishing Attachment","reference":"https:\/\/attack.mitre.org\/techniques\/T1193\/"}]}],"to":"now","type":"query","updated_at":"2020-02-02T10:05:19.830Z","updated_by":"elastic"}],"page":1,"perPage":5,"total":4}}},"schema":{"type":"object","properties":{"data":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleResponse"},"type":"array"},"page":{"type":"integer"},"perPage":{"type":"integer"},"total":{"type":"integer"},"warnings":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_WarningSchema"},"type":"array"}},"required":["page","perPage","total","data"]}}},"description":"Successful response\n> info\n> These fields are under development and their usage or schema may change: execution_summary.\n"}},"summary":"List all detection rules","tags":["Security Detections API"],"x-codeSamples":[{"lang":"cURL","source":"curl -X GET \"localhost:5601\/api\/detection_engine\/rules\/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows\" -H 'kbn-xsrf: true'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/rules\/_import":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules\/_import<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nImport detection rules from an `.ndjson` file, including actions and exception lists. 
The request must include:\n- The `Content-Type: multipart\/form-data` HTTP header.\n- A link to the `.ndjson` file containing the rules.\n> warn\n> When used with [API key](https:\/\/www.elastic.co\/docs\/deploy-manage\/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.\n\n> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.\n> info\n> To import rules with actions, you need at least Read privileges for the Actions and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don\u2019t need Actions and Connectors privileges. Refer to [Enable and access detections](https:\/\/www.elastic.co\/docs\/solutions\/security\/detect-and-alert\/detections-privileges) for more information.\n\n> info\n> Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.\n\n> You can use Kibana\u2019s [Saved Objects](https:\/\/www.elastic.co\/docs\/explore-analyze\/find-and-organize\/saved-objects) UI (Stack Management \u2192 Kibana \u2192 Saved Objects) or the Saved Objects APIs (experimental) to [export](https:\/\/www.elastic.co\/docs\/api\/doc\/kibana\/operation\/operation-exportsavedobjectsdefault) and [import](https:\/\/www.elastic.co\/docs\/api\/doc\/kibana\/operation\/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.\n\n> Similarly, any value lists used for rule exceptions are not included in rule exports or imports. 
Use the [Manage value lists](https:\/\/www.elastic.co\/docs\/solutions\/security\/detect-and-alert\/create-manage-value-lists) UI (Rules \u2192 Detection rules (SIEM) \u2192 Manage value lists) to export and import value lists separately.\n","operationId":"ImportRules","parameters":[{"description":"Determines whether existing rules with the same `rule_id` are overwritten.","in":"query","name":"overwrite","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten.","in":"query","name":"overwrite_exceptions","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten.","in":"query","name":"overwrite_action_connectors","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Generates a new list ID for each imported exception list.","in":"query","name":"as_new_list","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"multipart\/form-data":{"examples":{"rulesFile":{"summary":"Multipart part containing a rule export","value":{"file":"rules_import.ndjson"}}},"schema":{"type":"object","properties":{"file":{"description":"The `.ndjson` file containing the rules.","format":"binary","type":"string"}}}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"example1":{"summary":"Import rules with 
success","value":{"errors":[],"exceptions_errors":[],"exceptions_success":true,"exceptions_success_count":0,"rules_count":1,"success":true,"success_count":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"action_connectors_errors":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ErrorSchema"},"type":"array"},"action_connectors_success":{"type":"boolean"},"action_connectors_success_count":{"minimum":0,"type":"integer"},"action_connectors_warnings":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_WarningSchema"},"type":"array"},"errors":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ErrorSchema"},"type":"array"},"exceptions_errors":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ErrorSchema"},"type":"array"},"exceptions_success":{"type":"boolean"},"exceptions_success_count":{"minimum":0,"type":"integer"},"rules_count":{"minimum":0,"type":"integer"},"success":{"type":"boolean"},"success_count":{"minimum":0,"type":"integer"}},"required":["exceptions_success","exceptions_success_count","exceptions_errors","rules_count","success","success_count","errors","action_connectors_errors","action_connectors_warnings","action_connectors_success","action_connectors_success_count"]}}},"description":"Indicates a successful call."}},"summary":"Import detection rules","tags":["Security Detections API"],"x-codeSamples":[{"lang":"cURL","source":"curl -X POST \"<KibanaURL>\/api\/detection_engine\/rules\/_import\" \\\n  -u <username>:<password> -H 'kbn-xsrf: true' \\\n  -H 'Content-Type: multipart\/form-data' \\\n  --form \"file=@<link to file>\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/rules\/{id}\/exceptions":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules\/{id}\/exceptions<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate exception items that apply to a single detection rule.","operationId":"CreateRuleExceptionListItems","parameters":[{"description":"Detection rule's identifier","examples":{"id":{"value":"330bdd28-eedf-40e1-bed0-f10176c7f9e0"}},"in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UUID"}}],"requestBody":{"content":{"application\/json":{"examples":{"addItems":{"value":{"items":[{"description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"type":"simple"}]}}},"schema":{"example":{"items":[{"description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"type":"simple"}]},"type":"object","properties":{"items":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateRuleExceptionListItemProps"},"type":"array"}},"required":["items"]}}},"description":"Rule exception items.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ruleExceptionItems":{"value":[{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type 
exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}]}},"schema":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItem"},"type":"array"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badPayload":{"value":{"error":"Bad Request","message":"Invalid request payload JSON format","statusCode":400}},"badRequest":{"value":{"error":"Bad Request","message":"[request params]: id: Invalid uuid","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"message":"Unable to create exception-list","status_code":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges 
response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create rule exception items","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/rules\/preview":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/rules\/preview<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSimulates a detection rule using the same rule type and query logic as a persisted rule, over a short\ntime window, without persisting a rule or writing alerts. Use the response to validate queries, see sample\nmatching documents, and inspect execution logs. 
Pair `invocationCount` and `timeframeEnd` to cap run time.\n","operationId":"RulePreview","parameters":[{"description":"Enables logging of the Elasticsearch queries performed during rule execution and returns them in the response","in":"query","name":"enable_logged_requests","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"queryRule":{"value":{"description":"Find matching events","from":"now-24h","index":["logs-*"],"invocationCount":1,"language":"kuery","max_signals":20,"name":"Rule preview","query":"process.name : *","risk_score":25,"severity":"low","timeframeEnd":"2025-01-20T12:00:00.000Z","to":"now","type":"query"}}},"schema":{"anyOf":[{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_RulePreviewParams"}]},{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleCreateProps"},{"$ref":"#\/component
s\/schemas\/Security_Detections_API_RulePreviewParams"}]}],"discriminator":{"propertyName":"type"}}}},"description":"Rule create payload (same shape as `POST \/api\/detection_engine\/rules` for a given `type`) plus\n`invocationCount` and `timeframeEnd` to control how the preview is executed. Optional\n`enable_logged_requests` surfaces Elasticsearch request logging for debugging.\n","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"success":{"value":{"isAborted":false,"logs":[{"duration":45,"errors":[],"requests":[],"startedAt":"2025-01-20T10:00:00.000Z","warnings":[]}],"previewId":"7f1c9d1e-4c8a-4a3e-9a5d-0d4f6e1b2a90"}}},"schema":{"type":"object","properties":{"isAborted":{"type":"boolean"},"logs":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RulePreviewLogs"},"type":"array"},"previewId":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"}},"required":["logs"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body].timeframeEnd: expected string, received null","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication 
response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Preview rule alerts generated on specified time range","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/signals\/assignees":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/signals\/assignees<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nAssign users to detection alerts, and unassign them from alerts.\n> info\n> You cannot add and remove the same assignee in the same request.\n","operationId":"SetAlertAssignees","requestBody":{"content":{"application\/json":{"examples":{"add":{"$ref":"#\/components\/examples\/Security_Detections_API_SetAlertAssigneesBodyAdd"},"remove":{"$ref":"#\/components\/examples\/Security_Detections_API_SetAlertAssigneesBodyRemove"}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetAlertAssigneesBody"}}},"description":"User profile IDs to add or remove on each listed alert document ID.","required":true},"responses":{"200":{"content":{"application\/json":{"description":"Elasticsearch update by query or update by IDs response","examples":{"add":{"value":{"batches":1,"deleted":0,"failures":[],"noops":0,"requests_per_second":-1,"retries":{"bulk":0,"search":0},"throttled_millis":0,"throttled_until_millis":0,"timed_out":false,"took":76,"total":1,"updated":1,"version_conflicts":0}}}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad 
Request","message":"[request body].ids: at least one alert id is required to update assignees","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/detection_engine\/signals\/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Assign and unassign users from detection alerts","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/signals\/search":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/signals\/search<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFind and\/or aggregate detection alerts that match the given query.","operationId":"SearchAlerts","requestBody":{"content":{"application\/json":{"examples":{"query":{"value":{"aggs":{"alertsByGrouping":{"terms":{"field":"host.name","size":10}},"missingFields":{"missing":{"field":"host.name"}}},"query":{"bool":{"filter":[{"bool":{"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}}],"must":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}],"should":[]}},{"range":{"@timestamp":{"gte":"2025-01-17T08:00:00.000Z","lte":"2025-01-18T07:59:59.999Z"}}}]}},"runtime_mappings":{},"size":0}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryAlertsBodyParams","description":"Elasticsearch query and aggregation request"}}},"description":"Search and\/or aggregation query","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"success":{"value":{"_shards":{"failed":0,"skipped":0,"successful":1,"total":1},"aggregations":{"alertsByGrouping":{"buckets":[{"doc_count":5,"key":"Host-f43kkddfyc"}],"doc_count_error_upper_bound":0,"sum_other_doc_count":0},"missingFields":{"doc_count":0}},"hits":{"hits":[],"max_score":null,"total":{"relation":"eq","value":5}},"timed_out":false,"took":0}}},"schema":{"additionalProperties":true,"description":"Elasticsearch search response","type":"object"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"Failed to parse search request: unknown query clause in bool 
filter","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Find and\/or aggregate detection alerts","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/signals\/status":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/signals\/status<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSet the status of one or more detection 
alerts.","operationId":"SetAlertsStatus","requestBody":{"content":{"application\/json":{"examples":{"byId":{"value":{"signal_ids":["80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"],"status":"closed"}},"byQuery":{"value":{"conflicts":"proceed","query":{"bool":{"filter":[{"@timestamp":{"format":"strict_date_optional_time","gte":"2024-10-23T07:00:00.000Z","lte":"2025-01-21T20:12:11.704Z"},"range":null},{"bool":{"filter":{"bool":{"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}},{"@timestamp":{"format":"strict_date_optional_time","gte":"2024-10-23T07:00:00.000Z","lte":"2025-01-21T20:12:11.704Z"},"range":null}],"must":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}],"should":[]}}}}],"must":[],"must_not":[],"should":[]}},"status":"closed"}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_SetAlertsStatusByIds"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SetAlertsStatusByQuery"}]}}},"description":"An object containing desired status and explicit alert ids or a query to select alerts","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"byId":{"value":{"batches":1,"deleted":0,"failures":[],"noops":0,"requests_per_second":-1,"retries":{"bulk":0,"search":0},"throttled_millis":0,"throttled_until_millis":0,"timed_out":false,"took":81,"total":1,"updated":1,"version_conflicts":0}},"byQuery":{"value":{"batches":1,"deleted":0,"failures":[],"noops":0,"requests_per_second":-1,"retries":{"bulk":0,"search":0},"throttled_millis":0,"throttled_until_millis":0,"timed_out":false,"took":100,"total":17,"updated":17,"version_conflicts":0}}},"schema":{"additionalProperties":true,"description":"Elasticsearch update by query response","type":"object"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body].signal_ids: at least one alert id is required to update 
status","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Set a detection alert status","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/signals\/tags":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/signals\/tags<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nAdd tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request.\n> info\n> You cannot add and remove the same alert tag in the same 
request.\n","operationId":"SetAlertTags","requestBody":{"content":{"application\/json":{"examples":{"add":{"$ref":"#\/components\/examples\/Security_Detections_API_SetAlertTagsBodyAdd"},"remove":{"$ref":"#\/components\/examples\/Security_Detections_API_SetAlertTagsBodyRemove"}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetAlertTagsBody"}}},"description":"An object containing the tags to add or remove and the alert ids the changes will be applied to","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"success":{"value":{"batches":"1,","deleted":"0,","failures":[],"noops":"0,","requests_per_second":"-1,","retries":{"bulk":"0,","search":0},"throttled_millis":"0,","throttled_until_millis":"0,","timed_out":"false,","took":"68,","total":"1,","updated":"1,","version_conflicts":"0,"}}},"schema":{"additionalProperties":true,"description":"Elasticsearch update by query response","type":"object"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body].tags: cannot add and remove the same tag in a single request","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication 
response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Add and remove detection alert tags","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/detection_engine\/tags":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/detection_engine\/tags<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all unique tags from all detection rules.","operationId":"ReadTags","responses":{"200":{"content":{"application\/json":{"examples":{"example1":{"value":["zeek","suricata","windows","linux","network","initial access","remote access","phishing"]}},"schema":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"}}},"description":"Indicates a successful call"}},"summary":"List all detection rule tags","tags":["Security Detections API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint_list":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint_list<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. 
If the Elastic Endpoint exception list already exists, your request will return an empty response.","operationId":"CreateEndpointList","responses":{"200":{"content":{"application\/json":{"examples":{"alreadyExists":{"summary":"Endpoint exception list already exists (empty response)","value":{}},"newList":{"summary":"Endpoint exception list created","value":{"created_at":"2025-01-01T00:00:00.000Z","created_by":"elastic","description":"Endpoint Security Exception List","id":"2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b","immutable":false,"list_id":"endpoint_list","name":"Endpoint Security Exception List","namespace_type":"agnostic","os_types":[],"tags":[],"tie_breaker_id":"e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e","type":"endpoint","updated_at":"2025-01-01T00:00:00.000Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_EndpointList"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"500":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Create an Elastic Endpoint rule exception list","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/endpoint_list\/items":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint_list\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.","operationId":"DeleteEndpointListItem","parameters":[{"description":"Either `id` or `item_id` must be specified","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemId"}},{"description":"Either `id` or `item_id` must be specified","in":"query","name":"item_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleted":{"summary":"Deleted endpoint exception list item","value":{"comments":[],"created_at":"2025-01-01T12:00:00.000Z","created_by":"elastic","description":"Blocks a known malicious file by its hash","entries":[{"field":"file.hash.sha256","operator":"included","type":"match","value":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],"id":"d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e","item_id":"block-malicious-file","list_id":"endpoint_list","name":"Block malicious file","namespace_type":"agnostic","os_types":["windows"],"tags":[],"tie_breaker_id":"f1e2d3c4-b5a6-7890-abcd-ef1234567890","type":"simple","updated_at":"2025-01-01T12:00:00.000Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItem"}}},"description":"Successful 
response"},"400":{"content":{"application\/json":{"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Endpoint list item not found"},"500":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Delete an Elastic Endpoint exception list item","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint_list\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.","operationId":"ReadEndpointListItem","parameters":[{"description":"Either `id` or `item_id` must be specified","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemId"}},{"description":"Either `id` or `item_id` must be 
specified","in":"query","name":"item_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"item":{"summary":"Endpoint exception list item","value":{"comments":[],"created_at":"2025-01-01T12:00:00.000Z","created_by":"elastic","description":"Blocks a known malicious file by its hash","entries":[{"field":"file.hash.sha256","operator":"included","type":"match","value":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],"id":"d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e","item_id":"block-malicious-file","list_id":"endpoint_list","name":"Block malicious file","namespace_type":"agnostic","os_types":["windows"],"tags":["policy:all"],"tie_breaker_id":"f1e2d3c4-b5a6-7890-abcd-ef1234567890","type":"simple","updated_at":"2025-01-01T12:00:00.000Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Endpoint list item not 
found"},"500":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Get an Elastic Endpoint rule exception list item","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint_list\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list.","operationId":"CreateEndpointListItem","requestBody":{"content":{"application\/json":{"examples":{"matchAny":{"summary":"Exclude multiple process names","value":{"description":"Exclude common security tools from endpoint protection","entries":[{"field":"process.name","operator":"included","type":"match_any","value":["scanner.exe","updater.exe"]}],"name":"Trusted security tools","os_types":["windows"],"type":"simple"}},"simpleMatch":{"summary":"Block a specific file hash","value":{"description":"Blocks a known malicious file by its hash","entries":[{"field":"file.hash.sha256","operator":"included","type":"match","value":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],"name":"Block malicious 
file","os_types":["windows"],"tags":["policy:all"],"type":"simple"}}},"schema":{"type":"object","properties":{"comments":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray","default":[]},"description":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray"},"item_id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId"},"meta":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemName"},"os_types":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemTags","default":[]},"type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemType"}},"required":["type","name","description","entries"]}}},"description":"Exception list item's properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"created":{"summary":"Endpoint exception list item created","value":{"comments":[],"created_at":"2025-01-01T12:00:00.000Z","created_by":"elastic","description":"Blocks a known malicious file by its hash","entries":[{"field":"file.hash.sha256","operator":"included","type":"match","value":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],"id":"d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e","item_id":"block-malicious-file","list_id":"endpoint_list","name":"Block malicious 
file","namespace_type":"agnostic","os_types":["windows"],"tags":["policy:all"],"tie_breaker_id":"f1e2d3c4-b5a6-7890-abcd-ef1234567890","type":"simple","updated_at":"2025-01-01T12:00:00.000Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"409":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Endpoint list item already exists"},"500":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Create an Elastic Endpoint rule exception list item","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint_list\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an Elastic Endpoint exception list item, specified by the `id` or `item_id` 
field.","operationId":"UpdateEndpointListItem","requestBody":{"content":{"application\/json":{"examples":{"updateName":{"summary":"Update an endpoint exception list item","value":{"description":"Updated description for the exception","entries":[{"field":"file.hash.sha256","operator":"included","type":"match","value":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],"item_id":"block-malicious-file","name":"Block malicious file (updated)","os_types":["windows","linux"],"type":"simple"}}},"schema":{"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version.","type":"string"},"comments":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray","default":[]},"description":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray"},"id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemId","description":"Either `id` or `item_id` must be specified"},"item_id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId","description":"Either `id` or `item_id` must be specified"},"meta":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemName"},"os_types":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemTags"},"type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemType"}},"required":["type","name","description","entries"]}}},"description":"Exception list item's 
properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"updated":{"summary":"Endpoint exception list item updated","value":{"comments":[],"created_at":"2025-01-01T12:00:00.000Z","created_by":"elastic","description":"Updated description for the exception","entries":[{"field":"file.hash.sha256","operator":"included","type":"match","value":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],"id":"d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e","item_id":"block-malicious-file","list_id":"endpoint_list","name":"Block malicious file (updated)","namespace_type":"agnostic","os_types":["windows","linux"],"tags":["policy:all"],"tie_breaker_id":"f1e2d3c4-b5a6-7890-abcd-ef1234567890","type":"simple","updated_at":"2025-01-15T09:30:00.000Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Endpoint list item not found"},"500":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Update an Elastic Endpoint rule exception list 
item","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint_list\/items\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint_list\/items\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all Elastic Endpoint exception list items.","operationId":"FindEndpointListItems","parameters":[{"description":"Filters the returned results according to the value of the specified field,\nusing the `<field name>:<field value>` syntax.\n","in":"query","name":"filter","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"}},{"description":"The page number to return","in":"query","name":"page","required":false,"schema":{"minimum":0,"type":"integer"}},{"description":"The number of exception list items to return per page","in":"query","name":"per_page","required":false,"schema":{"minimum":0,"type":"integer"}},{"description":"Determines which field is used to sort the results","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"}},{"description":"Determines the sort order, which can be `desc` or `asc`","in":"query","name":"sort_order","required":false,"schema":{"enum":["desc","asc"],"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"foundItems":{"summary":"Found endpoint exception list items","value":{"data":[{"comments":[],"created_at":"2025-01-01T12:00:00.000Z","created_by":"elastic","description":"Blocks a known malicious file by its 
hash","entries":[{"field":"file.hash.sha256","operator":"included","type":"match","value":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}],"id":"d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e","item_id":"block-malicious-file","list_id":"endpoint_list","name":"Block malicious file","namespace_type":"agnostic","os_types":["windows"],"tags":["policy:all"],"tie_breaker_id":"f1e2d3c4-b5a6-7890-abcd-ef1234567890","type":"simple","updated_at":"2025-01-01T12:00:00.000Z","updated_by":"elastic"}],"page":1,"per_page":20,"total":1}}},"schema":{"type":"object","properties":{"data":{"description":"The list of endpoint exception list items.","items":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItem"},"type":"array"},"page":{"description":"The current page number.","minimum":0,"type":"integer"},"per_page":{"description":"The number of items per page.","minimum":0,"type":"integer"},"pit":{"description":"The point-in-time ID for pagination.","type":"string"},"total":{"description":"The total number of endpoint exception list items.","minimum":0,"type":"integer"}},"required":["data","page","per_page","total"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_PlatformErrorResponse"}}},"description":"Insufficient privileges"},"404":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Endpoint list 
not found"},"500":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error"}},"summary":"Get Elastic Endpoint exception list items","tags":["Security Endpoint Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all response actions.","operationId":"EndpointGetActionsList","parameters":[{"in":"query","name":"page","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Page"}},{"in":"query","name":"pageSize","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PageSize"}},{"in":"query","name":"commands","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Commands"}},{"in":"query","name":"agentIds","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentIds"}},{"in":"query","name":"userIds","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_UserIds"}},{"in":"query","name":"startDate","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_StartDate"}},{"in":"query","name":"endDate","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndDate"}},{"in":"query","name":"agentTypes","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"}},{"in":"query","name":"withOutputs","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endp
oint_Management_API_WithOutputs"}},{"in":"query","name":"types","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Types"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_GetEndpointActionListResponse"}}},"description":"Indicates a successful call."}},"summary":"Get response actions","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action_status":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action_status<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the status of response actions for the specified agent IDs.","operationId":"EndpointGetActionsStatus","parameters":[{"description":"A list of agent IDs to get the action status for.","in":"query","name":"agent_ids","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentIds"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ActionStatusSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Get response actions status","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/{action_id}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/{action_id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of a 
response action using the action ID.","operationId":"EndpointGetActionsDetails","parameters":[{"in":"path","name":"action_id","required":true,"schema":{"description":"The ID of the action to retrieve.","example":"fr518850-681a-4y60-aa98-e22640cae2b8","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ActionDetailsResponse"}}},"description":"OK"}},"summary":"Get action details","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/{action_id}\/file\/{file_id}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/{action_id}\/file\/{file_id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet information for the specified response action file download.\n","operationId":"EndpointFileInfo","parameters":[{"description":"The ID of the response action that generated the file.","in":"path","name":"action_id","required":true,"schema":{"type":"string"}},{"description":"The file identifier is constructed in one of two ways:\n- For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator:\n`{file_id}` = `{action_id}.{agent_id}`\n- For all other agent types: the `file_id` is the `agent_id` to which the response action was sent.\n","in":"path","name":"file_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"properties":{"data":{"type":"object","properties":{"actionId":{"description":"The response action ID.","type":"string"},"agentId":{"description":"The agent ID that generated the file.","type":"string"},"agentType":{"description":"The 
type of agent that generated the file.","type":"string"},"created":{"description":"The date and time the file was created.","format":"date-time","type":"string"},"id":{"description":"The unique file identifier.","type":"string"},"mimeType":{"description":"The MIME type of the file.","type":"string"},"name":{"description":"The file name.","type":"string"},"size":{"description":"The file size in bytes.","type":"number"},"status":{"description":"The file upload status.","enum":["AWAITING_UPLOAD","UPLOADING","READY","UPLOAD_ERROR","DELETED"],"type":"string"}}}}}}},"description":"Indicates a successful call."}},"summary":"Get file information","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/{action_id}\/file\/{file_id}\/download":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/{action_id}\/file\/{file_id}\/download<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDownload a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment.\n> info\n> Files retrieved from third-party-protected hosts require a different password. 
Refer to [Third-party response actions](https:\/\/www.elastic.co\/docs\/solutions\/security\/endpoint-response-actions\/third-party-response-actions) for your system's password.\n","operationId":"EndpointFileDownload","parameters":[{"description":"The ID of the response action that generated the file.","in":"path","name":"action_id","required":true,"schema":{"type":"string"}},{"description":"The file identifier is constructed in one of two ways:\n- For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator:\n`{file_id}` = `{action_id}.{agent_id}`\n- For all other agent types: the `file_id` is the `agent_id` to which the response action was sent.\n","in":"path","name":"file_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/octet-stream":{"schema":{"format":"binary","type":"string"}}},"description":"Indicates a successful call."}},"summary":"Download a file","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/cancel":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/cancel<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCancel a running or pending response action (applies only to some agent types).","operationId":"CancelAction","requestBody":{"content":{"application\/json":{"examples":{"MicrosoftDefenderEndpoint":{"summary":"Cancel a response action on a Microsoft Defender for Endpoint host","value":{"agent_type":"microsoft_defender_endpoint","comment":"Cancelling action due to change in 
requirements","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"id":"7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_CancelRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"CancelSuccess":{"summary":"Cancel action successfully created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"microsoft_defender_endpoint","command":"cancel","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"id":"7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d"},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Cancel a response action","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/execute":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/execute<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRun a shell command on an endpoint.","operationId":"EndpointExecuteAction","requestBody":{"content":{"application\/json":{"examples":{"executeCommand":{"summary":"Execute a shell command on an endpoint","value":{"comment":"Get list of all files","endpoint_ids":["b3d6de74-36b0-4fa8-be46-c375bf1771bf"],"parameters":{"command":"ls 
-al","timeout":600}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ExecuteRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ExecuteSuccess":{"summary":"Execute action successfully created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"execute","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"9f934028-2300-4927-b531-b26376793dc4","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"command":"ls -al","timeout":600},"startedAt":"2023-07-28T18:43:27.362Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Run a command","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/get_file":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/get_file<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a file from an endpoint.","operationId":"EndpointGetFileAction","requestBody":{"content":{"application\/json":{"examples":{"getFile":{"summary":"Get a specific file from an endpoint","value":{"comment":"Get my 
file","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"path":"\/usr\/my-file.txt"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_GetFileRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"GetFileSuccess":{"summary":"Get file action successfully created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"get-file","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"27ba1b42-7cc6-4e53-86ce-675c876092b2","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"path":"\/usr\/my-file.txt"},"startedAt":"2023-07-28T19:00:03.911Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Get a file","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/isolate":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/isolate<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nIsolate an endpoint from the network. 
The endpoint remains isolated until it's released.","operationId":"EndpointIsolateAction","requestBody":{"content":{"application\/json":{"examples":{"multiple_endpoints":{"summary":"Isolates several hosts; includes a comment","value":{"comment":"Locked down, pending further investigation","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}},"single_endpoint":{"summary":"Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8","value":{"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}},"with_case_id":{"summary":"Isolates a single host with a case_id value of 1234","value":{"case_ids":["4976be38-c134-4554-bd5e-0fd89ce63667"],"comment":"Isolating as initial response","endpoint_ids":["1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0","b30a11bf-1395-4707-b508-fbb45ef9793e"]}}},"schema":{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. 
Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"IsolateSuccess":{"summary":"Isolate action successfully created","value":{"action":"233db9ea-6733-4849-9226-5a7039c7161d","data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"isolate","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_IsolateRouteResponse"}}},"description":"Indicates a successful call."}},"summary":"Isolate an endpoint","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/kill_process":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/kill_process<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nTerminate a running process on an endpoint.","operationId":"EndpointKillProcessAction","requestBody":{"content":{"application\/json":{"examples":{"byEntityId":{"summary":"Terminate a process by 
entity ID","value":{"comment":"Terminating malicious process","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"entity_id":"abc123"}}},"byPid":{"summary":"Terminate a process by PID","value":{"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"pid":1234}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_KillProcessRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"KillProcessSuccess":{"summary":"Kill process action successfully created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"kill-process","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"entity_id":"abc123"},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Terminate a process","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/memory_dump":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/memory_dump<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGenerates memory dumps on the targeted host.","operationId":"EndpointGenerateMemoryDump","requestBody":{"content":{"application\/json":{"examples":{"ProcessMemoryDump":{"summary":"Generate a memory dump from 
the host machine","value":{"agent_type":"endpoint","comment":"Generating memory dump for investigation","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"entity_id":"abc123","type":"process"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_MemoryDumpRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"MemoryDumpSuccessResponse":{"summary":"Memory dump action successfully created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"memory-dump","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"entity_id":"abc123","type":"process"},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Generate a memory dump from the host machine","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/running_procs":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/running_procs<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all processes running on an endpoint.","operationId":"EndpointGetProcessesAction","requestBody":{"content":{"application\/json":{"examples":{"singleEndpoint":{"summary":"Get running processes on a single 
endpoint","value":{"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_GetProcessesRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"RunningProcsSuccess":{"summary":"Running processes action successfully created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"running-processes","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Get running processes","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/runscript":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/runscript<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRun a script on a host. 
Currently supported only for some agent types.","operationId":"RunScriptAction","requestBody":{"content":{"application\/json":{"examples":{"MDE":{"description":"Microsoft Defender Endpoint runscript","summary":"Run a script against a Microsoft Defender Endpoint agent","value":{"agent_type":"microsoft_defender_endpoint","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"args":"-param1 value1 -param2 value2","scriptName":"my-script.ps1"}}},"SentinelOne":{"description":"SentinelOne runscript","summary":"Run a script against a SentinelOne agent","value":{"agent_type":"sentinel_one","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"scriptId":"1111-2222-3333-4444-5555-6666-7777-8888","scriptInput":"--delete --paths-to-delete \/tmp\/temp_file.txt,\/tmp\/random_file.txt"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_RunScriptRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"RunScriptSuccess":{"summary":"Run script action successfully created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"sentinel_one","command":"runscript","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"scriptId":"1111-2222-3333-4444-5555-6666-7777-8888"},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Run a script","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/scan":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/scan<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nScan a specific file or directory on an endpoint for malware.","operationId":"EndpointScanAction","requestBody":{"content":{"application\/json":{"examples":{"scanFile":{"summary":"Scan a file on an endpoint","value":{"comment":"Scan the file for malware","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"path":"\/usr\/my-file.txt"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ScanRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ScanSuccess":{"summary":"Scan action successfully created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"scan","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"27ba1b42-7cc6-4e53-86ce-675c876092b2","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"path":"\/usr\/my-file.txt"},"startedAt":"2023-07-28T19:00:03.911Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Scan a file or directory","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/state":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/state<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a response actions state, which reports whether encryption is enabled.","operationId":"EndpointGetActionsState","responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ActionStateSuccessResponse"}}},"description":"OK"}},"summary":"Get actions state","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/suspend_process":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/suspend_process<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSuspend a running process on an endpoint.","operationId":"EndpointSuspendProcessAction","requestBody":{"content":{"application\/json":{"examples":{"byEntityId":{"summary":"Suspend a process by entity ID","value":{"comment":"Suspending suspicious process","endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"entity_id":"abc123"}}},"byPid":{"summary":"Suspend a process by PID","value":{"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"],"parameters":{"pid":1234}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"SuspendProcessSuccess":{"summary":"Suspend process action successfully 
created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"suspend-process","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"entity_id":"abc123"},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Suspend a process","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/unisolate":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/unisolate<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRelease an isolated endpoint, allowing it to rejoin a network.","operationId":"EndpointUnisolateAction","requestBody":{"content":{"application\/json":{"examples":{"multipleHosts":{"summary":"Releases several hosts; includes a comment:","value":{"comment":"Benign process identified, releasing group","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}},"singleHost":{"summary":"Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8","value":{"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}},"withCaseId":{"summary":"Releases hosts with an associated case; includes a 
comment.","value":{"case_ids":["4976be38-c134-4554-bd5e-0fd89ce63667"],"comment":"Remediation complete, restoring network","endpoint_ids":["1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0","b30a11bf-1395-4707-b508-fbb45ef9793e"]}}},"schema":{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"UnisolateSuccess":{"summary":"Unisolate action successfully created","value":{"action":"233db9ea-6733-4849-9226-5a7039c7161d","data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"unisolate","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_UnisolateRouteResponse"}}},"description":"Indicates a 
successful call."}},"summary":"Release an isolated endpoint","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/action\/upload":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/action\/upload<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpload a file to an endpoint.","operationId":"EndpointUploadAction","requestBody":{"content":{"multipart\/form-data":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_UploadRouteRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"UploadSuccess":{"summary":"Upload action successfully created","value":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"endpoint","command":"upload","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"Host-5i6cuc8kdv"}},"id":"9ff6aebc-2cb6-481e-8869-9b30036c9731","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{"file_id":"10e4ce3d-4abb-4f93-a0cd-eaf63a489280","file_name":"fix-malware.sh","file_sha256":"a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a","file_size":69},"startedAt":"2023-07-03T15:07:22.837Z","status":"pending","wasSuccessful":false}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Upload a file","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/metadata":{"get":{"description":"**Spaces method and path for this 
operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/metadata<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all endpoint host metadata.","operationId":"GetEndpointMetadataList","parameters":[{"in":"query","name":"page","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Page"}},{"in":"query","name":"pageSize","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PageSize"}},{"in":"query","name":"kuery","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Kuery"}},{"in":"query","name":"hostStatuses","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_HostStatuses"}},{"in":"query","name":"sortField","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_SortField"}},{"in":"query","name":"sortDirection","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_SortDirection"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_MetadataListResponse"}}},"description":"Indicates a successful call."}},"summary":"Get a metadata list","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/metadata\/{id}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/metadata\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet host metadata for a specific 
endpoint.","operationId":"GetEndpointMetadata","parameters":[{"description":"The agent ID of the endpoint.","in":"path","name":"id","required":true,"schema":{"example":"ed518850-681a-4d60-bb98-e22640cae2a8","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointMetadataResponse"}}},"description":"Indicates a successful call."}},"summary":"Get metadata","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/policy_response":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/policy_response<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the most recent policy response for an endpoint.","operationId":"GetPolicyResponse","parameters":[{"description":"The agent ID to retrieve the policy response for.","in":"query","name":"agentId","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentId"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_SuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Get a policy response","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/endpoint\/protection_updates_note\/{package_policy_id}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/protection_updates_note\/{package_policy_id}<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the protection updates note for a package policy.","operationId":"GetProtectionUpdatesNote","parameters":[{"description":"The package policy ID to retrieve the protection updates note for.","in":"path","name":"package_policy_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse"}}},"description":"Indicates a successful call."}},"summary":"Get a protection updates note","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/endpoint\/protection_updates_note\/{package_policy_id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate or update the protection updates note for a package policy.","operationId":"CreateUpdateProtectionUpdatesNote","parameters":[{"description":"The package policy ID to create or update the protection updates note for.","in":"path","name":"package_policy_id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"type":"object","properties":{"note":{"description":"The note content.","type":"string"}}}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse"}}},"description":"Indicates a successful call."}},"summary":"Create or update a protection updates note","tags":["Security Endpoint Management API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/monitoring\/engine\/delete":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/engine\/delete<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDeletes the Privilege Monitoring Engine and optionally removes all associated privileged user data.","operationId":"DeleteMonitoringEngine","parameters":[{"description":"Whether to delete all the privileged user data","in":"query","name":"data","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"DeleteMonitoringEngineResponse":{"summary":"Engine deleted successfully","value":{"deleted":true}}},"schema":{"type":"object","properties":{"deleted":{"type":"boolean"}},"required":["deleted"]}}},"description":"Successful response"}},"summary":"Delete the Privilege Monitoring Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/monitoring\/engine\/disable":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/engine\/disable<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDisables the Privilege Monitoring Engine, stopping all monitoring activity without removing data.","operationId":"DisableMonitoringEngine","responses":{"200":{"content":{"application\/json":{"examples":{"DisableMonitoringEngineResponse":{"summary":"Engine disabled 
successfully","value":{"status":"disabled"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoringEngineDescriptor"}}},"description":"Successful response"}},"summary":"Disable the Privilege Monitoring Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/monitoring\/engine\/init":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/engine\/init<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInitializes the Privilege Monitoring Engine, setting up the required resources and starting the engine.","operationId":"InitMonitoringEngine","responses":{"200":{"content":{"application\/json":{"examples":{"InitMonitoringEngineResponse":{"summary":"Engine initialized successfully","value":{"status":"started"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoringEngineDescriptor"}}},"description":"Successful response"},"500":{"content":{"application\/json":{"examples":{"InitMonitoringEngineError":{"summary":"Internal server error during engine initialization","value":{"error":{"message":"Failed to initialize monitoring engine"},"status":"error"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoringEngineDescriptor"}}},"description":"Internal Server Error"}},"summary":"Initialize the Privilege Monitoring Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/monitoring\/engine\/schedule_now":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/engine\/schedule_now<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSchedules the Privilege Monitoring Engine to run as soon as possible, triggering an immediate monitoring cycle.","operationId":"ScheduleMonitoringEngine","responses":{"200":{"content":{"application\/json":{"examples":{"ScheduleMonitoringEngineResponse":{"summary":"Engine scheduled successfully","value":{"success":true}}},"schema":{"type":"object","properties":{"success":{"description":"Indicates the scheduling was successful","type":"boolean"}}}}},"description":"Successful response"},"409":{"content":{"application\/json":{"examples":{"ScheduleMonitoringEngineConflict":{"summary":"Engine is already running","value":{"message":"Monitoring engine is already running"}}},"schema":{"type":"object","properties":{"message":{"description":"Error message indicating the engine is already running","type":"string"}}}}},"description":"Conflict - Monitoring engine is already running"}},"summary":"Schedule the Privilege Monitoring Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/monitoring\/privileges\/health":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/privileges\/health<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReturns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics.","operationId":"PrivMonHealth","responses":{"200":{"content":{"application\/json":{"examples":{"PrivMonHealthResponse":{"summary":"Healthy privilege monitoring 
engine","value":{"status":"started","users":{"current_count":42,"max_allowed":1000}}}},"schema":{"type":"object","properties":{"error":{"type":"object","properties":{"message":{"type":"string"}},"required":["status"]},"status":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus"},"users":{"description":"User statistics for privilege monitoring","type":"object","properties":{"current_count":{"description":"Current number of privileged users being monitored","type":"integer"},"max_allowed":{"description":"Maximum number of privileged users allowed to be monitored","type":"integer"}},"required":["current_count","max_allowed"]}},"required":["status"]}}},"description":"Successful response"}},"summary":"Health check on Privilege Monitoring","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/monitoring\/privileges\/privileges":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/privileges\/privileges<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCheck if the current user has all required permissions for Privilege Monitoring","operationId":"PrivMonPrivileges","responses":{"200":{"content":{"application\/json":{"examples":{"PrivMonPrivilegesResponse":{"summary":"Privileges check response","value":{"has_all_required":true,"privileges":{"elasticsearch":{"index":{".entity_analytics.monitoring.user-default":{"read":true}}}}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityAnalyticsPrivileges"}}},"description":"Successful response"}},"summary":"Run a privileges check on Privilege Monitoring","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, 
Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/monitoring\/users":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/users<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreates a new privileged user to be monitored by the Privilege Monitoring Engine.","operationId":"CreatePrivMonUser","requestBody":{"content":{"application\/json":{"examples":{"CreatePrivMonUserRequest":{"summary":"Create a monitored user","value":{"entity_analytics_monitoring":{"labels":[{"field":"department","source":"api","value":"IT"}]},"user":{"name":"john.doe"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_UserName"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"CreatePrivMonUserResponse":{"summary":"Created monitored user","value":{"@timestamp":"2026-01-28T12:00:00.000Z","entity_analytics_monitoring":{"labels":[{"field":"department","source":"api","value":"IT"}]},"event":{"ingested":"2026-01-28T12:00:00.000Z"},"id":"user-abc-123","user":{"is_privileged":true,"name":"john.doe"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoredUserDoc"}}},"description":"User created successfully"}},"summary":"Create a new monitored user","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/monitoring\/users\/_csv":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/users\/_csv<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\nBulk upserts privileged users by uploading a CSV file. Returns per-row errors and aggregate upload statistics.","operationId":"PrivmonBulkUploadUsersCSV","requestBody":{"content":{"multipart\/form-data":{"examples":{"PrivmonBulkUploadUsersCSVRequest":{"summary":"CSV file with privileged users","value":{"file":"username,is_privileged\njohn.doe,true\njane.smith,true\n"}}},"schema":{"type":"object","properties":{"file":{"description":"The CSV file to upload.","format":"binary","type":"string"}},"required":["file"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"PrivmonBulkUploadUsersCSVResponse":{"summary":"Bulk upload response with mixed results","value":{"errors":[{"index":1,"message":"Invalid monitored field","username":"john.doe"}],"stats":{"failedOperations":1,"successfulOperations":1,"totalOperations":2,"uploaded":2}}}},"schema":{"type":"object","properties":{"errors":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem"},"type":"array"},"stats":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats"}},"required":["errors","stats"]}}},"description":"Bulk upload successful"},"413":{"description":"File too large"}},"summary":"Upsert multiple monitored users via CSV upload","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/monitoring\/users\/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/users\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRemoves a privileged user from monitoring by their document ID.","operationId":"DeletePrivMonUser","parameters":[{"description":"The document ID of the 
monitored user to delete","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"DeletePrivMonUserResponse":{"summary":"User deleted successfully","value":{"acknowledged":true,"message":"User deleted successfully"}}},"schema":{"type":"object","properties":{"acknowledged":{"description":"Indicates if the deletion was successful","type":"boolean"},"message":{"description":"A message providing additional information about the deletion status","type":"string"}},"required":["success"]}}},"description":"User deleted successfully"}},"summary":"Delete a monitored user","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/users\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdates the details of an existing monitored privileged user by their document ID.","operationId":"UpdatePrivMonUser","parameters":[{"description":"The document ID of the monitored user to update","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"UpdatePrivMonUserRequest":{"summary":"Update a monitored user","value":{"entity_analytics_monitoring":{"labels":[{"field":"department","source":"api","value":"Security"}]},"user":{"is_privileged":true,"name":"john.doe"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoredUserUpdateDoc"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"UpdatePrivMonUserResponse":{"summary":"Updated monitored 
user","value":{"@timestamp":"2026-01-28T12:00:00.000Z","entity_analytics_monitoring":{"labels":[{"field":"department","source":"api","value":"Security"}]},"event":{"ingested":"2026-01-28T12:00:00.000Z"},"id":"user-abc-123","user":{"is_privileged":true,"name":"john.doe"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoredUserDoc"}}},"description":"User updated successfully"}},"summary":"Update a monitored user","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/monitoring\/users\/list":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/monitoring\/users\/list<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReturns a list of all privileged users currently being monitored. 
Supports optional KQL filtering.","operationId":"ListPrivMonUsers","parameters":[{"description":"KQL query to filter the list of monitored users","in":"query","name":"kql","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"ListPrivMonUsersResponse":{"summary":"List of monitored users","value":[{"@timestamp":"2026-01-28T12:00:00.000Z","entity_analytics_monitoring":{"labels":[{"field":"department","source":"api","value":"IT"}]},"event":{"ingested":"2026-01-28T12:00:00.000Z"},"id":"user-abc-123","user":{"is_privileged":true,"name":"john.doe"}},{"@timestamp":"2026-01-15T09:00:00.000Z","entity_analytics_monitoring":{"labels":[{"field":"department","source":"csv","value":"Security"}]},"event":{"ingested":"2026-01-15T09:00:00.000Z"},"id":"user-def-456","user":{"is_privileged":true,"name":"jane.smith"}}]}},"schema":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoredUserDoc"},"type":"array"}}},"description":"List of monitored users"}},"summary":"List all monitored users","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/privileged_user_monitoring\/pad\/install":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/privileged_user_monitoring\/pad\/install<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInstalls the privileged access detection integration package and sets up the associated ML modules required for the Entity Analytics privileged user monitoring experience.","operationId":"InstallPrivilegedAccessDetectionPackage","responses":{"200":{"content":{"application\/json":{"examples":{"InstallPrivilegedAccessDetectionPackageResponse":{"summary":"Package 
installed successfully","value":{"message":"Privileged access detection package installed successfully"}}},"schema":{"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Successful response"}},"summary":"Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/privileged_user_monitoring\/pad\/status":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/privileged_user_monitoring\/pad\/status<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReturns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job.","operationId":"GetPrivilegedAccessDetectionPackageStatus","responses":{"200":{"content":{"application\/json":{"examples":{"GetPrivilegedAccessDetectionPackageStatusResponse":{"summary":"Package fully installed and running","value":{"jobs":[{"description":"Detects high-risk login patterns","job_id":"pad-high-risk-login","state":"opened"},{"description":"Detects privilege escalation 
events","job_id":"pad-privilege-escalation","state":"opened"}],"ml_module_setup_status":"complete","package_installation_status":"complete"}}},"schema":{"type":"object","properties":{"jobs":{"items":{"type":"object","properties":{"description":{"type":"string"},"job_id":{"type":"string"},"state":{"enum":["closing","closed","opened","failed","opening"],"type":"string"}},"required":["job_id","state"]},"type":"array"},"ml_module_setup_status":{"enum":["complete","incomplete"],"type":"string"},"package_installation_status":{"enum":["complete","incomplete"],"type":"string"}},"required":["package_installation_status","ml_module_setup_status","jobs"]}}},"description":"Privileged access detection status retrieved"}},"summary":"Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/watchlists":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/watchlists<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreates a new entity analytics watchlist with an optional set of entity sources. 
Watchlists apply a risk score modifier to matched entities.","operationId":"CreateWatchlist","requestBody":{"content":{"application\/json":{"examples":{"CreateWatchlistRequest":{"summary":"Create watchlist request","value":{"description":"High risk vendor watchlist","managed":false,"name":"High Risk Vendors","riskModifier":1.5}},"CreateWatchlistWithSourcesRequest":{"summary":"Create watchlist with entity sources","value":{"description":"High risk vendor watchlist","entitySources":[{"enabled":true,"identifierField":"user.name","indexPattern":"my-sync-index","name":"My User Index Source","type":"index"}],"managed":false,"name":"High Risk Vendors","riskModifier":1.5}}},"schema":{"type":"object","properties":{"description":{"description":"Description of the watchlist","type":"string"},"entitySources":{"description":"Optional entity sources to create and link to the watchlist","items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"filter":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Filter"},"identifierField":{"description":"Field used to query the entity store for index-type sources","type":"string"},"indexPattern":{"type":"string"},"integrationName":{"description":"Required when type is entity_analytics_integration. 
One of entityanalytics_okta, entityanalytics_ad.","type":"string"},"matchers":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Matcher"},"type":"array"},"name":{"type":"string"},"queryRule":{"description":"KQL query used to filter data from the provided index patterns","type":"string"},"range":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_DateRange"},"type":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntitySourceType"}},"required":["type","name"]},"type":"array"},"managed":{"description":"Indicates if the watchlist is managed by the system","type":"boolean"},"name":{"description":"Unique name for the watchlist","type":"string"},"riskModifier":{"description":"Risk score modifier associated with the watchlist","maximum":2,"minimum":0,"type":"number"}},"required":["name","riskModifier"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"CreateWatchlistResponse":{"summary":"Created watchlist","value":{"createdAt":"2026-01-28T12:00:00.000Z","description":"High risk vendor watchlist","id":"watchlist-123","managed":false,"name":"High Risk Vendors","riskModifier":1.5,"updatedAt":"2026-01-28T12:00:00.000Z"}}},"schema":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_WatchlistObject"},{"type":"object","properties":{"entitySources":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoringEntitySource"},"type":"array"}}}]}}},"description":"Watchlist created successfully"}},"summary":"Create a new watchlist","tags":["Security Entity Analytics API"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/watchlists\/{id}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/watchlists\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieves the details of an entity analytics watchlist by its unique identifier.","operationId":"GetWatchlist","parameters":[{"description":"Unique ID of the watchlist","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"GetWatchlistResponse":{"summary":"Watchlist details","value":{"createdAt":"2026-01-28T12:00:00.000Z","description":"High risk vendor watchlist","id":"watchlist-123","managed":false,"name":"High Risk Vendors","riskModifier":1.5,"updatedAt":"2026-02-18T12:00:00.000Z"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_WatchlistObject"}}},"description":"Watchlist details"}},"summary":"Get a watchlist by ID","tags":["Security Entity Analytics API"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/watchlists\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdates the name, description, risk modifier, or managed status of an existing entity analytics watchlist.","operationId":"UpdateWatchlist","parameters":[{"description":"The ID of the watchlist to update","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"UpdateWatchlistRequest":{"summary":"Update watchlist request","value":{"description":"High risk vendor watchlist","managed":false,"name":"High Risk 
Vendors","riskModifier":1.5}}},"schema":{"type":"object","properties":{"description":{"description":"Description of the watchlist","type":"string"},"managed":{"description":"Indicates if the watchlist is managed by the system","type":"boolean"},"name":{"description":"Unique name of the watchlist","type":"string"},"riskModifier":{"description":"Risk score modifier associated with the watchlist","maximum":2,"minimum":0,"type":"number"}},"required":["name","riskModifier"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"UpdateWatchlistResponse":{"summary":"Updated watchlist","value":{"createdAt":"2026-01-28T12:00:00.000Z","description":"High risk vendor watchlist","id":"watchlist-123","managed":false,"name":"High Risk Vendors","riskModifier":1.5,"updatedAt":"2026-02-18T12:00:00.000Z"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_WatchlistObject"}}},"description":"Watchlist updated successfully"}},"summary":"Update an existing watchlist","tags":["Security Entity Analytics API"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/watchlists\/{watchlist_id}\/csv_upload":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/watchlists\/{watchlist_id}\/csv_upload<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUploads a CSV file to add entities to a watchlist. The CSV must contain a header row\nwith a \"type\" column (user, host, service, or generic) and one or more ECS identity\nfields (e.g. 
\"user.name\", \"host.hostname\") used to match entities in the entity store.\n\nMatched entities are added to the watchlist and their `entity.attributes.watchlists`\nfield is updated in the entity store.\n\nEach row will match up to 10,000 entities.\n","operationId":"UploadWatchlistCsv","parameters":[{"description":"The ID of the watchlist to add entities to","example":"high-risk-vendors","in":"path","name":"watchlist_id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart\/form-data":{"examples":{"csvUpload":{"summary":"CSV file with user entities","value":{"file":"type,user.name\nuser,john.doe\nuser,jane.smith\n"}}},"schema":{"type":"object","properties":{"file":{"description":"The CSV file to upload.","format":"binary","type":"string"}},"required":["file"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"CsvUploadResponse":{"summary":"CSV upload response with mixed results","value":{"failed":1,"items":[{"matchedEntities":1,"status":"success"},{"error":"Invalid entity type","matchedEntities":0,"status":"failure"},{"matchedEntities":0,"status":"unmatched"}],"successful":1,"total":3,"unmatched":1}}},"schema":{"type":"object","properties":{"failed":{"description":"Number of rows that failed to process","example":1,"type":"integer"},"items":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem"},"type":"array"},"successful":{"description":"Number of rows that matched at least one entity","example":1,"type":"integer"},"total":{"description":"Total number of rows processed","example":3,"type":"integer"},"unmatched":{"description":"Number of rows that matched no entities","example":1,"type":"integer"}},"required":["successful","failed","total","unmatched","items"]}}},"description":"Upload successful"},"413":{"description":"File too large"}},"summary":"Upload a CSV file to add entities to a watchlist","tags":["Security Entity Analytics 
API"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/watchlists\/{watchlist_id}\/entities\/assign":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/watchlists\/{watchlist_id}\/entities\/assign<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nAssigns the provided entities to the specified watchlist using a \"manual\" source label.\nThe entities must already exist in the entity store.\n\nIf an entity is already on the watchlist, no new document is created \u2014 the \"manual\" label\nis added to its existing source labels instead.\n","operationId":"AssignWatchlistEntities","parameters":[{"description":"The ID of the watchlist to add entities to","example":"high-risk-vendors","in":"path","name":"watchlist_id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"assignEntities":{"summary":"Assign two entities to a watchlist","value":{"euids":["user:john.doe","host:web-01"]}}},"schema":{"type":"object","properties":{"euids":{"description":"The EUIDs of the entities to assign","example":["user:john.doe","host:web-01"],"items":{"type":"string"},"type":"array"}},"required":["euids"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"assignEntitiesResponse":{"summary":"Successful assignment of two entities","value":{"failed":0,"items":[{"euid":"user:john.doe","status":"success"},{"euid":"host:web-01","status":"not_found"}],"not_found":1,"successful":1,"total":2}}},"schema":{"type":"object","properties":{"failed":{"description":"Number of entities that failed to 
process","example":0,"type":"integer"},"items":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem"},"type":"array"},"not_found":{"description":"Number of entities not found in the entity store","example":1,"type":"integer"},"successful":{"description":"Number of entities successfully assigned","example":1,"type":"integer"},"total":{"description":"Total number of entities processed","example":2,"type":"integer"}},"required":["successful","failed","not_found","total","items"]}}},"description":"Assignment successful"}},"summary":"Manually assign entities to a watchlist","tags":["Security Entity Analytics API"],"x-state":"Technical Preview; added in 9.4.0","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/watchlists\/{watchlist_id}\/entities\/unassign":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/watchlists\/{watchlist_id}\/entities\/unassign<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUnassigns the provided entities from the specified watchlist.\nThis only removes the \"manual\" assignment. 
If the entity is also\nassigned via other sources (for example, index or integration), it will\nremain on the watchlist.\n","operationId":"UnassignWatchlistEntities","parameters":[{"description":"The ID of the watchlist to remove entities from","example":"high-risk-vendors","in":"path","name":"watchlist_id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"unassignEntities":{"summary":"Unassign two entities from a watchlist","value":{"euids":["user:john.doe","host:web-01"]}}},"schema":{"type":"object","properties":{"euids":{"description":"The EUIDs of the entities to unassign","example":["user:john.doe","host:web-01"],"items":{"type":"string"},"type":"array"}},"required":["euids"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"unassignEntitiesResponse":{"summary":"Successful unassignment of two entities","value":{"failed":0,"items":[{"euid":"user:john.doe","status":"success"},{"euid":"host:web-01","status":"not_found"}],"not_found":1,"successful":1,"total":2}}},"schema":{"type":"object","properties":{"failed":{"description":"Number of entities that failed to process","example":0,"type":"integer"},"items":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem"},"type":"array"},"not_found":{"description":"Number of entities not found in the manual watchlist assignment","example":1,"type":"integer"},"successful":{"description":"Number of entities successfully unassigned","example":1,"type":"integer"},"total":{"description":"Total number of entities processed","example":2,"type":"integer"}},"required":["successful","failed","not_found","total","items"]}}},"description":"Unassignment successful"}},"summary":"Manually unassign entities from a watchlist","tags":["Security Entity Analytics API"],"x-state":"Technical Preview; added in 9.4.0","x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/entity_analytics\/watchlists\/list":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_analytics\/watchlists\/list<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReturns a list of all entity analytics watchlists.","operationId":"ListWatchlists","responses":{"200":{"content":{"application\/json":{"examples":{"ListWatchlistsResponse":{"summary":"List of watchlists","value":[{"createdAt":"2026-01-28T12:00:00.000Z","description":"High risk vendor watchlist","id":"watchlist-123","managed":false,"name":"High Risk Vendors","riskModifier":1.5,"updatedAt":"2026-02-18T12:00:00.000Z"},{"createdAt":"2026-01-10T09:30:00.000Z","description":"Privileged user monitoring watchlist","id":"watchlist-456","managed":true,"name":"Privileged Accounts","riskModifier":2,"updatedAt":"2026-02-01T15:45:00.000Z"}]}},"schema":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_WatchlistObject"},"type":"array"}}},"description":"List of watchlists"}},"summary":"List all watchlists","tags":["Security Entity Analytics API"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/enable":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/enable<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInitialize the entire Entity Store, creating engines for all or specified entity 
types.","operationId":"InitEntityStore","requestBody":{"content":{"application\/json":{"schema":{"type":"object","properties":{"delay":{"default":"1m","description":"The delay before the transform will run.","pattern":"[smdh]$","type":"string"},"docsPerSecond":{"default":-1,"description":"The number of documents per second to process.","type":"integer"},"enrichPolicyExecutionInterval":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Interval"},"entityTypes":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"},"type":"array"},"fieldHistoryLength":{"default":10,"description":"The number of historical values to keep for each field.","type":"integer"},"filter":{"type":"string"},"frequency":{"default":"1m","description":"The frequency at which the transform will run.","pattern":"[smdh]$","type":"string"},"indexPattern":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_IndexPattern"},"lookbackPeriod":{"default":"3h","description":"The amount of time the transform looks back to calculate the aggregations.","pattern":"[smdh]$","type":"string"},"maxPageSearchSize":{"default":500,"description":"The initial page size to use for the composite aggregation of each checkpoint.","type":"integer"},"timeout":{"default":"180s","description":"The timeout for initializing the aggregating transform.","pattern":"[smdh]$","type":"string"},"timestampField":{"default":"@timestamp","description":"The field to use as the timestamp.","type":"string"}}}}},"description":"Configuration for the entity store initialization.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"initEntityStoreExample":{"description":"The Entity Store was successfully initialized, creating host and user engines in the installing state.","summary":"Entity Store initialized with host and user 
engines","value":{"engines":[{"delay":"1m","fieldHistoryLength":10,"frequency":"1m","indexPattern":"","lookbackPeriod":"24h","status":"installing","timeout":"180s","timestampField":"@timestamp","type":"host"},{"delay":"1m","fieldHistoryLength":10,"frequency":"1m","indexPattern":"","lookbackPeriod":"24h","status":"installing","timeout":"180s","timestampField":"@timestamp","type":"user"}],"succeeded":true}}},"schema":{"type":"object","properties":{"engines":{"description":"The engine descriptors created during initialization.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineDescriptor"},"type":"array"},"succeeded":{"description":"Whether the Entity Store was initialized successfully.","type":"boolean"}}}}},"description":"Successful response"},"400":{"description":"Invalid request"}},"summary":"Initialize the Entity Store","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/engines":{"delete":{"operationId":"DeleteEntityEngines","parameters":[{"description":"The entity type of the engine ('user', 'host', 'service', 'generic').","examples":{"hostAndService":{"value":"host,service"}},"in":"query","name":"entityTypes","required":false,"schema":{"description":"Array of engine types to delete. 
Empty by default, which results in all the engines being deleted.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"},"type":"array"}},{"description":"Control flag to also delete the entity data.","in":"query","name":"delete_data","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteEntityEnginesExample":{"description":"Example response after deleting 'host' engine","value":{"deleted":["host"],"still_running":["generic","user","service"]}}},"schema":{"type":"object","properties":{"deleted":{"description":"Entity types whose engines were successfully deleted.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"},"type":"array"},"still_running":{"description":"Entity types whose engines are still running.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"},"type":"array"}}}}},"description":"Successful response"}},"summary":"Delete Entity Engines","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/engines<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/engines<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all installed entity engines and their current 
status.","operationId":"ListEntityEngines","responses":{"200":{"content":{"application\/json":{"examples":{"listEntityEnginesExample":{"description":"Returns a list with one running host engine and one stopped user engine.","summary":"Two engines installed","value":{"count":2,"engines":[{"delay":"1m","fieldHistoryLength":10,"frequency":"1m","indexPattern":"","lookbackPeriod":"24h","status":"started","timeout":"180s","timestampField":"@timestamp","type":"host"},{"delay":"1m","fieldHistoryLength":10,"frequency":"1m","indexPattern":"","lookbackPeriod":"24h","status":"stopped","timeout":"180s","timestampField":"@timestamp","type":"user"}]}}},"schema":{"type":"object","properties":{"count":{"description":"The total number of entity engines.","type":"integer"},"engines":{"description":"An array of engine descriptors.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineDescriptor"},"type":"array"}}}}},"description":"Successful response"}},"summary":"List the Entity Engines","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/engines\/{entityType}":{"delete":{"operationId":"DeleteEntityEngine","parameters":[{"description":"The entity type of the engine (either 'user' or 'host').","examples":{"host":{"value":"host"}},"in":"path","name":"entityType","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"}},{"description":"Control flag to also delete the entity data.","in":"query","name":"delete_data","required":false,"schema":{"type":"boolean"}},{"deprecated":true,"description":"Control flag to also delete the entity data.","in":"query","name":"data","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteEntityEngineExample":{"description":"Example response after deleting 'host' 
engine","value":{"deleted":true}}},"schema":{"type":"object","properties":{"deleted":{"description":"Whether the engine was successfully deleted.","type":"boolean"}}}}},"description":"Successful response"}},"summary":"Delete the Entity Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}],"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/engines\/{entityType}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information."},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/engines\/{entityType}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the engine descriptor for a specific entity type, including its configuration and current status.","operationId":"GetEntityEngine","parameters":[{"description":"The entity type of the engine.","example":"host","in":"path","name":"entityType","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getEntityEngineExample":{"description":"Returns the engine descriptor for a host engine that is currently running with default settings.","summary":"A running host engine","value":{"delay":"1m","fieldHistoryLength":10,"frequency":"1m","indexPattern":"","lookbackPeriod":"24h","status":"started","timeout":"180s","timestampField":"@timestamp","type":"host"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineDescriptor"}}},"description":"Successful response"}},"summary":"Get an Entity 
Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/engines\/{entityType}\/init":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/engines\/{entityType}\/init<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInitialize a single entity engine for the specified entity type.","operationId":"InitEntityEngine","parameters":[{"description":"The entity type of the engine.","in":"path","name":"entityType","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"}}],"requestBody":{"content":{"application\/json":{"schema":{"type":"object","properties":{"delay":{"default":"1m","description":"The delay before the transform will run.","pattern":"[smdh]$","type":"string"},"docsPerSecond":{"default":-1,"description":"The number of documents per second to process.","type":"integer"},"enrichPolicyExecutionInterval":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Interval"},"fieldHistoryLength":{"default":10,"description":"The number of historical values to keep for each field.","type":"integer"},"filter":{"type":"string"},"frequency":{"default":"1m","description":"The frequency at which the transform will run.","pattern":"[smdh]$","type":"string"},"indexPattern":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_IndexPattern"},"lookbackPeriod":{"default":"3h","description":"The amount of time the transform looks back to calculate the aggregations.","pattern":"[smdh]$","type":"string"},"maxPageSearchSize":{"default":500,"description":"The initial page size to use for the composite aggregation of each checkpoint.","type":"integer"},"timeout":{"default":"180s","description":"The timeout for 
initializing the aggregating transform.","pattern":"[smdh]$","type":"string"},"timestampField":{"default":"@timestamp","description":"The field to use as the timestamp for the entity type.","type":"string"}}}}},"description":"Schema for the engine initialization","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"initEntityEngineExample":{"description":"A host engine was successfully initialized and is now in the installing state.","summary":"Host engine initialized","value":{"delay":"1m","fieldHistoryLength":10,"frequency":"1m","indexPattern":"","lookbackPeriod":"3h","status":"installing","timeout":"180s","timestampField":"@timestamp","type":"host"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineDescriptor"}}},"description":"Successful response"},"400":{"description":"Invalid request"}},"summary":"Initialize an Entity Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/engines\/{entityType}\/start":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/engines\/{entityType}\/start<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nStart a previously stopped entity engine, resuming transform processing for the given entity type.","operationId":"StartEntityEngine","parameters":[{"description":"The entity type of the engine to start.","example":"host","in":"path","name":"entityType","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"startEntityEngineExample":{"description":"The engine was successfully started and is now processing data.","summary":"Engine started 
successfully","value":{"started":true}}},"schema":{"type":"object","properties":{"started":{"description":"Whether the engine was successfully started.","type":"boolean"}}}}},"description":"Successful response"}},"summary":"Start an Entity Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/engines\/{entityType}\/stop":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/engines\/{entityType}\/stop<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nStop a running entity engine, pausing transform processing for the given entity type.","operationId":"StopEntityEngine","parameters":[{"description":"The entity type of the engine to stop.","example":"host","in":"path","name":"entityType","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"stopEntityEngineExample":{"description":"The engine was successfully stopped and is no longer processing data.","summary":"Engine stopped successfully","value":{"stopped":true}}},"schema":{"type":"object","properties":{"stopped":{"description":"Whether the engine was successfully stopped.","type":"boolean"}}}}},"description":"Successful response"}},"summary":"Stop an Entity Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/engines\/apply_dataview_indices":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/engines\/apply_dataview_indices<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSynchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms.","operationId":"ApplyEntityEngineDataviewIndices","responses":{"200":{"content":{"application\/json":{"examples":{"applyDataviewIndicesExample":{"description":"All running engines were successfully updated with the current data view index patterns.","summary":"All engines updated","value":{"result":[{"changes":{"indexPatterns":["logs-*","filebeat-*","auditbeat-*"]},"type":"host"},{"changes":{"indexPatterns":["logs-*","filebeat-*","auditbeat-*"]},"type":"user"}],"success":true}}},"schema":{"type":"object","properties":{"result":{"description":"Per-engine update results.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineDataviewUpdateResult"},"type":"array"},"success":{"description":"Whether all engines updated successfully.","type":"boolean"}}}}},"description":"Successful response"},"207":{"content":{"application\/json":{"examples":{"partialSuccessExample":{"description":"The host engine was updated but the user engine failed due to insufficient privileges.","summary":"One engine failed","value":{"errors":["Failed to update user engine: insufficient privileges"],"result":[{"changes":{"indexPatterns":["logs-*","filebeat-*"]},"type":"host"}],"success":false}}},"schema":{"type":"object","properties":{"errors":{"description":"Error messages for engines that failed to update.","items":{"type":"string"},"type":"array"},"result":{"description":"Per-engine update results for engines that succeeded.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineDataviewUpdateResult"},"type":"array"},"success":{"description":"Always `false` for a partial 
success.","type":"boolean"}}}}},"description":"Partial successful response"},"500":{"content":{"application\/json":{"examples":{"serverErrorExample":{"description":"An unexpected error occurred while applying data view indices.","summary":"Internal server error","value":{"body":"An internal error occurred while updating engine indices","statusCode":500}}},"schema":{"type":"object","properties":{"body":{"description":"Error message.","type":"string"},"statusCode":{"description":"HTTP status code.","type":"number"}}}}},"description":"Error response"}},"summary":"Apply DataView indices to all installed engines","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/entities\/{entityType}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/entities\/{entityType}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a single entity in Entity Store.\nThe entity will be immediately deleted from the latest index.  It will remain available in historical snapshots if it has been snapshotted.  The delete operation does not prevent the entity from being recreated if it is observed again in the future. 
\n","operationId":"DeleteSingleEntity","parameters":[{"example":"user","in":"path","name":"entityType","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"}}],"requestBody":{"content":{"application\/json":{"schema":{"type":"object","properties":{"id":{"description":"Identifier of the entity to be deleted, commonly the `entity.id` value.","example":"arn:aws:iam::123456789012:user\/jane.doe","type":"string"}},"required":["id"]}}},"description":"Schema for deleting an entity","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"deleteEntityExample":{"description":"The entity was found and successfully removed from the latest index.","summary":"Entity deleted","value":{"deleted":true}}},"schema":{"type":"object","properties":{"deleted":{"description":"Whether the entity was successfully deleted.","type":"boolean"}}}}},"description":"Successful response. Entity deleted."},"404":{"description":"Entity Not Found. No entity with this ID and Type exists."},"503":{"description":"Operation on an uninitialized Engine or in a cluster without CRUD API Enabled"}},"summary":"Delete an entity in Entity Store","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/entities\/{entityType}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate or create an entity in Entity Store.\nIf the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created. 
By default, only the following fields can be updated:\n\n* `entity.attributes.*`\n* `entity.lifecycle.*`\n* `entity.behavior.*`\n\nTo update other fields, set the `force` query parameter to `true`.\n> info\n> Some fields always retain the first observed value. Updates to these fields will not appear in the final index.\n> Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values.\n> Due to technical limitations, create is an async operation. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute.\n","operationId":"UpsertEntity","parameters":[{"example":"user","in":"path","name":"entityType","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"}},{"description":"When true, allows updating protected fields.","in":"query","name":"force","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Entity"}}},"description":"Schema for updating a single entity","required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Entity"}}},"description":"Entity updated or created"},"403":{"description":"Operation on a restricted field"},"409":{"description":"Conflict. 
The entity was updated while another update was happening in Elasticsearch"},"503":{"description":"Operation on an uninitialized Engine or in a cluster without CRUD API Enabled"}},"summary":"Upsert an entity in Entity Store","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/entities\/bulk":{"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/entities\/bulk<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate or create many entities in Entity Store.\nIf the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created.\nThe creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute.\n","operationId":"UpsertEntitiesBulk","parameters":[{"description":"When true, allows updating protected fields.","in":"query","name":"force","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntitiesContainer"}}},"description":"Schema for updating many entities","required":true},"responses":{"200":{"description":"Entities updated or created"},"403":{"description":"Operation on a restricted field"},"503":{"description":"Operation on an uninitialized Engine or in a cluster without CRUD API Enabled"}},"summary":"Upsert many entities in Entity Store","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/entities\/list":{"get":{"description":"**Spaces method and path for this 
operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/entities\/list<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList entity records, with paging, sorting and filtering as needed.","operationId":"ListEntities","parameters":[{"description":"Field to sort results by.","example":"entity.name","in":"query","name":"sort_field","required":false,"schema":{"type":"string"}},{"description":"Sort order.","in":"query","name":"sort_order","required":false,"schema":{"enum":["asc","desc"],"type":"string"}},{"description":"Page number to return (1-indexed).","example":1,"in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"integer"}},{"description":"Number of entities per page.","example":10,"in":"query","name":"per_page","required":false,"schema":{"maximum":10000,"minimum":1,"type":"integer"}},{"description":"An ES query to filter by.","in":"query","name":"filterQuery","required":false,"schema":{"type":"string"}},{"description":"Entity types to include in the results.","in":"query","name":"entity_types","required":true,"schema":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"},"type":"array"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"type":"object","properties":{"inspect":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_InspectQuery"},"page":{"description":"Current page number.","minimum":1,"type":"integer"},"per_page":{"description":"Number of entities per page.","maximum":1000,"minimum":1,"type":"integer"},"records":{"description":"The entity records for this page.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Entity"},"type":"array"},"total":{"description":"Total number of entities matching the 
query.","minimum":0,"type":"integer"}},"required":["records","page","per_page","total"]}}},"description":"Entities returned successfully"}},"summary":"List Entity Store Entities","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/entity_store\/status":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/entity_store\/status<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the overall Entity Store status and per-engine statuses, optionally including component-level health details.","operationId":"GetEntityStoreStatus","parameters":[{"description":"If true, returns a detailed status of each engine including all its components.","example":true,"in":"query","name":"include_components","schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"entityStoreRunning":{"description":"The Entity Store is running with both host and user engines started and using default settings.","summary":"Entity Store running with two engines","value":{"engines":[{"delay":"1m","fieldHistoryLength":10,"frequency":"1m","indexPattern":"","lookbackPeriod":"24h","status":"started","timeout":"180s","timestampField":"@timestamp","type":"host"},{"delay":"1m","fieldHistoryLength":10,"frequency":"1m","indexPattern":"","lookbackPeriod":"24h","status":"started","timeout":"180s","timestampField":"@timestamp","type":"user"}],"status":"running"}}},"schema":{"type":"object","properties":{"engines":{"description":"Per-engine status information.","items":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineDescriptor"},{"type":"object","properties":{"components":{"description":"Detailed component-level status. 
Only included when include_components is true.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineComponentStatus"},"type":"array"}}}]},"type":"array"},"status":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_StoreStatus","description":"The overall status of the Entity Store."}},"required":["status","engines"]}}},"description":"Successful response"}},"summary":"Get the status of the Entity Store","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/exception_lists":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an exception list using the `id` or `list_id` field.","operationId":"DeleteExceptionList","parameters":[{"description":"Exception list's identifier. Either `id` or `list_id` must be specified.","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListId"}},{"description":"Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.","examples":{"autogeneratedId":{"value":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2"},"list_id":{"value":"simple_list"}},"in":"query","name":"list_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"}},{"description":"`single` deletes the list in the current Kibana space; `agnostic` deletes a global list. 
Must match the\nlist you are removing when using `list_id` or `id`.\n","examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType","default":"single"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"detectionExceptionList":{"value":{"_version":"WzIsMV0=","created_at":"2025-01-07T19:34:27.942Z","created_by":"elastic","description":"This is a sample detection type exception list.","id":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3","type":"detection","updated_at":"2025-01-07T19:34:27.942Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. 
Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [DELETE \/api\/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"exception list list_id: \"foo\" does not exist","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path 
for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of an exception list using the `id` or `list_id` field.","operationId":"ReadExceptionList","parameters":[{"description":"Exception list's identifier. Either `id` or `list_id` must be specified.","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListId"}},{"description":"Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.","in":"query","name":"list_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"}},{"description":"When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global\n(space-agnostic) container. 
Required for looking up the correct list when `list_id` is not unique.\n","examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType","default":"single"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"detectionType":{"value":{"_version":"WzIsMV0=","created_at":"2025-01-07T19:34:27.942Z","created_by":"elastic","description":"This is a sample detection type exception list.","id":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3","type":"detection","updated_at":"2025-01-07T19:34:27.942Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. 
Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"exception list id: \"foo\" does not exist","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list item not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get exception list details","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and 
path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nAn exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules.\n> info\n> All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.\n","operationId":"CreateExceptionList","requestBody":{"content":{"application\/json":{"examples":{"createDetection":{"value":{"description":"This is a sample detection type exception list.","list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"type":"detection"}}},"schema":{"example":{"description":"This is a sample detection type exception list.","list_id":"simple_list","name":"Sample Detection Exception 
List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"type":"detection"},"type":"object","properties":{"description":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListDescription"},"list_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListName"},"namespace_type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType","default":"single"},"os_types":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListOsTypeArray"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListTags","default":[]},"type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListType"},"version":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListVersion","default":1}},"required":["name","description","type"]}}},"description":"Exception list's properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"autogeneratedListId":{"value":{"_version":"WzMsMV0=","created_at":"2025-01-09T01:05:23.019Z","created_by":"elastic","description":"This is a sample detection type exception with an autogenerated list_id.","id":"28243c2f-624a-4443-823d-c0b894880931","immutable":false,"list_id":"8c1aae4c-1ef5-4bce-a2e3-16584b501783","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["malware"],"tie_breaker_id":"ad94de31-39f7-4ad7-b8e4-988bfa95f338","type":"detection","updated_at":"2025-01-09T01:05:23.020Z","updated_by":"elastic","version":1}},"namespaceAgnostic":{"value":{"_version":"WzUsMV0=","created_at":"2025-01-09T01:10:36.369Z","created_by":"elastic","description":"This is a sample agnostic endpoint type 
exception.","id":"1a744e77-22ca-4b6b-9085-54f55275ebe5","immutable":false,"list_id":"b935eb55-7b21-4c1c-b235-faa1df23b3d6","name":"Sample Agnostic Endpoint Exception List","namespace_type":"agnostic","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"49ea0adc-a2b8-4d83-a8f3-2fb98301dea3","type":"endpoint","updated_at":"2025-01-09T01:10:36.369Z","updated_by":"elastic","version":1}},"typeDetection":{"value":{"_version":"WzIsMV0=","created_at":"2025-01-07T19:34:27.942Z","created_by":"elastic","description":"This is a sample detection type exception list.","id":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3","type":"detection","updated_at":"2025-01-07T19:34:27.942Z","updated_by":"elastic","version":1}},"typeEndpoint":{"value":{"_version":"WzQsMV0=","created_at":"2025-01-09T01:07:49.658Z","created_by":"elastic","description":"This is a sample endpoint type exception list.","id":"a79f4730-6e32-4278-abfc-349c0add7d54","immutable":false,"list_id":"endpoint_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"94a028af-8f47-427a-aca5-ffaf829e64ee","type":"endpoint","updated_at":"2025-01-09T01:07:49.658Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: list_id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data 
response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application\/json":{"examples":{"alreadyExists":{"value":{"message":"exception list id: \"simple_list\" already exists","status_code":409}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list already exists response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an exception list using the `id` or 
`list_id` field.","operationId":"UpdateExceptionList","requestBody":{"content":{"application\/json":{"examples":{"fullReplace":{"value":{"description":"Different description","list_id":"simple_list","name":"Updated exception list name","os_types":["linux"],"tags":["draft","malware"],"type":"detection"}}},"schema":{"example":{"description":"Different description","list_id":"simple_list","name":"Updated exception list name","os_types":["linux"],"tags":["draft malware"],"type":"detection"},"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.","type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListDescription"},"id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListId"},"list_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListName"},"namespace_type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType","default":"single"},"os_types":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListOsTypeArray","default":[]},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListTags"},"type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListType"},"version":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListVersion"}},"required":["name","description","type"]}}},"description":"Exception list's properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"simpleList":{"value":{"_version":"WzExLDFd","created_at":"2025-01-07T20:43:55.264Z","created_by":"elastic","description":"Different 
description","id":"fa7f545f-191b-4d32-b1f0-c7cd62a79e55","immutable":false,"list_id":"simple_list","name":"Updated exception list name","namespace_type":"single","os_types":[],"tags":["draft malware"],"tie_breaker_id":"319fe983-acdd-4806-b6c4-3098eae9392f","type":"detection","updated_at":"2025-01-07T21:32:03.726Z","updated_by":"elastic","version":2}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: list_id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PUT \/api\/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message\"":"exception list id: \"foo\" does not 
exist","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Update an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/exception_lists\/_duplicate":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists\/_duplicate<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDuplicate an existing exception list.","operationId":"DuplicateExceptionList","parameters":[{"description":"The `list_id` of the existing exception list to copy (source list).","in":"query","name":"list_id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"}},{"description":"Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces).","examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType"}},{"description":"Determines whether to include expired exceptions in the duplicated list. 
Expiration date defined by `expire_time`.","in":"query","name":"include_expired_exceptions","required":true,"schema":{"default":"true","enum":["true","false"],"example":true,"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"detectionExceptionList":{"value":{"_version":"WzExNDY1LDFd","created_at":"2025-01-09T16:19:50.280Z","created_by":"elastic","description":"This is a sample detection type exception","id":"b2f4a715-6ab1-444c-8b1e-3fa1b1049429","immutable":false,"list_id":"d6390d60-bce3-4a48-9002-52db600f329c","name":"Sample Detection Exception List [Duplicate]","namespace_type":"single","os_types":[],"tags":["malware"],"tie_breaker_id":"6fa670bd-666d-4c9c-9f1e-d1dbc516e985","type":"detection","updated_at":"2025-01-09T16:19:50.280Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type: Invalid enum value. 
Expected 'agnostic' | 'single', received 'foo'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/exception_lists\/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"exception list id: \"foo\" does not exist","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Exception list not found"},"405":{"content":{"application\/json":{"examples":{"notAllowed":{"value":{"message":"Cannot duplicate: list is immutable or the operation is not allowed in this state","status_code":405}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list to duplicate not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server 
Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Duplicate an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/exception_lists\/_export":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists\/_export<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nExport an exception list and its associated items to an NDJSON file.","operationId":"ExportExceptionList","parameters":[{"description":"Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target.","in":"query","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListId"}},{"description":"Human-readable `list_id` of the exception list to export, as shown in the UI and API responses.","in":"query","name":"list_id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"}},{"description":"`single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list.\n","examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType"}},{"description":"Determines whether to include expired exceptions in the exported list. 
Expiration date defined by `expire_time`.","example":true,"in":"query","name":"include_expired_exceptions","required":true,"schema":{"default":"true","enum":["true","false"],"type":"string"}}],"responses":{"200":{"content":{"application\/ndjson":{"examples":{"exportSavedObjectsResponse":{"value":"{\"_version\":\"WzExNDU5LDFd\",\"created_at\":\"2025-01-09T16:18:17.757Z\",\"created_by\":\"elastic\",\"description\":\"This is a sample detection type exception\",\"id\":\"c86c2da0-2ab6-4343-b81c-216ef27e8d75\",\"immutable\":false,\"list_id\":\"simple_list\",\"name\":\"Sample Detection Exception List\",\"namespace_type\":\"single\",\"os_types\":[],\"tags\":[\"user added string for a tag\",\"malware\"],\"tie_breaker_id\":\"cf4a7b92-732d-47f0-a0d5-49a35a1736bf\",\"type\":\"detection\",\"updated_at\":\"2025-01-09T16:18:17.757Z\",\"updated_by\":\"elastic\",\"version\":1}\n{\"_version\":\"WzExNDYxLDFd\",\"comments\":[],\"created_at\":\"2025-01-09T16:18:42.308Z\",\"created_by\":\"elastic\",\"description\":\"This is a sample endpoint type exception\",\"entries\":[{\"type\":\"exists\",\"field\":\"actingProcess.file.signer\",\"operator\":\"excluded\"},{\"type\":\"match_any\",\"field\":\"host.name\",\"value\":[\"some host\",\"another host\"],\"operator\":\"included\"}],\"id\":\"f37597ce-eaa7-4b64-9100-4301118f6806\",\"item_id\":\"simple_list_item\",\"list_id\":\"simple_list\",\"name\":\"Sample Endpoint Exception List\",\"namespace_type\":\"single\",\"os_types\":[\"linux\"],\"tags\":[\"user added string for a tag\",\"malware\"],\"tie_breaker_id\":\"4ca3ef3e-9721-42c0-8107-cf47e094d40f\",\"type\":\"simple\",\"updated_at\":\"2025-01-09T16:18:42.308Z\",\"updated_by\":\"elastic\"}\n{\"exported_exception_list_count\":1,\"exported_exception_list_item_count\":1,\"missing_exception_list_item_count\":0,\"missing_exception_list_items\":[],\"missing_exception_lists\":[],\"missing_exception_lists_count\":0}\n"}},"schema":{"description":"A `.ndjson` file containing specified exception list and 
its items","format":"binary","type":"string"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: list_id: Required, namespace_type: Required","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/exception_lists\/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"exception list id: \"foo\" does not exist","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Export an exception 
list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/exception_lists\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all exception list containers.","operationId":"FindExceptionLists","parameters":[{"description":"Filters the returned results according to the value of the specified field.\n\nUses the `so type.field name:field` value syntax, where `so type` can be:\n\n- `exception-list`: Specify a space-aware exception list.\n- `exception-list-agnostic`: Specify an exception list that is shared across spaces.\n","in":"query","name":"filter","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_FindExceptionListsFilter"}},{"description":"Determines whether the returned containers are associated with a Kibana space\nor available in all spaces (`agnostic` or `single`)\n","examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"default":["single"],"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType"},"type":"array"}},{"description":"The page number to return","in":"query","name":"page","required":false,"schema":{"example":1,"minimum":1,"type":"integer"}},{"description":"The number of exception lists to return per page","in":"query","name":"per_page","required":false,"schema":{"example":20,"minimum":1,"type":"integer"}},{"description":"Determines which field is used to sort the results.","in":"query","name":"sort_field","required":false,"schema":{"example":"name","type":"string"}},{"description":"Determines the sort order, which can be `desc` 
or `asc`.","in":"query","name":"sort_order","required":false,"schema":{"enum":["desc","asc"],"example":"desc","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"simpleLists":{"value":{"data":[{"_version":"WzIsMV0=","created_at":"2025-01-07T19:34:27.942Z","created_by":"elastic","description":"This is a sample detection type exception list.","id":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","immutable":false,"list_id":"simple_list","name":"Detection Exception List","namespace_type":"single","os_types":[],"tags":["malware"],"tie_breaker_id":"78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3","type":"detection","updated_at":"2025-01-07T19:34:27.942Z","updated_by":"elastic","version":1}],"page":1,"per_page":20,"total":1}}},"schema":{"type":"object","properties":{"data":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionList"},"type":"array"},"page":{"minimum":1,"type":"integer"},"per_page":{"minimum":1,"type":"integer"},"total":{"minimum":0,"type":"integer"}},"required":["data","page","per_page","total"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. 
Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/exception_lists\/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get exception lists","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/exception_lists\/_import":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists\/_import<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\nImport an exception list and its associated items from an NDJSON file.","operationId":"ImportExceptionList","parameters":[{"description":"Determines whether existing exception lists with the same `list_id` are overwritten.\nIf any exception items have the same `item_id`, those are also overwritten.\n","in":"query","name":"overwrite","required":false,"schema":{"default":false,"example":false,"type":"boolean"}},{"description":"Determines whether the list being imported will have a new `list_id` generated.\nAdditional `item_id`'s are generated for each exception item. Both the exception\nlist and its items are overwritten.\n","in":"query","name":"as_new_list","required":false,"schema":{"default":false,"example":false,"type":"boolean"}}],"requestBody":{"content":{"multipart\/form-data":{"examples":{"ndjsonUpload":{"value":{"file":"exception_lists.ndjson"}}},"schema":{"type":"object","properties":{"file":{"description":"A `.ndjson` file containing the exception list","example":"{\"_version\":\"WzExNDU5LDFd\",\"created_at\":\"2025-01-09T16:18:17.757Z\",\"created_by\":\"elastic\",\"description\":\"This is a sample detection type exception\",\"id\":\"c86c2da0-2ab6-4343-b81c-216ef27e8d75\",\"immutable\":false,\"list_id\":\"simple_list\",\"name\":\"Sample Detection Exception List\",\"namespace_type\":\"single\",\"os_types\":[],\"tags\":[\"user added string for a tag\",\"malware\"],\"tie_breaker_id\":\"cf4a7b92-732d-47f0-a0d5-49a35a1736bf\",\"type\":\"detection\",\"updated_at\":\"2025-01-09T16:18:17.757Z\",\"updated_by\":\"elastic\",\"version\":1}\n{\"_version\":\"WzExNDYxLDFd\",\"comments\":[],\"created_at\":\"2025-01-09T16:18:42.308Z\",\"created_by\":\"elastic\",\"description\":\"This is a sample endpoint type exception\",\"entries\":[{\"type\":\"exists\",\"field\":\"actingProcess.file.signer\",\"operator\":\"excluded\"},{\"type\":\"match_any\",\"field\":\"host.name\",\"value\":[\"some host\",\"another 
host\"],\"operator\":\"included\"}],\"id\":\"f37597ce-eaa7-4b64-9100-4301118f6806\",\"item_id\":\"simple_list_item\",\"list_id\":\"simple_list\",\"name\":\"Sample Endpoint Exception List\",\"namespace_type\":\"single\",\"os_types\":[\"linux\"],\"tags\":[\"user added string for a tag\",\"malware\"],\"tie_breaker_id\":\"4ca3ef3e-9721-42c0-8107-cf47e094d40f\",\"type\":\"simple\",\"updated_at\":\"2025-01-09T16:18:42.308Z\",\"updated_by\":\"elastic\"}\n","format":"binary","type":"string"}}}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"withErrors":{"value":{"errors":[{"error":{"message":"Error found importing exception list: Invalid value \\\"4\\\" supplied to \\\"list_id\\\"","status_code":400},"list_id":"(unknown list_id)"},{"error":{"message":"Found that item_id: \\\"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\\\" already exists. Import of item_id: \\\"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\\\" skipped.","status_code":409},"item_id":"f7fd00bb-dba8-4c93-9d59-6cbd427b6330","list_id":"7d7cccb8-db72-4667-b1f3-648efad7c1ee"}],"success":"false,","success_count":"0,","success_count_exception_list_items":0,"success_count_exception_lists":"0,","success_exception_list_items":"false,","success_exception_lists":"false,"}},"withoutErrors":{"value":{"errors":[],"success":true,"success_count":2,"success_count_exception_list_items":1,"success_count_exception_lists":1,"success_exception_list_items":true,"success_exception_lists":"true,"}}},"schema":{"type":"object","properties":{"errors":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListsImportBulkErrorArray"},"success":{"type":"boolean"},"success_count":{"minimum":0,"type":"integer"},"success_count_exception_list_items":{"minimum":0,"type":"integer"},"success_count_exception_lists":{"minimum":0,"type":"integer"},"success_exception_list_items":{"type":"boolean"},"success_exception_lists":{"type":"boolean"}},"required":["errors","success","success_count","success_exception_lists","succes
s_count_exception_lists","success_exception_list_items","success_count_exception_list_items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"Multipart part `file` is required and must contain a valid .ndjson exception list export","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/exception_lists\/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Import an exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/exception_lists\/items":{"delete":{"description":"**Spaces method and path for 
this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an exception list item using the `id` or `item_id` field.","operationId":"DeleteExceptionListItem","parameters":[{"description":"Exception item's identifier. Either `id` or `item_id` must be specified","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemId"}},{"description":"Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified","in":"query","name":"item_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemHumanId"}},{"description":"`single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. 
Must match the list that owns the item.\n","examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType","default":"single"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"simpleExceptionItem":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. 
Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [DELETE \/api\/exception_lists\/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"exception list item item_id: \\\"foo\\\" does not exist","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list item not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete an exception list item","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of an exception list item using the `id` or `item_id` field.","operationId":"ReadExceptionListItem","parameters":[{"description":"Exception list item's identifier. Either `id` or `item_id` must be specified.","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemId"}},{"description":"Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified.","in":"query","name":"item_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemHumanId"}},{"description":"`single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. 
Must\nmatch how the list was created.\n","examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType","default":"single"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"simpleListItem":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. 
Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/exception_lists\/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"exception list item item_id: \\\"foo\\\" does not exist","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list item not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get an exception list item","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces 
method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate an exception item and associate it with the specified exception list.\n> info\n> Before creating exception items, you must create an exception list.\n","operationId":"CreateExceptionListItem","requestBody":{"content":{"application\/json":{"examples":{"simpleItem":{"value":{"description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"}],"item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"type":"simple"}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemGeneric"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemEndpointList"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemEventFilters"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemHostIsolation"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBlocklistWi
ndows"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBlocklistMac"}]}}},"description":"Exception list item's properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"autogeneratedItemId":{"value":{"_version":"WzYsMV0=","comments":[],"created_at":"2025-01-09T01:16:23.322Z","created_by":"elastic","description":"This is a sample exception that has no item_id so it is autogenerated.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"}],"id":"323faa75-c657-4fa0-9084-8827612c207b","item_id":"80e6edf7-4b13-4414-858f-2fa74aa52b37","list_id":"8c1aae4c-1ef5-4bce-a2e3-16584b501783","name":"Sample Autogenerated Exception List Item ID","namespace_type":"single","os_types":[],"tags":["malware"],"tie_breaker_id":"d6799986-3a23-4213-bc6d-ed9463a32f23","type":"simple","updated_at":"2025-01-09T01:16:23.322Z","updated_by":"elastic"}},"detectionExceptionListItem":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}},"withExistEntry":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception 
item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}},"withMatchAnyEntry":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}},"withMatchEntry":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"included","type":"match","value":"Elastic N.V."}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}},"withNestedEntry":{"value":{"_version":"WzQsMV0=","comments":[],"created_at":"2025-01-07T20:07:33.119Z","created_by":"elastic","description":"This is a sample detection type exception 
item.","entries":[{"entries":[{"field":"signer","operator":"included","type":"match","value":"Evil"},{"field":"trusted","operator":"included","type":"match","value":true}],"field":"file.signature","type":"nested"}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"09434836-9db9-4942-a234-5a9268e0b34c","type":"simple","updated_at":"2025-01-07T20:07:33.119Z","updated_by":"elastic"}},"withValueListEntry":{"value":{"_version":"WzcsMV0=","comments":[],"created_at":"2025-01-09T01:31:12.614Z","created_by":"elastic","description":"Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list","entries":[{"field":"source.ip","list":{"id":"goodguys.txt","type":"ip"},"operator":"excluded","type":"list"}],"id":"deb26876-297d-4677-8a1f-35467d2f1c4f","item_id":"686b129e-9b8d-4c59-8d8d-c93a9ea82c71","list_id":"8c1aae4c-1ef5-4bce-a2e3-16584b501783","name":"Filter out good guys ip and agent.name rock01","namespace_type":"single","os_types":[],"tags":["malware"],"tie_breaker_id":"5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8","type":"simple","updated_at":"2025-01-09T01:31:12.614Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request,","message":"[request body]: list_id: Expected string, received number","statusCode":"400,"}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: 
unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/exception_lists\/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application\/json":{"examples":{"alreadyExists":{"value":{"message":"exception list item id: \\\"simple_list_item\\\" already exists","status_code":409}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list item already exists response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create an exception list item","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an exception list item using the `id` or `item_id` 
field.","operationId":"UpdateExceptionListItem","requestBody":{"content":{"application\/json":{"examples":{"updateItem":{"value":{"description":"Updated description","id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","name":"Updated name","namespace_type":"single","type":"simple"}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemGeneric"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemEndpointList"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemEventFilters"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemHostIsolation"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac"}]}}},"description":"Exception list item's properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"simpleListItem":{"value":{"_version":"WzEyLDFd","comments":[],"created_at":"2025-01-07T21:12:25.512Z","created_by":"elastic","description":"Updated 
description","entries":[{"field":"host.name","operator":"included","type":"match","value":"rock01"}],"id":"459c5e7e-f8b2-4f0b-b136-c1fc702f72da","item_id":"simple_list_item","list_id":"simple_list","name":"Updated name","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0","type":"simple","updated_at":"2025-01-07T21:34:50.233Z","updated_by":"elastic"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItem"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: item_id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PUT \/api\/exception_lists\/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"exception list item item_id: \\\"foo\\\" does not 
exist","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list item not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Update an exception list item","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/exception_lists\/items\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists\/items\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all exception list items in the specified list.","operationId":"FindExceptionListItems","parameters":[{"description":"The `list_id`s of the items to fetch.","in":"query","name":"list_id","required":true,"schema":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"},"type":"array"}},{"description":"Filters the returned results according to the value of the specified field,\nusing the `<field name>:<field value>` syntax.\n","examples":{"singleFilter":{"value":["exception-list.attributes.name:%My%20item"]}},"in":"query","name":"filter","required":false,"schema":{"default":[],"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"type":"array"}},{"description":"Determines whether the returned containers are associated with a Kibana space\nor available in all spaces (`agnostic` or
`single`)\n","examples":{"single":{"value":["single"]}},"in":"query","name":"namespace_type","required":false,"schema":{"default":["single"],"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType"},"type":"array"}},{"description":"Free-text search term applied to exception list item fields (for example a hostname or file path fragment).\n","in":"query","name":"search","required":false,"schema":{"example":"host.name","type":"string"}},{"description":"The page number to return","in":"query","name":"page","required":false,"schema":{"example":1,"minimum":0,"type":"integer"}},{"description":"The number of exception list items to return per page","in":"query","name":"per_page","required":false,"schema":{"example":20,"minimum":0,"type":"integer"}},{"description":"Determines which field is used to sort the results.","example":"name","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"}},{"description":"Determines the sort order, which can be `desc` or `asc`.","in":"query","name":"sort_order","required":false,"schema":{"enum":["desc","asc"],"example":"desc","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"simpleListItems":{"value":{"data":[{"_version":"WzgsMV0=","comments":[],"created_at":"2025-01-07T21:12:25.512Z","created_by":"elastic","description":"This is a sample exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["jupiter","saturn"]}],"id":"459c5e7e-f8b2-4f0b-b136-c1fc702f72da","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List 
Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0","type":"simple","updated_at":"2025-01-07T21:12:25.512Z","updated_by":"elastic"}],"page":1,"per_page":20,"total":1}}},"schema":{"type":"object","properties":{"data":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItem"},"type":"array"},"page":{"minimum":1,"type":"integer"},"per_page":{"minimum":1,"type":"integer"},"pit":{"type":"string"},"total":{"minimum":0,"type":"integer"}},"required":["data","page","per_page","total"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/exception_lists\/items\/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges 
[lists-read]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"exception list list_id: \"foo\" does not exist","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get exception list items","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/exception_lists\/summary":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exception_lists\/summary<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a summary of the specified exception list.","operationId":"ReadExceptionListSummary","parameters":[{"description":"Exception list's identifier generated upon creation.","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListId"}},{"description":"Exception list's human readable identifier.","in":"query","name":"list_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"}},{"description":"`single` returns summary for a list in the current space; `agnostic` for a space-agnostic list. 
Must\nline up with `id` \/ `list_id` used to look up the list.\n","examples":{"agnostic":{"value":"agnostic"},"single":{"value":"single"}},"in":"query","name":"namespace_type","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType","default":"single"}},{"description":"Search filter clause","in":"query","name":"filter","required":false,"schema":{"example":"exception-list-agnostic.attributes.tags:\"policy:policy-1\" OR exception-list-agnostic.attributes.tags:\"policy:all\"","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"summary":{"value":{"linux":0,"macos":0,"total":0,"windows":0}}},"schema":{"type":"object","properties":{"linux":{"minimum":0,"type":"integer"},"macos":{"minimum":0,"type":"integer"},"total":{"minimum":0,"type":"integer"},"windows":{"minimum":0,"type":"integer"}}}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: namespace_type.0: Invalid enum value. 
Expected 'agnostic' | 'single', received 'blob'","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/exception_lists\/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message\"":"exception list id: \"foo\" does not exist","status_code\"":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get an exception list summary","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/exceptions\/shared":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/exceptions\/shared<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nAn exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules.\n> info\n> All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.\n","operationId":"CreateSharedExceptionList","requestBody":{"content":{"application\/json":{"schema":{"example":{"description":"This is a sample detection type exception list.","list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":["linux"],"tags":["malware"]},"type":"object","properties":{"description":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListDescription"},"name":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListName"}},"required":["name","description"]}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"sharedList":{"value":{"_version":"WzIsMV0=","created_at":"2025-01-07T19:34:27.942Z","created_by":"elastic","description":"This is a sample detection type exception list.","id":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception 
List","namespace_type":"single","os_types":["linux"],"tags":["malware"],"tie_breaker_id":"78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3","type":"detection","updated_at":"2025-01-07T19:34:27.942Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionList"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: list_id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"message":"Unable to create exception-list","status_code":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application\/json":{"examples":{"alreadyExists":{"value":{"message":"exception list id: \"simple_list\" already exists","status_code":409}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Exception list already exists response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server 
Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create a shared exception list","tags":["Security Exceptions API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_download_sources":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_download_sources<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all agent binary download sources.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.","operationId":"get-fleet-agent-download-sources","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getDownloadSourcesExample":{"description":"List of agent binary download sources","value":{"items":[{"host":"https:\/\/artifacts.elastic.co\/downloads\/","id":"download-source-id-1","is_default":true,"name":"Elastic Artifacts"}],"page":1,"perPage":20,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"api_key":{"type":"string"},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"password":{"type":"string"},"username":{"type":"string"}}},"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. 
See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"type":"object","properties":{"api_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"password":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["id","name","host"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get agent binary download sources","tags":["Elastic Agent binary download sources"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_download_sources<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new agent binary download source.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-agent-download-sources","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postDownloadSourceRequestExample":{"description":"Create a new agent binary download source","value":{"host":"https:\/\/my-custom-host.example.com\/downloads\/","is_default":false,"name":"My custom download source"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"api_key":{"type":"string"},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"password":{"type":"string"},"username":{"type":"string"}}},"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. 
See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"type":"object","properties":{"api_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"password":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["name","host"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postDownloadSourceExample":{"description":"The created agent binary download source","value":{"item":{"host":"https:\/\/my-custom-host.example.com\/downloads\/","id":"download-source-id-2","is_default":false,"name":"My custom download source"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"api_key":{"type":"string"},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"password":{"type":"string"},"username":{"type":"string"}}},"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. 
See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"type":"object","properties":{"api_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"password":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["id","name","host"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Create an agent binary download source","tags":["Elastic Agent binary download sources"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_download_sources\/{sourceId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_download_sources\/{sourceId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an agent binary download source by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"delete-fleet-agent-download-sources-sourceid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"sourceId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteDownloadSourceExample":{"description":"The download source was successfully deleted","value":{"id":"download-source-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No download source was found with the given ID","value":{"error":"Not Found","message":"Agent binary source download-source-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Delete an agent binary download source","tags":["Elastic Agent binary download sources"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_download_sources\/{sourceId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet an agent binary download source by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.","operationId":"get-fleet-agent-download-sources-sourceid","parameters":[{"in":"path","name":"sourceId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getDownloadSourceExample":{"description":"An agent binary download source","value":{"item":{"host":"https:\/\/artifacts.elastic.co\/downloads\/","id":"download-source-id-1","is_default":true,"name":"Elastic Artifacts"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"api_key":{"type":"string"},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"password":{"type":"string"},"username":{"type":"string"}}},"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. 
See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"type":"object","properties":{"api_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"password":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["id","name","host"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No download source was found with the given ID","value":{"error":"Not Found","message":"Agent binary source download-source-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Get an agent binary download source","tags":["Elastic Agent binary download sources"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_download_sources\/{sourceId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an agent binary download source by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"put-fleet-agent-download-sources-sourceid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"sourceId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putDownloadSourceRequestExample":{"description":"Update an agent binary download source","value":{"host":"https:\/\/updated-host.example.com\/downloads\/","is_default":false,"name":"Updated download source"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"api_key":{"type":"string"},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"password":{"type":"string"},"username":{"type":"string"}}},"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. 
See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"type":"object","properties":{"api_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"password":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["name","host"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putDownloadSourceExample":{"description":"The updated agent binary download source","value":{"item":{"host":"https:\/\/updated-host.example.com\/downloads\/","id":"download-source-id-1","is_default":false,"name":"Updated download source"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"api_key":{"type":"string"},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"password":{"type":"string"},"username":{"type":"string"}}},"host":{"format":"uri","type":"string"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"description":"The ID of the proxy to use for this download source. 
See the proxies API for more information.","nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"type":"object","properties":{"api_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"password":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"}}}},"required":["id","name","host"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No download source was found with the given ID","value":{"error":"Not Found","message":"Download source download-source-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Update an agent binary download source","tags":["Elastic Agent binary download sources"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_policies":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all agent policies.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.","operationId":"get-fleet-agent-policies","parameters":[{"in":"query","name":"page","required":false,"schema":{"type":"number"}},{"in":"query","name":"perPage","required":false,"schema":{"type":"number"}},{"in":"query","name":"sortField","required":false,"schema":{"type":"string"}},{"in":"query","name":"sortOrder","required":false,"schema":{"enum":["desc","asc"],"type":"string"}},{"in":"query","name":"showUpgradeable","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}},{"description":"use withAgentCount instead","in":"query","name":"noAgentCount","required":false,"schema":{"deprecated":true,"type":"boolean"}},{"description":"get policies with agent count","in":"query","name":"withAgentCount","required":false,"schema":{"type":"boolean"}},{"description":"get full policies with package policies populated","in":"query","name":"full","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentPoliciesExample":{"description":"List of agent policies","value":{"items":[{"description":"A sample agent policy","id":"agent-policy-id-1","is_managed":false,"is_protected":false,"name":"My agent 
policy","namespace":"default","revision":1,"status":"active","updated_at":"2024-01-15T10:00:00.000Z","updated_by":"user1"}],"page":1,"perPage":20,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_features_disable_policy_change_acks_enabled":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"agents_per_version":{"items":{"additionalProperties":false,"type":"object","properties":{"count":{"type":"number"},"version":{"type":"string"}},"required":["version","count"]},"maxItems":1000,"type":"array"},"created_at":{"type":"string"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"do
wnload_source_id":{"nullable":true,"type":"string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":100,"type":"array"},"has_agent_version_conditions":{"type":"boolean"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"is_verifier":{"description":"Indicates this is a short-lived verifier policy used for OTel permission verification.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs\/metrics collection will be 
disabled","nullable":true,"type":"boolean"},"min_agent_version":{"nullable":true,"type":"string"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{"nullable":true},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_agent_version_conditions":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"},"version_condition":{"type":"string"}},"required":["name","title","version_condition"]},"maxItems":1000,"nullable":true,"type":"array"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get agent policies","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new agent policy.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-all.","operationId":"post-fleet-agent-policies","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"sys_monitoring","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"postAgentPolicyRequestExample":{"description":"Create a new agent policy","value":{"description":"A sample agent policy","monitoring_enabled":["logs","metrics"],"name":"My agent 
policy","namespace":"default"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_features_disable_policy_change_acks_enabled":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fleet_server_host_id":{"nullable":true,"type":"string"},"force":{"type":"boolean"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. 
The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":100,"type":"array"},"has_agent_version_conditions":{"type":"boolean"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_protected":{"type":"boolean"},"is_verifier":{"description":"Indicates this is a short-lived verifier policy used for OTel permission verification.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs\/metrics collection will be disabled","nullable":true,"type":"boolean"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{"nullable":true},"description":"Override settings that are defined in the agent policy. 
Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"deprecated":true,"description":"Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"}},"required":["name","namespace"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postAgentPolicyExample":{"description":"The created agent policy","value":{"item":{"description":"A sample agent policy","id":"agent-policy-id-2","is_managed":false,"is_protected":false,"name":"My agent 
policy","namespace":"default","revision":1,"status":"active","updated_at":"2024-01-15T10:00:00.000Z","updated_by":"user1"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_features_disable_policy_change_acks_enabled":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"agents_per_version":{"items":{"additionalProperties":false,"type":"object","properties":{"count":{"type":"number"},"version":{"type":"string"}},"required":["version","count"]},"maxItems":1000,"type":"array"},"created_at":{"type":"string"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"
string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":100,"type":"array"},"has_agent_version_conditions":{"type":"boolean"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"is_verifier":{"description":"Indicates this is a short-lived verifier policy used for OTel permission verification.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs\/metrics collection will be 
disabled","nullable":true,"type":"boolean"},"min_agent_version":{"nullable":true,"type":"string"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{"nullable":true},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_agent_version_conditions":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"},"version_condition":{"type":"string"}},"required":["name","title","version_condition"]},"maxItems":1000,"nullable":true,"type":"array"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Create an 
agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_policies\/_bulk_get":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies\/_bulk_get<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet multiple agent policies by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.","operationId":"post-fleet-agent-policies-bulk-get","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkGetAgentPoliciesRequestExample":{"description":"Retrieve multiple agent policies by ID","value":{"ids":["agent-policy-id-1","agent-policy-id-2"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"full":{"description":"get full policies with package policies populated","type":"boolean"},"ids":{"description":"list of package policy ids","items":{"type":"string"},"maxItems":1000,"type":"array"},"ignoreMissing":{"type":"boolean"}},"required":["ids"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkGetAgentPoliciesExample":{"description":"The requested agent policies","value":{"items":[{"id":"agent-policy-id-1","is_managed":false,"is_protected":false,"name":"My agent 
policy","namespace":"default","revision":1,"status":"active","updated_at":"2024-01-15T10:00:00.000Z","updated_by":"user1"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_features_disable_policy_change_acks_enabled":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"agents_per_version":{"items":{"additionalProperties":false,"type":"object","properties":{"count":{"type":"number"},"version":{"type":"string"}},"required":["version","count"]},"maxItems":1000,"type":"array"},"created_at":{"type":"string"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":tr
ue,"type":"string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":100,"type":"array"},"has_agent_version_conditions":{"type":"boolean"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"is_verifier":{"description":"Indicates this is a short-lived verifier policy used for OTel permission verification.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs\/metrics collection will be 
disabled","nullable":true,"type":"boolean"},"min_agent_version":{"nullable":true,"type":"string"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{"nullable":true},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_agent_version_conditions":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"},"version_condition":{"type":"string"}},"required":["name","title","version_condition"]},"maxItems":1000,"nullable":true,"type":"array"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"One or more agent policies were not found","value":{"error":"Not Found","message":"An error message describing what went wrong","statusCode":404}}}}},"description":"Not Found"}},"summary":"Bulk get agent policies","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_policies\/{agentPolicyId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies\/{agentPolicyId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet an agent policy by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.","operationId":"get-fleet-agent-policies-agentpolicyid","parameters":[{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentPolicyExample":{"description":"An agent policy","value":{"item":{"description":"A sample agent policy","id":"agent-policy-id-1","is_managed":false,"is_protected":false,"name":"My agent 
policy","namespace":"default","revision":1,"status":"active","updated_at":"2024-01-15T10:00:00.000Z","updated_by":"user1"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_features_disable_policy_change_acks_enabled":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"agents_per_version":{"items":{"additionalProperties":false,"type":"object","properties":{"count":{"type":"number"},"version":{"type":"string"}},"required":["version","count"]},"maxItems":1000,"type":"array"},"created_at":{"type":"string"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"
string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":100,"type":"array"},"has_agent_version_conditions":{"type":"boolean"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"is_verifier":{"description":"Indicates this is a short-lived verifier policy used for OTel permission verification.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs\/metrics collection will be 
disabled","nullable":true,"type":"boolean"},"min_agent_version":{"nullable":true,"type":"string"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{"nullable":true},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_agent_version_conditions":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"},"version_condition":{"type":"string"}},"required":["name","title","version_condition"]},"maxItems":1000,"nullable":true,"type":"array"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad 
Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No agent policy was found with the given ID","value":{"error":"Not Found","message":"Agent policy not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Get an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies\/{agentPolicyId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an agent policy by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-all.","operationId":"put-fleet-agent-policies-agentpolicyid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putAgentPolicyRequestExample":{"description":"Update an agent policy","value":{"description":"An updated agent policy description","monitoring_enabled":["logs"],"name":"Updated agent 
policy","namespace":"default"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_features_disable_policy_change_acks_enabled":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"bumpRevision":{"type":"boolean"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fleet_server_host_id":{"nullable":true,"type":"string"},"force":{"type":"boolean"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. 
The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":100,"type":"array"},"has_agent_version_conditions":{"type":"boolean"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_protected":{"type":"boolean"},"is_verifier":{"description":"Indicates this is a short-lived verifier policy used for OTel permission verification.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs\/metrics collection will be disabled","nullable":true,"type":"boolean"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{"nullable":true},"description":"Override settings that are defined in the agent policy. 
Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"deprecated":true,"description":"Indicates whether the agent policy supports agentless integrations. Deprecated in favor of the Fleet agentless policies API.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"}},"required":["name","namespace"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putAgentPolicyExample":{"description":"The updated agent policy","value":{"item":{"description":"An updated agent policy description","id":"agent-policy-id-1","is_managed":false,"is_protected":false,"name":"Updated agent 
policy","namespace":"default","revision":2,"status":"active","updated_at":"2024-01-15T11:00:00.000Z","updated_by":"user1"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_features_disable_policy_change_acks_enabled":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"agents_per_version":{"items":{"additionalProperties":false,"type":"object","properties":{"count":{"type":"number"},"version":{"type":"string"}},"required":["version","count"]},"maxItems":1000,"type":"array"},"created_at":{"type":"string"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"
string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":100,"type":"array"},"has_agent_version_conditions":{"type":"boolean"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. Default false.","type":"boolean"},"is_verifier":{"description":"Indicates this is a short-lived verifier policy used for OTel permission verification.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs\/metrics collection will be 
disabled","nullable":true,"type":"boolean"},"min_agent_version":{"nullable":true,"type":"string"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{"nullable":true},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_agent_version_conditions":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"},"version_condition":{"type":"string"}},"required":["name","title","version_condition"]},"maxItems":1000,"nullable":true,"type":"array"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Update an 
agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_policies\/{agentPolicyId}\/auto_upgrade_agents_status":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies\/{agentPolicyId}\/auto_upgrade_agents_status<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the auto-upgrade status for agents assigned to an agent policy.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status","parameters":[{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAutoUpgradeAgentsStatusExample":{"description":"Auto-upgrade status for agents in the policy","value":{"agentsCount":5,"currentVersion":"8.16.0","failedAgentsCount":0,"upgradedAgentsCount":3,"upgradingAgentsCount":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"currentVersions":{"items":{"additionalProperties":false,"type":"object","properties":{"agents":{"description":"Number of agents that upgraded to this version","type":"number"},"failedUpgradeActionIds":{"description":"List of action IDs related to failed upgrades","items":{"type":"string"},"maxItems":1000,"type":"array"},"failedUpgradeAgents":{"description":"Number of agents that failed to upgrade to this version","type":"number"},"inProgressUpgradeActionIds":{"description":"List of action IDs related to in-progress upgrades","items":{"type":"string"},"maxItems":1000,"type":"array"},"inProgressUpgradeAgents":{"description":"Number of agents that are upgrading to this 
version","type":"number"},"version":{"description":"Agent version","type":"string"}},"required":["version","agents","failedUpgradeAgents","inProgressUpgradeAgents"]},"maxItems":10000,"type":"array"},"totalAgents":{"type":"number"}},"required":["currentVersions","totalAgents"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get auto upgrade agent status","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_policies\/{agentPolicyId}\/copy":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies\/{agentPolicyId}\/copy<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCopy an agent policy by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-all.","operationId":"post-fleet-agent-policies-agentpolicyid-copy","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postCopyAgentPolicyRequestExample":{"description":"Copy an agent policy with a new name","value":{"description":"A copy of the original agent policy","name":"Copy of my agent policy"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"name":{"minLength":1,"type":"string"}},"required":["name"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postCopyAgentPolicyExample":{"description":"The copied agent policy","value":{"item":{"description":"A copy of the original agent policy","id":"agent-policy-id-copy-1","is_managed":false,"is_protected":false,"name":"Copy of my agent policy","namespace":"default","revision":1,"status":"active","updated_at":"2024-01-15T11:00:00.000Z","updated_by":"user1"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"advanced_settings":{"additionalProperties":false,"type":"object","properties":{"agent_download_target_directory":{"nullable":true},"agent_download_timeout":{"nullable":true},"agent_features_disable_policy_change_acks_enabled":{"nullable":true},"agent_internal":{"nullable":true},"agent_limits_go_max_procs":{"nullable":true},"agent_logging_files_interval":{"nullable":true},"agent_logging_files_keepfiles":{"nullable":true},"agent_logging_files_rotateeverybytes":{"nullable":true},"agent_logging_level":{"nullable":true},"agent_logging_metrics_period":{"nullable":true},"agent_logging_to_files":{"nullable":true},"agent_monitoring_runtime_experimental":{"nullable":true}}},"agent_features":{"items":{"additionalProperties":false,"type":"ob
ject","properties":{"enabled":{"type":"boolean"},"name":{"type":"string"}},"required":["name","enabled"]},"maxItems":100,"type":"array"},"agentless":{"additionalProperties":false,"type":"object","properties":{"cloud_connectors":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"target_csp":{"enum":["aws","azure","gcp"],"type":"string"}},"required":["enabled"]},"resources":{"additionalProperties":false,"type":"object","properties":{"requests":{"additionalProperties":false,"type":"object","properties":{"cpu":{"type":"string"},"memory":{"type":"string"}}}}}}},"agents":{"type":"number"},"agents_per_version":{"items":{"additionalProperties":false,"type":"object","properties":{"count":{"type":"number"},"version":{"type":"string"}},"required":["version","count"]},"maxItems":1000,"type":"array"},"created_at":{"type":"string"},"data_output_id":{"nullable":true,"type":"string"},"description":{"type":"string"},"download_source_id":{"nullable":true,"type":"string"},"fips_agents":{"type":"number"},"fleet_server_host_id":{"nullable":true,"type":"string"},"global_data_tags":{"description":"User defined data tags that are added to all of the inputs. The values can be strings or numbers.","items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["name","value"]},"maxItems":100,"type":"array"},"has_agent_version_conditions":{"type":"boolean"},"has_fleet_server":{"type":"boolean"},"id":{"type":"string"},"inactivity_timeout":{"default":1209600,"minimum":0,"type":"number"},"is_default":{"type":"boolean"},"is_default_fleet_server":{"type":"boolean"},"is_managed":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"is_protected":{"description":"Indicates whether the agent policy has tamper protection enabled. 
Default false.","type":"boolean"},"is_verifier":{"description":"Indicates this is a short-lived verifier policy used for OTel permission verification.","type":"boolean"},"keep_monitoring_alive":{"default":false,"description":"When set to true, monitoring will be enabled but logs\/metrics collection will be disabled","nullable":true,"type":"boolean"},"min_agent_version":{"nullable":true,"type":"string"},"monitoring_diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"monitoring_enabled":{"items":{"enum":["logs","metrics","traces"],"type":"string"},"maxItems":3,"type":"array"},"monitoring_http":{"additionalProperties":false,"type":"object","properties":{"buffer":{"additionalProperties":false,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"maximum":65353,"minimum":0,"type":"number"}}},"monitoring_output_id":{"nullable":true,"type":"string"},"monitoring_pprof_enabled":{"type":"boolean"},"name":{"minLength":1,"type":"string"},"namespace":{"minLength":1,"type":"string"},"overrides":{"additionalProperties":{"nullable":true},"description":"Override settings that are defined in the agent policy. Input settings cannot be overridden. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object"},"package_agent_version_conditions":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"},"version_condition":{"type":"string"}},"required":["name","title","version_condition"]},"maxItems":1000,"nullable":true,"type":"array"},"package_policies":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"description":"This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter","items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}]},"required_versions":{"items":{"additionalProperties":false,"type":"object","properties":{"percentage":{"description":"Target percentage of agents to auto upgrade","maximum":100,"minimum":0,"type":"number"},"version":{"description":"Target version for automatic agent upgrade","type":"string"}},"required":["version","percentage"]},"maxItems":100,"nullable":true,"type":"array"},"revision":{"type":"number"},"schema_version":{"type":"string"},"space_ids":{"items":{"type":"string"},"maxItems":100,"type":"array"},"status":{"enum":["active","inactive"],"type":"string"},"supports_agentless":{"default":false,"description":"Indicates whether the agent policy supports agentless integrations.","nullable":true,"type":"boolean"},"unenroll_timeout":{"minimum":0,"type":"number"},"unprivileged_agents":{"type":"number"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"version":{"type":"string"}},"required":["id","name","namespace","is_protected","status","updated_at","updated_by","revision"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Copy an 
agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_policies\/{agentPolicyId}\/download":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies\/{agentPolicyId}\/download<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDownload an agent policy by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.","operationId":"get-fleet-agent-policies-agentpolicyid-download","parameters":[{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}},{"description":"If true, returns the policy as a downloadable file","in":"query","name":"download","required":false,"schema":{"type":"boolean"}},{"description":"If true, returns the policy formatted for standalone agents","in":"query","name":"standalone","required":false,"schema":{"type":"boolean"}},{"description":"If true, returns the policy formatted for Kubernetes deployment","in":"query","name":"kubernetes","required":false,"schema":{"type":"boolean"}},{"description":"If provided, returns the policy at the specified revision. 
Cannot be used with standalone or kubernetes flags.","in":"query","name":"revision","required":false,"schema":{"type":"number"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getDownloadAgentPolicyExample":{"description":"The agent policy download response","value":{"item":"id: agent-policy-id-1\\nrevision: 1\\noutputs:\\n  default:\\n    type: elasticsearch\\n    hosts:\\n      - https:\/\/elasticsearch.example.com:9200\\n"}}},"schema":{"type":"string"}}},"description":"Successful response \u2014 returns the agent policy as a YAML file download"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No agent policy was found with the given ID","value":{"error":"Not Found","message":"Agent policy not found","statusCode":404}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Not Found"}},"summary":"Download an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_policies\/{agentPolicyId}\/full":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies\/{agentPolicyId}\/full<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a full agent policy by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read.","operationId":"get-fleet-agent-policies-agentpolicyid-full","parameters":[{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}},{"description":"If true, returns the policy as a downloadable file","in":"query","name":"download","required":false,"schema":{"type":"boolean"}},{"description":"If true, returns the policy formatted for standalone agents","in":"query","name":"standalone","required":false,"schema":{"type":"boolean"}},{"description":"If true, returns the policy formatted for Kubernetes deployment","in":"query","name":"kubernetes","required":false,"schema":{"type":"boolean"}},{"description":"If provided, returns the policy at the specified revision. 
Cannot be used with standalone or kubernetes flags.","in":"query","name":"revision","required":false,"schema":{"type":"number"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getFullAgentPolicyExample":{"description":"The full agent policy configuration","value":{"item":{"agent":{"monitoring":{"logs":true,"metrics":true}},"id":"agent-policy-id-1","inputs":[],"outputs":{"default":{"hosts":["https:\/\/elasticsearch.example.com:9200"],"type":"elasticsearch"}},"revision":1}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"anyOf":[{"type":"string"},{"additionalProperties":false,"type":"object","properties":{"agent":{"additionalProperties":false,"type":"object","properties":{"download":{"additionalProperties":false,"type":"object","properties":{"auth":{"additionalProperties":false,"type":"object","properties":{"api_key":{"type":"string"},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"password":{"type":"string"},"username":{"type":"string"}}},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"proxy_url":{"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"additionalProperties":true,"type":"object","properties":{"id":{"type":"string"}}}},"required":["key"]}}},"sourceURI":{"type":"string"},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"renegotiation":{"type":"string"},"verification_mode":{"type":"string"}}},"target_directory":{"type":"string"},"timeout":{"type":"string"}},"required":["sourceURI"]},"features":{"additionalProperties":{"
additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"}},"required":["enabled"]},"type":"object"},"internal":{"nullable":true},"limits":{"additionalProperties":false,"type":"object","properties":{"go_max_procs":{"type":"number"}}},"logging":{"additionalProperties":false,"type":"object","properties":{"files":{"additionalProperties":false,"type":"object","properties":{"interval":{"type":"string"},"keepfiles":{"type":"number"},"rotateeverybytes":{"type":"number"}}},"level":{"type":"string"},"metrics":{"additionalProperties":false,"type":"object","properties":{"period":{"type":"string"}}},"to_files":{"type":"boolean"}}},"monitoring":{"additionalProperties":false,"type":"object","properties":{"_runtime_experimental":{"type":"string"},"apm":{"nullable":true},"diagnostics":{"additionalProperties":false,"type":"object","properties":{"limit":{"additionalProperties":false,"type":"object","properties":{"burst":{"type":"number"},"interval":{"type":"string"}}},"uploader":{"additionalProperties":false,"type":"object","properties":{"init_dur":{"type":"string"},"max_dur":{"type":"string"},"max_retries":{"type":"number"}}}}},"enabled":{"type":"boolean"},"http":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"host":{"type":"string"},"port":{"type":"number"}}},"logs":{"type":"boolean"},"metrics":{"type":"boolean"},"namespace":{"type":"string"},"pprof":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"}},"required":["enabled"]},"traces":{"type":"boolean"},"use_output":{"type":"string"}},"required":["enabled","metrics","logs","traces","apm"]},"protection":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"signing_key":{"type":"string"},"uninstall_token_hash":{"type":"string"}},"required":["enabled","uninstall_token_hash","signing_key"]}},"required":["monitoring","download","features","internal"]},"connectors":{"additionalProperties":{"nullab
le":true},"type":"object"},"exporters":{"additionalProperties":{"nullable":true},"type":"object"},"extensions":{"additionalProperties":{"nullable":true},"type":"object"},"fleet":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hosts":{"items":{"type":"string"},"maxItems":100,"type":"array"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"proxy_url":{"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"additionalProperties":true,"type":"object","properties":{"id":{"type":"string"}}}},"required":["key"]}}},"ssl":{"additionalProperties":false,"type":"object","properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"renegotiation":{"type":"string"},"verification_mode":{"type":"string"}}}},"required":["hosts"]},{"additionalProperties":false,"type":"object","properties":{"kibana":{"additionalProperties":false,"type":"object","properties":{"hosts":{"items":{"type":"string"},"maxItems":100,"type":"array"},"path":{"type":"string"},"protocol":{"type":"string"}},"required":["hosts","protocol"]}},"required":["kibana"]}]},"id":{"type":"string"},"inputs":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"additionalProperties":true,"type":"object","properties":{"namespace":{"type":"string"}},"required":["namespace"]},"id":{"type":"string"},"meta":{"additionalProperties":true,"type":"object","properties":{"package":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"},"version":{"type":"string"}},"required":["name","version"]}}},"name":{"type":"string"},"package_policy_id":{"type":"string"},"processors":{"items":{"additionalProperties":true,"type":"object","properties":{"add_fields":{"additionalProperties":tr
ue,"type":"object","properties":{"fields":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"}]},"type":"object"},"target":{"type":"string"}},"required":["target","fields"]}},"required":["add_fields"]},"maxItems":10000,"type":"array"},"revision":{"type":"number"},"streams":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"additionalProperties":true,"type":"object","properties":{"dataset":{"type":"string"},"type":{"type":"string"}},"required":["dataset"]},"id":{"type":"string"}},"required":["id","data_stream"]},"maxItems":10000,"type":"array"},"type":{"type":"string"},"use_output":{"type":"string"}},"required":["id","name","revision","type","data_stream","use_output","package_policy_id"]},"maxItems":10000,"type":"array"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"output_permissions":{"additionalProperties":{"additionalProperties":{"nullable":true},"type":"object"},"type":"object"},"outputs":{"additionalProperties":{"additionalProperties":true,"type":"object","properties":{"ca_sha256":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":100,"type":"array"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"proxy_url":{"type":"string"},"type":{"type":"string"}},"required":["type"]},"type":"object"},"processors":{"additionalProperties":{"nullable":true},"type":"object"},"receivers":{"additionalProperties":{"nullable":true},"type":"object"},"revision":{"type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10000,"type":"array"},"service":{"additionalProperties":false,"type":"object","properties":{"extensions":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"pipelines":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"exporters":{
"items":{"type":"string"},"maxItems":1000,"type":"array"},"processors":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"receivers":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},"x-oas-optional":true},"type":"object"}}},"signed":{"additionalProperties":false,"type":"object","properties":{"data":{"type":"string"},"signature":{"type":"string"}},"required":["data","signature"]}},"required":["id","outputs","inputs"]}]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No agent policy was found with the given ID","value":{"error":"Not Found","message":"Agent policy not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Get a full agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_policies\/{agentPolicyId}\/outputs":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies\/{agentPolicyId}\/outputs<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of outputs associated with agent policy by policy id.<br\/><br\/>[Required authorization] Route required privileges: 
fleet-agent-policies-read AND fleet-settings-read.","operationId":"get-fleet-agent-policies-agentpolicyid-outputs","parameters":[{"in":"path","name":"agentPolicyId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentPolicyOutputsExample":{"description":"Outputs associated with the agent policy","value":{"item":{"data_output":{"id":"output-id-1","name":"Default output","type":"elasticsearch"},"monitoring_output":{"id":"output-id-1","name":"Default output","type":"elasticsearch"}}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"agentPolicyId":{"type":"string"},"data":{"additionalProperties":false,"type":"object","properties":{"integrations":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"integrationPolicyName":{"type":"string"},"name":{"type":"string"},"pkgName":{"type":"string"}}},"maxItems":1000,"type":"array"},"output":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name"]}},"required":["output"]},"monitoring":{"additionalProperties":false,"type":"object","properties":{"output":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name"]}},"required":["output"]}},"required":["monitoring","data"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No agent policy was found with the given ID","value":{"error":"Not Found","message":"Agent policy not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Get outputs for an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_policies\/delete":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies\/delete<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an agent policy by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-all.","operationId":"post-fleet-agent-policies-delete","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postDeleteAgentPolicyRequestExample":{"description":"Delete an agent policy by ID","value":{"agentPolicyId":"agent-policy-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agentPolicyId":{"type":"string"},"force":{"description":"bypass validation checks that can prevent agent policy deletion","type":"boolean"}},"required":["agentPolicyId"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postDeleteAgentPolicyExample":{"description":"The agent policy was successfully 
deleted","value":{"id":"agent-policy-id-1","name":"My agent policy"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Delete an agent policy","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_policies\/outputs":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_policies\/outputs<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of outputs associated with agent policies.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.","operationId":"post-fleet-agent-policies-outputs","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postListAgentPolicyOutputsRequestExample":{"description":"Get outputs for multiple agent 
policies","value":{"ids":["agent-policy-id-1","agent-policy-id-2"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"ids":{"description":"list of package policy ids","items":{"type":"string"},"maxItems":1000,"type":"array"}},"required":["ids"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postListAgentPolicyOutputsExample":{"description":"Outputs associated with the requested agent policies","value":{"items":[{"agent_policy_id":"agent-policy-id-1","data_output":{"id":"output-id-1","name":"Default output","type":"elasticsearch"},"monitoring_output":{"id":"output-id-1","name":"Default output","type":"elasticsearch"}}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"agentPolicyId":{"type":"string"},"data":{"additionalProperties":false,"type":"object","properties":{"integrations":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"integrationPolicyName":{"type":"string"},"name":{"type":"string"},"pkgName":{"type":"string"}}},"maxItems":1000,"type":"array"},"output":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name"]}},"required":["output"]},"monitoring":{"additionalProperties":false,"type":"object","properties":{"output":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name"]}},"required":["output"]}},"required":["monitoring","data"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get outputs for agent policies","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_status":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_status<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a summary of agent statuses for a given agent policy.","operationId":"get-fleet-agent-status","parameters":[{"in":"query","name":"policyId","required":false,"schema":{"type":"string"}},{"in":"query","name":"policyIds","required":false,"schema":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentStatusExample":{"description":"Agent status summary for an agent 
policy","value":{"results":{"error":1,"offline":2,"online":5,"other":0,"updating":0},"totalInactive":0}}},"schema":{"additionalProperties":false,"type":"object","properties":{"results":{"additionalProperties":false,"type":"object","properties":{"active":{"type":"number"},"all":{"type":"number"},"error":{"type":"number"},"events":{"type":"number"},"inactive":{"type":"number"},"offline":{"type":"number"},"online":{"type":"number"},"orphaned":{"type":"number"},"other":{"type":"number"},"unenrolled":{"type":"number"},"uninstalled":{"type":"number"},"updating":{"type":"number"}},"required":["events","online","error","offline","other","updating","inactive","unenrolled","all","active"]}},"required":["results"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get an agent status summary","tags":["Elastic Agent status"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agent_status\/data":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agent_status\/data<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the data streams that an agent is actively sending data to.<br\/><br\/>[Required authorization] Route required privileges: 
fleet-agents-read.","operationId":"get-fleet-agent-status-data","parameters":[{"in":"query","name":"agentsIds","required":true,"schema":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},{"in":"query","name":"pkgName","required":false,"schema":{"type":"string"}},{"in":"query","name":"pkgVersion","required":false,"schema":{"type":"string"}},{"in":"query","name":"previewData","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentDataExample":{"description":"Data streams the agent is actively sending data to","value":{"items":[{"data":{"logs-nginx.access-default":[{"id":"agent-id-1","name":"my-host"}]}}],"total":1,"totalMonitoring":0}}},"schema":{"additionalProperties":false,"type":"object","properties":{"dataPreview":{"items":{"nullable":true},"maxItems":10000,"type":"array"},"items":{"items":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"data":{"type":"boolean"}},"required":["data"]},"type":"object"},"maxItems":10000,"type":"array"}},"required":["items","dataPreview"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get incoming agent data","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agentless_policies":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agentless_policies<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate an agentless policy","operationId":"post-fleet-agentless-policies","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The format of the response package policy.","in":"query","name":"format","required":false,"schema":{"default":"simplified","enum":["legacy","simplified"],"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createAgentlessPoliciesRequestExample":{"description":"Example request to create agentless policies","value":{"description":"test","inputs":{"ESS Billing-cel":{"enabled":true,"streams":{"ess_billing.billing":{"enabled":true,"vars":{"hide_sensitive":true,"http_client_timeout":"30s","lookbehind":365,"tags":["forwarded","billing"]}},"ess_billing.credits":{"enabled":false}},"vars":{"api_key":"<REPLACE_WITH_YOUR_API_KEY>","organization_id":"1234"}}},"name":"ess_billing-1","namespace":"default","package":{"name":"ess_billing","version":"1.6.0"}}},"createAgentlessPoliciesReuseAWSCloudConnectorExample":{"description":"Example request to create agentless policy reusing an existing AWS cloud connector","value":{"cloud_connector":{"cloud_connector_id":"existing-aws-connector-id","target_csp":"aws"},"description":"CSPM integration for AWS reusing existing cloud 
connector","inputs":{"cspm-cloudbeat\/cis_aws":{"enabled":true,"streams":{"cloud_security_posture.findings":{"enabled":true,"vars":{"aws.account_type":"organization-account","aws.credentials.type":"cloud_connector","aws.supports_cloud_connectors":true,"external_id":{"id":"ABCDEFGHIJKLMNOPQRST","isSecretRef":true},"role_arn":"arn:aws:iam::123456789012:role\/TestRole"}}},"vars":{"cloud_formation_template":"https:\/\/console.aws.amazon.com\/cloudformation\/home#\/stacks\/quickcreate?templateURL=https:\/\/elastic-cspm-cft.s3.eu-central-1.amazonaws.com\/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml"}},"cspm-cloudbeat\/cis_azure":{"enabled":false},"cspm-cloudbeat\/cis_gcp":{"enabled":false}},"name":"cspm-aws-reuse-policy","namespace":"default","package":{"name":"cloud_security_posture","version":"3.1.1"},"vars":{"deployment":"aws","posture":"cspm"}}},"createAgentlessPoliciesWithAWSCloudConnectorExample":{"description":"Example request to create agentless policy with AWS cloud connector","value":{"cloud_connector":{"target_csp":"aws"},"description":"CSPM integration for AWS with cloud 
connector","inputs":{"cspm-cloudbeat\/cis_aws":{"enabled":true,"streams":{"cloud_security_posture.findings":{"enabled":true,"vars":{"aws.account_type":"organization-account","aws.credentials.type":"cloud_connector","aws.supports_cloud_connectors":true,"external_id":{"id":"ABCDEFGHIJKLMNOPQRST","isSecretRef":true},"role_arn":"arn:aws:iam::123456789012:role\/TestRole"}}},"vars":{"cloud_formation_template":"https:\/\/console.aws.amazon.com\/cloudformation\/home#\/stacks\/quickcreate?templateURL=https:\/\/elastic-cspm-cft.s3.eu-central-1.amazonaws.com\/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml"}},"cspm-cloudbeat\/cis_azure":{"enabled":false},"cspm-cloudbeat\/cis_gcp":{"enabled":false}},"name":"cspm-aws-policy","namespace":"default","package":{"name":"cloud_security_posture","version":"3.1.1"},"vars":{"deployment":"aws","posture":"cspm"}}},"createAgentlessPoliciesWithAzureCloudConnectorExample":{"description":"Example request to create agentless policy with Azure cloud connector","value":{"cloud_connector":{"target_csp":"azure"},"description":"CSPM integration for Azure with cloud connector","inputs":{"cspm-cloudbeat\/cis_aws":{"enabled":false},"cspm-cloudbeat\/cis_azure":{"enabled":true,"streams":{"cloud_security_posture.findings":{"enabled":true,"vars":{"azure_credentials_cloud_connector_id":{"type":"text","value":"existing-azure-credentials-connector-id"},"azure.account_type":"organization-account","client_id":{"id":"client-secret-id","isSecretRef":true},"tenant_id":{"id":"tenant-secret-id","isSecretRef":true}}}}},"cspm-cloudbeat\/cis_gcp":{"enabled":false}},"name":"cspm-azure-policy","namespace":"default","package":{"name":"cloud_security_posture","version":"3.1.1"},"vars":{"deployment":"azure","posture":"cspm"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent 
policy.","items":{"type":"string"},"maxItems":100,"nullable":true,"type":"array"},"cloud_connector":{"additionalProperties":false,"type":"object","properties":{"cloud_connector_id":{"description":"ID of an existing cloud connector to reuse. If not provided, a new connector will be created.","type":"string"},"enabled":{"default":false,"description":"Whether cloud connectors are enabled for this policy.","type":"boolean"},"name":{"description":"Optional name for the cloud connector. If not provided, will be auto-generated from credentials.","maxLength":255,"minLength":1,"type":"string"},"target_csp":{"description":"Target cloud service provider. If not provided, will be auto-detected from inputs.","enum":["aws","azure","gcp"],"type":"string"}}},"description":{"description":"Policy description.","type":"string"},"force":{"description":"Force package policy creation even if the package is not verified, or if the agent policy is managed.","type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"type":"array"},"id":{"description":"Policy unique identifier.","type":"string"},"inputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. 
Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. 
Refer to the integration documentation to know which inputs are available.","type":"object"},"name":{"description":"Unique name for the policy.","type":"string"},"namespace":{"description":"Policy namespace. When not specified, it inherits the agent policy namespace.","type":"string"},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_template":{"description":"The policy template to use for the agentless package policy. If not provided, the default policy template will be used.","type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}},"required":["name","package"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"createAgentlessPoliciesResponseExample":{"description":"Example response showing the successful result of communication initialisation over MCP protocol","value":{"item":{"created_at":"2025-11-06T18:27:43.541Z","created_by":"test_user","description":"test","enabled":true,"id":"d52a7812-5736-4fdc-aed8-72152afa1ffa","inputs":{"ESS Billing-cel":{"enabled":true,"streams":{"ess_billing.billing":{"enabled":true,"vars":{"hide_sensitive":true,"http_client_timeout":"30s","lookbehind":365,"tags":["forwarded","billing"]}},"ess_billing.credits":{"enabled":false}},"vars":{"api_key":{"id":"QY1sWpoBbWcMW-edr0Ee","isSecretRef":true},"organization_id":"1234","url":"https:\/\/billing.elastic-cloud.com"}}},"name":"ess_billing-1","namespace":"default","package":{"name":"ess_billing","title":"Elasticsearch Service Billing","version":"1.6.0"},"revision":1,"secret_references":[{"id":"QY1sWpoBbWcMW-edr0Ee"}],"supports_agentless":true,"updated_at":"2025-11-06T18:27:43.541Z","updated_by":"test_user","version":"WzE0OTgsMV0="}}},"createAgentlessPoliciesWithAWSCloudConnectorResponseExample":{"description":"Example response for AWS cloud connector integration","value":{"item":{"cloud_connector_id":"aws-connector-67890","created_at":"2025-11-06T18:27:43.541Z","created_by":"test_user","description":"CSPM integration for AWS with cloud 
connector","enabled":true,"id":"aws-policy-12345","inputs":{"cspm-cloudbeat\/cis_aws":{"enabled":true,"streams":{"cloud_security_posture.findings":{"enabled":true,"vars":{"aws.account_type":"organization-account","aws.credentials.type":"cloud_connector","external_id":{"id":"secret-external-id-123","isSecretRef":true},"role_arn":"arn:aws:iam::123456789012:role\/TestRole"}}},"vars":{"cloud_formation_template":"https:\/\/console.aws.amazon.com\/cloudformation\/home#\/stacks\/quickcreate?templateURL=https:\/\/elastic-cspm-cft.s3.eu-central-1.amazonaws.com\/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml"}},"cspm-cloudbeat\/cis_azure":{"enabled":false},"cspm-cloudbeat\/cis_gcp":{"enabled":false}},"name":"cspm-aws-policy","namespace":"default","package":{"name":"cloud_security_posture","title":"Cloud Security Posture Management","version":"3.1.1"},"revision":1,"secret_references":[{"id":"secret-external-id-123"}],"supports_agentless":true,"supports_cloud_connector":true,"updated_at":"2025-11-06T18:27:43.541Z","updated_by":"test_user","vars":{"deployment":"aws","posture":"cspm"},"version":"WzE0OTgsMV0="}}},"createAgentlessPoliciesWithAzureCloudConnectorResponseExample":{"description":"Example response for Azure cloud connector integration","value":{"item":{"cloud_connector_id":"azure-connector-67890","created_at":"2025-11-06T18:27:43.541Z","created_by":"test_user","description":"CSPM integration for Azure with cloud 
connector","enabled":true,"id":"azure-policy-12345","inputs":{"cspm-cloudbeat\/cis_aws":{"enabled":false},"cspm-cloudbeat\/cis_azure":{"enabled":true,"streams":{"cloud_security_posture.findings":{"enabled":true,"vars":{"azure_credentials_cloud_connector_id":{"type":"text","value":"existing-azure-credentials-connector-id"},"azure.account_type":"organization-account","client_id":{"id":"client-secret-id-456","isSecretRef":true},"tenant_id":{"id":"tenant-secret-id-123","isSecretRef":true}}}}},"cspm-cloudbeat\/cis_gcp":{"enabled":false}},"name":"cspm-azure-policy","namespace":"default","package":{"name":"cloud_security_posture","title":"Cloud Security Posture Management","version":"3.1.1"},"revision":1,"secret_references":[{"id":"tenant-secret-id-123"},{"id":"client-secret-id-456"}],"supports_agentless":true,"supports_cloud_connector":true,"updated_at":"2025-11-06T18:27:43.541Z","updated_by":"test_user","vars":{"deployment":"azure","posture":"cspm"},"version":"WzE0OTgsMV0="}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"description":"The created agentless package policy.","type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy 
description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]}},"required":["item"]}}},"description":"Indicates a successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"409":{"content":{"application\/json":{"examples":{"conflictErrorResponseExample":{"description":"Example of a conflict error response","value":{"error":"Conflict","message":"An error message describing what went wrong","statusCode":409}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Conflict"}},"summary":"Create an agentless policy","tags":["Fleet agentless policies"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agentless_policies\/{policyId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agentless_policies\/{policyId}<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an agentless policy","operationId":"delete-fleet-agentless-policies-policyid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The ID of the policy to delete.","in":"path","name":"policyId","required":true,"schema":{"type":"string"}},{"description":"Force delete the policy even if the policy is managed.","in":"query","name":"force","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"createAgentlessPoliciesResponseExample":{"description":"Example response showing the successful result of communication initialisation over MCP protocol","value":{"item":{"id":"d52a7812-5736-4fdc-aed8-72152afa1ffa"}}}},"schema":{"additionalProperties":false,"description":"Response for deleting an agentless package policy.","type":"object","properties":{"id":{"description":"The ID of the deleted agentless package policy.","type":"string"}},"required":["id"]}}},"description":"Indicates a successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"409":{"content":{"application\/json":{"examples":{"conflictErrorResponseExample":{"description":"Example of a conflict error response","value":{"error":"Conflict","message":"An error message describing what went 
wrong","statusCode":409}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Conflict"}},"summary":"Delete an agentless policy","tags":["Fleet agentless policies"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList agents, with optional filtering and pagination.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents","parameters":[{"in":"query","name":"page","required":false,"schema":{"type":"number"}},{"in":"query","name":"perPage","required":false,"schema":{"default":20,"type":"number"}},{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"showAgentless","required":false,"schema":{"default":true,"type":"boolean"}},{"in":"query","name":"showInactive","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"withMetrics","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"showUpgradeable","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"getStatusSummary","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"sortField","required":false,"schema":{"type":"string"}},{"in":"query","name":"sortOrder","required":false,"schema":{"enum":["asc","desc"],"type":"string"}},{"in":"query","name":"searchAfter"
,"required":false,"schema":{"type":"string"}},{"in":"query","name":"openPit","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"pitId","required":false,"schema":{"type":"string"}},{"in":"query","name":"pitKeepAlive","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentsExample":{"description":"List of agents","value":{"items":[{"active":true,"enrolled_at":"2024-01-01T00:00:00.000Z","id":"agent-id-1","policy_id":"agent-policy-id-1","policy_revision":1,"status":"online","type":"PERMANENT","updated_at":"2024-01-01T00:00:00.000Z"}],"page":1,"perPage":20,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"access_api_key":{"type":"string"},"access_api_key_id":{"type":"string"},"active":{"type":"boolean"},"agent":{"additionalProperties":true,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"},"version":{"type":"string"}},"required":["id","version"]},"audit_unenrolled_reason":{"type":"string"},"capabilities":{"items":{"type":"string"},"maxItems":100,"type":"array"},"components":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"type":"string"},"units":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"payload":{"additionalProperties":{"nullable":true},"type":"object"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"enum":["input","output",""],"type":"string"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"},"default_api_key":{"
type":"string"},"default_api_key_history":{"items":{"additionalProperties":false,"deprecated":true,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"default_api_key_id":{"type":"string"},"effective_config":{"nullable":true},"enrolled_at":{"type":"string"},"health":{"additionalProperties":{"nullable":true},"type":"object"},"id":{"type":"string"},"identifying_attributes":{"additionalProperties":{"type":"string"},"type":"object"},"last_checkin":{"type":"string"},"last_checkin_message":{"type":"string"},"last_checkin_status":{"enum":["error","online","degraded","updating","starting","disconnected"],"type":"string"},"last_known_status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating","degraded","uninstalled","orphaned"],"type":"string"},"local_metadata":{"additionalProperties":{"nullable":true},"type":"object"},"metrics":{"additionalProperties":false,"type":"object","properties":{"cpu_avg":{"type":"number"},"memory_size_byte_avg":{"type":"number"}}},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"non_identifying_attributes":{"additionalProperties":{"type":"string"},"type":"object"},"outputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"api_key_id":{"type":"string"},"to_retire_api_key_ids":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"type":{"type":"string"}}},"type":"object"},"packages":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"policy_id":{"type":"string"},"policy_revision":{"nullable":true,"type":"number"},"sequence_num":{"type":"number"},"sort":{"items":{"nullable":true},"maxItems":10,"type":"array"},"status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating"
,"degraded","uninstalled","orphaned"],"type":"string"},"tags":{"items":{"type":"string"},"maxItems":100,"type":"array"},"type":{"enum":["PERMANENT","EPHEMERAL","TEMPORARY","OPAMP"],"type":"string"},"unenrolled_at":{"type":"string"},"unenrollment_started_at":{"type":"string"},"unhealthy_reason":{"items":{"enum":["input","output","other"],"type":"string"},"maxItems":3,"nullable":true,"type":"array"},"upgrade":{"additionalProperties":false,"type":"object","properties":{"rollbacks":{"items":{"additionalProperties":false,"type":"object","properties":{"valid_until":{"type":"string"},"version":{"type":"string"}},"required":["valid_until","version"]},"maxItems":100,"type":"array"}}},"upgrade_attempts":{"items":{"type":"string"},"maxItems":10000,"nullable":true,"type":"array"},"upgrade_details":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"action_id":{"type":"string"},"metadata":{"additionalProperties":false,"type":"object","properties":{"download_percent":{"type":"number"},"download_rate":{"type":"number"},"error_msg":{"type":"string"},"failed_state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"reason":{"type":"string"},"retry_error_msg":{"type":"string"},"retry_until":{"type":"string"},"scheduled_at":{"type":"string"}}},"state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"target_version":{"type":"string"}},"required":["target_version","action_id","state"]},"upgrade_started_at":{"nullable":true,"type":"string"},"upgraded_at":{"nullable":true,"type":"string"},"user_provided_metadata":{"additionalProperties":{"nullable":true},"type":"object"}},"required":["id","packages","type","active","enrolled_at","local_metadata","effective_config"]},"maxItems":10000,"type":"array"},"nextSearchAfter":{"type":"s
tring"},"page":{"type":"number"},"perPage":{"type":"number"},"pit":{"type":"string"},"statusSummary":{"additionalProperties":{"type":"number"},"type":"object"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get agents","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve agents associated with specific action IDs.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read.","operationId":"post-fleet-agents","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postGetAgentsByActionsRequestExample":{"description":"Retrieve agents associated with specific action 
IDs","value":{"actionIds":["action-id-1","action-id-2"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionIds":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},"required":["actionIds"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postGetAgentsByActionsExample":{"description":"Agents associated with the given actions","value":{"items":[{"active":true,"id":"agent-id-1","policy_id":"agent-policy-id-1","status":"online"}],"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get agents by action ids","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an agent by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"delete-fleet-agents-agentid","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteAgentExample":{"description":"Agent successfully deleted","value":{"id":"agent-id-1","success":true}}},"schema":{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["deleted"],"type":"string"}},"required":["action"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No agent was found with the given ID","value":{"error":"Not Found","message":"Agent agent-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Delete an agent","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet an agent by ID.<br\/><br\/>[Required authorization] Route required privileges: 
fleet-agents-read.","operationId":"get-fleet-agents-agentid","parameters":[{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}},{"in":"query","name":"withMetrics","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentExample":{"description":"Agent details","value":{"item":{"active":true,"agent_id":"agent-id-1","enrolled_at":"2024-01-01T00:00:00.000Z","id":"agent-id-1","local_metadata":{"elastic":{"agent":{"version":"8.17.0"}},"host":{"hostname":"my-host"},"os":{"name":"linux"}},"policy_id":"agent-policy-id-1","policy_revision":1,"status":"online","type":"PERMANENT","updated_at":"2024-01-01T00:00:00.000Z"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"access_api_key":{"type":"string"},"access_api_key_id":{"type":"string"},"active":{"type":"boolean"},"agent":{"additionalProperties":true,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"},"version":{"type":"string"}},"required":["id","version"]},"audit_unenrolled_reason":{"type":"string"},"capabilities":{"items":{"type":"string"},"maxItems":100,"type":"array"},"components":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"type":"string"},"units":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"payload":{"additionalProperties":{"nullable":true},"type":"object"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"enum":["input","output",""],"type":"string"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"}},"required":["id","type","status","message
"]},"maxItems":10000,"type":"array"},"default_api_key":{"type":"string"},"default_api_key_history":{"items":{"additionalProperties":false,"deprecated":true,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"default_api_key_id":{"type":"string"},"effective_config":{"nullable":true},"enrolled_at":{"type":"string"},"health":{"additionalProperties":{"nullable":true},"type":"object"},"id":{"type":"string"},"identifying_attributes":{"additionalProperties":{"type":"string"},"type":"object"},"last_checkin":{"type":"string"},"last_checkin_message":{"type":"string"},"last_checkin_status":{"enum":["error","online","degraded","updating","starting","disconnected"],"type":"string"},"last_known_status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating","degraded","uninstalled","orphaned"],"type":"string"},"local_metadata":{"additionalProperties":{"nullable":true},"type":"object"},"metrics":{"additionalProperties":false,"type":"object","properties":{"cpu_avg":{"type":"number"},"memory_size_byte_avg":{"type":"number"}}},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"non_identifying_attributes":{"additionalProperties":{"type":"string"},"type":"object"},"outputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"api_key_id":{"type":"string"},"to_retire_api_key_ids":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"type":{"type":"string"}}},"type":"object"},"packages":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"policy_id":{"type":"string"},"policy_revision":{"nullable":true,"type":"number"},"sequence_num":{"type":"number"},"sort":{"items":{"nullable":true},"maxItems":10,"type":"array"},"status":{"enum":["offline","error","online","in
active","enrolling","unenrolling","unenrolled","updating","degraded","uninstalled","orphaned"],"type":"string"},"tags":{"items":{"type":"string"},"maxItems":100,"type":"array"},"type":{"enum":["PERMANENT","EPHEMERAL","TEMPORARY","OPAMP"],"type":"string"},"unenrolled_at":{"type":"string"},"unenrollment_started_at":{"type":"string"},"unhealthy_reason":{"items":{"enum":["input","output","other"],"type":"string"},"maxItems":3,"nullable":true,"type":"array"},"upgrade":{"additionalProperties":false,"type":"object","properties":{"rollbacks":{"items":{"additionalProperties":false,"type":"object","properties":{"valid_until":{"type":"string"},"version":{"type":"string"}},"required":["valid_until","version"]},"maxItems":100,"type":"array"}}},"upgrade_attempts":{"items":{"type":"string"},"maxItems":10000,"nullable":true,"type":"array"},"upgrade_details":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"action_id":{"type":"string"},"metadata":{"additionalProperties":false,"type":"object","properties":{"download_percent":{"type":"number"},"download_rate":{"type":"number"},"error_msg":{"type":"string"},"failed_state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"reason":{"type":"string"},"retry_error_msg":{"type":"string"},"retry_until":{"type":"string"},"scheduled_at":{"type":"string"}}},"state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"target_version":{"type":"string"}},"required":["target_version","action_id","state"]},"upgrade_started_at":{"nullable":true,"type":"string"},"upgraded_at":{"nullable":true,"type":"string"},"user_provided_metadata":{"additionalProperties":{"nullable":true},"type":"object"}},"required":["id","packages","type","active","enrolled_at","local_metadata","effective_config"]}},"re
quired":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No agent was found with the given ID","value":{"error":"Not Found","message":"Agent agent-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Get an agent","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an agent by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"put-fleet-agents-agentid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putAgentRequestExample":{"description":"Update agent 
tags","value":{"tags":["production","linux"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"tags":{"items":{"type":"string"},"maxItems":10,"type":"array"},"user_provided_metadata":{"additionalProperties":{"nullable":true},"type":"object"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putAgentExample":{"description":"Updated agent details","value":{"item":{"active":true,"enrolled_at":"2024-01-01T00:00:00.000Z","id":"agent-id-1","policy_id":"agent-policy-id-1","policy_revision":1,"status":"online","tags":["production","linux"],"type":"PERMANENT","updated_at":"2024-01-01T00:00:00.000Z"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"access_api_key":{"type":"string"},"access_api_key_id":{"type":"string"},"active":{"type":"boolean"},"agent":{"additionalProperties":true,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"},"version":{"type":"string"}},"required":["id","version"]},"audit_unenrolled_reason":{"type":"string"},"capabilities":{"items":{"type":"string"},"maxItems":100,"type":"array"},"components":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"type":"string"},"units":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"message":{"type":"string"},"payload":{"additionalProperties":{"nullable":true},"type":"object"},"status":{"enum":["STARTING","CONFIGURING","HEALTHY","DEGRADED","FAILED","STOPPING","STOPPED"],"type":"string"},"type":{"enum":["input","output",""],"type":"string"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"}},"required":["id","type","status","message"]},"maxItems":10000,"type":"array"},"default_api_key":{"type":"string"},"d
efault_api_key_history":{"items":{"additionalProperties":false,"deprecated":true,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"default_api_key_id":{"type":"string"},"effective_config":{"nullable":true},"enrolled_at":{"type":"string"},"health":{"additionalProperties":{"nullable":true},"type":"object"},"id":{"type":"string"},"identifying_attributes":{"additionalProperties":{"type":"string"},"type":"object"},"last_checkin":{"type":"string"},"last_checkin_message":{"type":"string"},"last_checkin_status":{"enum":["error","online","degraded","updating","starting","disconnected"],"type":"string"},"last_known_status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating","degraded","uninstalled","orphaned"],"type":"string"},"local_metadata":{"additionalProperties":{"nullable":true},"type":"object"},"metrics":{"additionalProperties":false,"type":"object","properties":{"cpu_avg":{"type":"number"},"memory_size_byte_avg":{"type":"number"}}},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"non_identifying_attributes":{"additionalProperties":{"type":"string"},"type":"object"},"outputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"api_key_id":{"type":"string"},"to_retire_api_key_ids":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"retired_at":{"type":"string"}},"required":["id","retired_at"]},"maxItems":100,"type":"array"},"type":{"type":"string"}}},"type":"object"},"packages":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"policy_id":{"type":"string"},"policy_revision":{"nullable":true,"type":"number"},"sequence_num":{"type":"number"},"sort":{"items":{"nullable":true},"maxItems":10,"type":"array"},"status":{"enum":["offline","error","online","inactive","enrolling","unenrolling","unenrolled","updating","degraded","unins
talled","orphaned"],"type":"string"},"tags":{"items":{"type":"string"},"maxItems":100,"type":"array"},"type":{"enum":["PERMANENT","EPHEMERAL","TEMPORARY","OPAMP"],"type":"string"},"unenrolled_at":{"type":"string"},"unenrollment_started_at":{"type":"string"},"unhealthy_reason":{"items":{"enum":["input","output","other"],"type":"string"},"maxItems":3,"nullable":true,"type":"array"},"upgrade":{"additionalProperties":false,"type":"object","properties":{"rollbacks":{"items":{"additionalProperties":false,"type":"object","properties":{"valid_until":{"type":"string"},"version":{"type":"string"}},"required":["valid_until","version"]},"maxItems":100,"type":"array"}}},"upgrade_attempts":{"items":{"type":"string"},"maxItems":10000,"nullable":true,"type":"array"},"upgrade_details":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"action_id":{"type":"string"},"metadata":{"additionalProperties":false,"type":"object","properties":{"download_percent":{"type":"number"},"download_rate":{"type":"number"},"error_msg":{"type":"string"},"failed_state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"reason":{"type":"string"},"retry_error_msg":{"type":"string"},"retry_until":{"type":"string"},"scheduled_at":{"type":"string"}}},"state":{"enum":["UPG_REQUESTED","UPG_SCHEDULED","UPG_DOWNLOADING","UPG_EXTRACTING","UPG_REPLACING","UPG_RESTARTING","UPG_FAILED","UPG_WATCHING","UPG_ROLLBACK"],"type":"string"},"target_version":{"type":"string"}},"required":["target_version","action_id","state"]},"upgrade_started_at":{"nullable":true,"type":"string"},"upgraded_at":{"nullable":true,"type":"string"},"user_provided_metadata":{"additionalProperties":{"nullable":true},"type":"object"}},"required":["id","packages","type","active","enrolled_at","local_metadata","effective_config"]}},"required":["item"]}}},"description":"Successful 
response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No agent was found with the given ID","value":{"error":"Not Found","message":"Agent agent-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Update an agent by ID","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}\/actions":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}\/actions<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new action for a specific agent.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-actions","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postAgentActionRequestExample":{"description":"Create a UNENROLL action for an 
agent","value":{"action":{"type":"UNENROLL"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"action":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"ack_data":{"nullable":true},"data":{"nullable":true},"type":{"enum":["UNENROLL","UPGRADE","POLICY_REASSIGN"],"type":"string"}},"required":["type","data","ack_data"]},{"additionalProperties":false,"type":"object","properties":{"data":{"additionalProperties":false,"type":"object","properties":{"log_level":{"enum":["debug","info","warning","error"],"nullable":true,"type":"string"}},"required":["log_level"]},"type":{"enum":["SETTINGS"],"type":"string"}},"required":["type","data"]}]}},"required":["action"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postAgentActionExample":{"description":"Created agent action","value":{"item":{"agents":["agent-id-1"],"created_at":"2024-01-01T00:00:00.000Z","id":"action-id-1","type":"UNENROLL"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"ack_data":{"nullable":true},"agents":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"created_at":{"type":"string"},"data":{"nullable":true},"expiration":{"type":"string"},"id":{"type":"string"},"minimum_execution_duration":{"type":"number"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"rollout_duration_seconds":{"type":"number"},"sent_at":{"type":"string"},"source_uri":{"type":"string"},"start_time":{"type":"string"},"total":{"type":"number"},"type":{"type":"string"}},"required":["id","type","data","created_at","ack_data"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went 
wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Create an agent action","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}\/effective_config":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}\/effective_config<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet an agent's effective config by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-agentid-effective-config","parameters":[{"description":"The agent ID to get effective config of","in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"successResponse":{"value":{"effective_config":{}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"effective_config":{"nullable":true}},"required":["effective_config"]}}},"description":"OK: A successful request."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get an agent's effective 
config","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}\/migrate":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}\/migrate<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nMigrate a single agent to another cluster.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-migrate","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postMigrateAgentRequestExample":{"description":"Migrate a single agent to another 
cluster","value":{"enrollment_token":"enrollment-token-value","settings":{"retry_max":5},"uri":"https:\/\/fleet-server.example.com:8220"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"enrollment_token":{"type":"string"},"settings":{"additionalProperties":false,"type":"object","properties":{"ca_sha256":{"type":"string"},"certificate_authorities":{"type":"string"},"elastic_agent_cert":{"type":"string"},"elastic_agent_cert_key":{"type":"string"},"elastic_agent_cert_key_passphrase":{"type":"string"},"headers":{"additionalProperties":{"type":"string"},"type":"object"},"insecure":{"type":"boolean"},"proxy_disabled":{"type":"boolean"},"proxy_headers":{"additionalProperties":{"type":"string"},"type":"object"},"proxy_url":{"type":"string"},"replace_token":{"type":"string"},"staging":{"type":"string"},"tags":{"items":{"type":"string"},"maxItems":10,"type":"array"}}},"uri":{"format":"uri","type":"string"}},"required":["uri","enrollment_token"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postMigrateAgentExample":{"description":"Agent migration initiated","value":{"actionId":"action-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Migrate a single agent","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}\/privilege_level_change":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}\/privilege_level_change<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nChange the privilege level of a single agent to unprivileged.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-privilege-level-change","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The agent ID to change privilege level for","in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"changeAgentPrivilegeLevelRequest":{"value":{"user_info":{"groupname":"groupname","password":"password","username":"username"}}}},"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"user_info":{"additionalProperties":false,"type":"object","properties":{"groupname":{"type":"string"},"password":{"type":"string"},"username":{"type":"string"}}}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"successResponse":{"value":{"actionId":"actionId"}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]},{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}]}}},"description":"OK: A successful request."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Change agent privilege level","tags":["Elastic Agents"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}\/reassign":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}\/reassign<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReassign an agent to a different agent policy.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-reassign","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postReassignAgentRequestExample":{"description":"Reassign an agent to a different policy","value":{"policy_id":"agent-policy-id-2"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"policy_id":{"type":"string"}},"required":["policy_id"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postReassignAgentExample":{"description":"Agent successfully reassigned","value":{}}},"schema":{"additionalProperties":false,"type":"object","properties":{}}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad 
Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Reassign an agent","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}\/request_diagnostics":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}\/request_diagnostics<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRequest a diagnostics bundle from a specific agent.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read.","operationId":"post-fleet-agents-agentid-request-diagnostics","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postRequestDiagnosticsRequestExample":{"description":"Request a diagnostics bundle from an agent","value":{"additional_metrics":["CPU"]}}},"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"additional_metrics":{"items":{"enum":["CPU"],"type":"string"},"maxItems":1,"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postRequestDiagnosticsExample":{"description":"Diagnostics action 
result","value":{"actionId":"action-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"Agent agent-id-1 does not support request diagnostics action.","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Request agent diagnostics","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}\/rollback":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}\/rollback<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRollback an agent to the previous version.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-rollback","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The agent ID to 
rollback","in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"successResponse":{"value":{"actionId":"actionId"}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]},{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}]}}},"description":"OK: A successful request."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Rollback an agent","tags":["Elastic Agent actions"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}\/unenroll":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}\/unenroll<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUnenroll a specific agent, optionally revoking its enrollment API key.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-unenroll","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postUnenrollAgentRequestExample":{"description":"Unenroll an agent, optionally revoking the enrollment API key","value":{"revoke":false}}},"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"force":{"type":"boolean"},"revoke":{"type":"boolean"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postUnenrollAgentExample":{"description":"Agent successfully unenrolled","value":{}}}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}}}},"description":"Bad Request"}},"summary":"Unenroll an agent","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}\/upgrade":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}\/upgrade<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpgrade a specific agent to a newer version.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-agentid-upgrade","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postUpgradeAgentRequestExample":{"description":"Upgrade an agent to a specific version","value":{"version":"8.17.0"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"force":{"type":"boolean"},"skipRateLimitCheck":{"type":"boolean"},"source_uri":{"type":"string"},"version":{"type":"string"}},"required":["version"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postUpgradeAgentExample":{"description":"Agent upgrade initiated","value":{}}},"schema":{"additionalProperties":false,"type":"object","properties":{}}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Upgrade an agent","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/{agentId}\/uploads":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/{agentId}\/uploads<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of files uploaded by a specific agent.<br\/><br\/>[Required 
authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-agentid-uploads","parameters":[{"in":"path","name":"agentId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentUploadsExample":{"description":"List of files uploaded by the agent","value":{"items":[{"actionId":"action-id-1","createTime":"2024-01-01T00:00:00.000Z","filePath":"\/tmp\/diagnostics-2024-01-01.zip","id":"file-id-1","name":"diagnostics-2024-01-01.zip","status":"READY"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"},"createTime":{"type":"string"},"error":{"type":"string"},"filePath":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"status":{"enum":["READY","AWAITING_UPLOAD","DELETED","EXPIRED","IN_PROGRESS","FAILED"],"type":"string"}},"required":["id","name","filePath","createTime","status","actionId"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get agent uploads","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/action_status":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/action_status<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the current status of recent agent actions.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-action-status","parameters":[{"in":"query","name":"page","required":false,"schema":{"default":0,"type":"number"}},{"in":"query","name":"perPage","required":false,"schema":{"default":20,"type":"number"}},{"in":"query","name":"date","required":false,"schema":{"type":"string"}},{"in":"query","name":"latest","required":false,"schema":{"type":"number"}},{"in":"query","name":"errorSize","required":false,"schema":{"default":5,"type":"number"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getActionStatusExample":{"description":"Status of recent agent actions","value":{"items":[{"actionId":"action-id-1","completionTime":"2024-01-01T00:05:00.000Z","creationTime":"2024-01-01T00:00:00.000Z","nbAgentsAck":2,"nbAgentsActioned":2,"nbAgentsFailed":0,"status":"COMPLETE","type":"UPGRADE"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"},"cancellationTime":{"type":"string"},"completionTime":{"type":"string"},"creationTime":{"description":"creation time of action","type":"string"},"expiration":{"type":"string"},"hasRolloutPeriod":{"type":"boolean"},"is_automatic":{"type":"boolean"},"latestErrors":{"items":{"additionalProperties":false,"description":"latest errors that happened when the agents executed the action","type":"object","properties":{"agentId":{"type":"string"},"error":{"type":"string"},"hostname":{"type":"string"},"timestamp":{"type":"string"}},"required":["agentId","error","timestamp"]},"maxItems":10,"type":"array"},"nbAgentsAck":{"description":"number of agents that 
acknowledged the action","type":"number"},"nbAgentsActionCreated":{"description":"number of agents included in action from kibana","type":"number"},"nbAgentsActioned":{"description":"number of agents actioned","type":"number"},"nbAgentsFailed":{"description":"number of agents that failed to execute the action","type":"number"},"newPolicyId":{"description":"new policy id (POLICY_REASSIGN action)","type":"string"},"policyId":{"description":"policy id (POLICY_CHANGE action)","type":"string"},"revision":{"description":"new policy revision (POLICY_CHANGE action)","type":"number"},"startTime":{"description":"start time of action (scheduled actions)","type":"string"},"status":{"enum":["COMPLETE","EXPIRED","CANCELLED","FAILED","IN_PROGRESS","ROLLOUT_PASSED"],"type":"string"},"type":{"enum":["UPGRADE","UNENROLL","SETTINGS","POLICY_REASSIGN","CANCEL","FORCE_UNENROLL","REQUEST_DIAGNOSTICS","UPDATE_TAGS","POLICY_CHANGE","INPUT_ACTION","MIGRATE","PRIVILEGE_LEVEL_CHANGE","ROLLBACK"],"type":"string"},"version":{"description":"agent version number (UPGRADE action)","type":"string"}},"required":["actionId","nbAgentsActionCreated","nbAgentsAck","nbAgentsFailed","type","nbAgentsActioned","status","creationTime"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get an agent action status","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/actions\/{actionId}\/cancel":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/actions\/{actionId}\/cancel<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCancel a pending action for a specific agent.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-actions-actionid-cancel","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"actionId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postCancelActionRequestExample":{"description":"Cancel an agent action","value":{}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postCancelActionExample":{"description":"Cancellation action 
created","value":{"item":{"agents":["agent-id-1"],"created_at":"2024-01-01T00:00:00.000Z","id":"cancel-action-id-1","type":"CANCEL"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"ack_data":{"nullable":true},"agents":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"created_at":{"type":"string"},"data":{"nullable":true},"expiration":{"type":"string"},"id":{"type":"string"},"minimum_execution_duration":{"type":"number"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"rollout_duration_seconds":{"type":"number"},"sent_at":{"type":"string"},"source_uri":{"type":"string"},"start_time":{"type":"string"},"total":{"type":"number"},"type":{"type":"string"}},"required":["id","type","data","created_at","ack_data"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Cancel an agent action","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/available_versions":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/available_versions<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet 
a list of Elastic Agent versions available for upgrade.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-available-versions","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getAvailableVersionsExample":{"description":"List of available agent versions for upgrade","value":{"items":["8.17.0","8.16.3","8.16.2"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get available agent versions","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/bulk_migrate":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/bulk_migrate<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nBulk migrate agents to another cluster.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-migrate","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkMigrateAgentsRequestExample":{"description":"Migrate multiple agents to another cluster","value":{"agents":["agent-id-1","agent-id-2"],"enrollment_token":"enrollment-token-value","settings":{"retry_max":5},"uri":"https:\/\/fleet-server.example.com:8220"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"enrollment_token":{"type":"string"},"settings":{"additionalProperties":false,"type":"object","properties":{"ca_sha256":{"type":"string"},"certificate_authorities":{"type":"string"},"elastic_agent_cert":{"type":"string"},"elastic_agent_cert_key":{"type":"string"},"elastic_agent_cert_key_passphrase":{"type":"string"},"headers":{"additionalProperties":{"type":"string"},"type":"object"},"insecure":{"type":"boolean"},"proxy_disabled":{"type":"boolean"},"proxy_headers":{"additionalProperties":{"type":"string"},"type":"object"},"proxy_url":{"type":"string"},"staging":{"type":"string"},"tags":{"items":{"type":"string"},"maxItems":10,"type":"array"}}},"uri":{"format":"uri","type":"string"}},"required":["agents","uri","enrollment_token"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkMigrateAgentsExample":{"description":"Bulk agent migration initiated","value":{"actionId":"action-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went 
wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Migrate multiple agents","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/bulk_privilege_level_change":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/bulk_privilege_level_change<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nChange multiple agents' privilege level to unprivileged.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-privilege-level-change","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"bulkChangeAgentPrivilegeLevelRequest":{"value":{"agents":"agent","user_info":{"groupname":"groupname","password":"password","username":"username"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"user_info":{"additionalProperties":false,"type":"object","properties":{"groupname":{"type":"string"},"password":{"type":"string"},"username":{"type":"string"}}}},"required":["agents"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"successResponse":{"value":{"actionId":"actionId"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"OK: A successful request."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk change agent privilege level","tags":["Elastic Agents"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/bulk_reassign":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/bulk_reassign<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReassign multiple 
agents to a different agent policy.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-reassign","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkReassignAgentsRequestExample":{"description":"Reassign multiple agents to a different policy","value":{"agents":["agent-id-1","agent-id-2"],"policy_id":"agent-policy-id-2"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"includeInactive":{"default":false,"type":"boolean"},"policy_id":{"type":"string"}},"required":["policy_id","agents"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkReassignAgentsExample":{"description":"Bulk reassign action result","value":{"actionId":"action-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Bulk reassign agents","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/bulk_request_diagnostics":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/bulk_request_diagnostics<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRequest diagnostics bundles from multiple agents.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read.","operationId":"post-fleet-agents-bulk-request-diagnostics","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkRequestDiagnosticsRequestExample":{"description":"Request diagnostics bundles from multiple agents","value":{"additional_metrics":["CPU"],"agents":["agent-id-1","agent-id-2"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"additional_metrics":{"items":{"enum":["CPU"],"type":"string"},"maxItems":1,"type":"array"},"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"}},"required":["agents"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkRequestDiagnosticsExample":{"description":"Bulk diagnostics action result","value":{"actionId":"action-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went 
wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Bulk request diagnostics from agents","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/bulk_rollback":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/bulk_rollback<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRollback multiple agents to the previous version.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-rollback","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"bulkRollbackAgentsRequest":{"value":{"agents":["agent-1","agent-2"],"batchSize":100,"includeInactive":false}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"includeInactive":{"default":false,"type":"boolean"}},"required":["agents"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"successResponse":{"value":{"actionIds":["actionId1","actionId2"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionIds":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},"required":["actionIds"]}}},"description":"OK: A successful request."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk rollback agents","tags":["Elastic Agent actions"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/bulk_unenroll":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/bulk_unenroll<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUnenroll multiple agents, optionally revoking their enrollment API keys.<br\/><br\/>[Required authorization] Route 
required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-unenroll","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkUnenrollAgentsRequestExample":{"description":"Unenroll multiple agents","value":{"agents":["agent-id-1","agent-id-2"],"revoke":false}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"description":"list of agent IDs","type":"string"},"maxItems":10000,"type":"array"},{"description":"KQL query string, leave empty to action all agents","type":"string"}]},"batchSize":{"type":"number"},"force":{"description":"Unenrolls hosted agents too","type":"boolean"},"includeInactive":{"description":"When passing agents by KQL query, unenrolls inactive agents too","type":"boolean"},"revoke":{"description":"Revokes API keys of agents","type":"boolean"}},"required":["agents"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkUnenrollAgentsExample":{"description":"Bulk unenroll action result","value":{"actionId":"action-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Bulk unenroll agents","tags":["Elastic 
Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/bulk_update_agent_tags":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/bulk_update_agent_tags<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nAdd or remove tags across multiple agents.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-update-agent-tags","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkUpdateAgentTagsRequestExample":{"description":"Add and remove tags across multiple agents","value":{"agents":["agent-id-1","agent-id-2"],"tagsToAdd":["production"],"tagsToRemove":["staging"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"includeInactive":{"default":false,"type":"boolean"},"tagsToAdd":{"items":{"type":"string"},"maxItems":10,"type":"array"},"tagsToRemove":{"items":{"type":"string"},"maxItems":10,"type":"array"}},"required":["agents"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkUpdateAgentTagsExample":{"description":"Bulk action result","value":{"actionId":"action-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error 
response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Bulk update agent tags","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/bulk_upgrade":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/bulk_upgrade<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpgrade multiple agents to a newer version, with optional rollout controls.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-agents-bulk-upgrade","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkUpgradeAgentsRequestExample":{"description":"Upgrade multiple agents to a specific 
version","value":{"agents":["agent-id-1","agent-id-2"],"rollout_duration_seconds":3600,"version":"8.17.0"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"agents":{"anyOf":[{"items":{"type":"string"},"maxItems":10000,"type":"array"},{"type":"string"}]},"batchSize":{"type":"number"},"force":{"type":"boolean"},"includeInactive":{"default":false,"type":"boolean"},"rollout_duration_seconds":{"minimum":600,"type":"number"},"skipRateLimitCheck":{"type":"boolean"},"source_uri":{"type":"string"},"start_time":{"type":"string"},"version":{"type":"string"}},"required":["agents","version"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkUpgradeAgentsExample":{"description":"Bulk upgrade action result","value":{"actionId":"action-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"actionId":{"type":"string"}},"required":["actionId"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Bulk upgrade agents","tags":["Elastic Agent actions"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/files\/{fileId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/files\/{fileId}<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a file uploaded by an agent.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"delete-fleet-agents-files-fileid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"fileId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteAgentUploadFileExample":{"description":"Uploaded file successfully deleted","value":{"deleted":true,"id":"file-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"deleted":{"type":"boolean"},"id":{"type":"string"}},"required":["id","deleted"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Delete an uploaded file","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/files\/{fileId}\/{fileName}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/files\/{fileId}\/{fileName}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\nGet a file uploaded by an agent.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-files-fileid-filename","parameters":[{"in":"path","name":"fileId","required":true,"schema":{"type":"string"}},{"in":"path","name":"fileName","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentUploadFileExample":{"description":"The uploaded file content as a stream","value":"<binary file content>"}},"schema":{"type":"object"}}},"description":"Successful response \u2014 returns the uploaded file content"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get an uploaded file","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/setup":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/setup<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR 
fleet-setup.","operationId":"get-fleet-agents-setup","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"agentsSetupNotReadyExample":{"description":"Fleet is not ready \u2014 a Fleet Server and API keys are required","value":{"is_action_secrets_storage_enabled":false,"is_secrets_storage_enabled":false,"is_space_awareness_enabled":false,"is_ssl_secrets_storage_enabled":false,"isReady":false,"missing_optional_features":["encrypted_saved_object_encryption_key_required"],"missing_requirements":["fleet_server","api_keys"]}},"agentsSetupReadyExample":{"description":"Fleet is ready to enroll agents \u2014 all requirements are met","value":{"is_action_secrets_storage_enabled":true,"is_secrets_storage_enabled":true,"is_space_awareness_enabled":false,"is_ssl_secrets_storage_enabled":false,"isReady":true,"missing_optional_features":[],"missing_requirements":[],"package_verification_key_id":"D88DB4CC"}}},"schema":{"additionalProperties":false,"description":"A summary of the agent setup status. `isReady` indicates whether the setup is ready. 
If the setup is not ready, `missing_requirements` lists which requirements are missing.","type":"object","properties":{"is_action_secrets_storage_enabled":{"type":"boolean"},"is_secrets_storage_enabled":{"type":"boolean"},"is_space_awareness_enabled":{"type":"boolean"},"is_ssl_secrets_storage_enabled":{"type":"boolean"},"isReady":{"type":"boolean"},"missing_optional_features":{"items":{"enum":["encrypted_saved_object_encryption_key_required"],"type":"string"},"maxItems":1,"type":"array"},"missing_requirements":{"items":{"enum":["security_required","tls_required","api_keys","fleet_admin_user","fleet_server"],"type":"string"},"maxItems":5,"type":"array"},"package_verification_key_id":{"type":"string"}},"required":["isReady","missing_requirements","missing_optional_features"]}}},"description":"Fleet setup status"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get agent setup info","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/setup<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInitialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. 
Safe to call multiple times; subsequent calls are idempotent.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.","operationId":"post-fleet-agents-setup","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"agentsSetupSuccessExample":{"description":"Fleet setup initialized successfully with no non-fatal errors","value":{"isInitialized":true,"nonFatalErrors":[]}}},"schema":{"additionalProperties":false,"description":"A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.","type":"object","properties":{"isInitialized":{"type":"boolean"},"nonFatalErrors":{"items":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"}},"required":["name","message"]},"maxItems":10000,"type":"array"}},"required":["isInitialized","nonFatalErrors"]}}},"description":"Fleet setup completed"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Initiate Fleet setup","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/fleet\/agents\/tags":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/agents\/tags<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all tags used across enrolled agents.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read.","operationId":"get-fleet-agents-tags","parameters":[{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"showInactive","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAgentTagsExample":{"description":"List of tags used across agents","value":{"items":["production","linux","datacenter-1"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get agent tags","tags":["Elastic Agents"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/check-permissions":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/check-permissions<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCheck whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges.","operationId":"get-fleet-check-permissions","parameters":[{"in":"query","name":"fleetServerSetup","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"checkPermissionsMissingPrivilegesExample":{"description":"The current user is missing Fleet privileges","value":{"error":"MISSING_PRIVILEGES","success":false}},"checkPermissionsSuccessExample":{"description":"The current user has all required Fleet permissions","value":{"success":true}}},"schema":{"additionalProperties":false,"type":"object","properties":{"error":{"enum":["MISSING_SECURITY","MISSING_PRIVILEGES","MISSING_FLEET_SERVER_SETUP_PRIVILEGES"],"type":"string"},"success":{"type":"boolean"}},"required":["success"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Check permissions","tags":["Fleet internals"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/cloud_connectors":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/cloud_connectors<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all Fleet cloud connectors.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.","operationId":"get-fleet-cloud-connectors","parameters":[{"description":"The page number for pagination.","in":"query","name":"page","required":false,"schema":{"type":"string"}},{"description":"The number of items per page.","in":"query","name":"perPage","required":false,"schema":{"type":"string"}},{"description":"KQL query to filter cloud connectors.","in":"query","name":"kuery","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getCloudConnectorsExample":{"description":"List of Fleet cloud connectors","value":{"items":[{"accountType":"single-account","cloudProvider":"aws","created_at":"2024-01-15T10:00:00.000Z","id":"cloud-connector-id-1","name":"My AWS connector","packagePolicyCount":2,"updated_at":"2024-01-15T10:00:00.000Z","vars":{}}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"accountType":{"type":"string"},"cloudProvider":{"type":"string"},"created_at":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"packagePolicyCount":{"type":"number"},"updated_at":{"type":"string"},"vars":{"additionalProperties":{"nullable":true},"type":"object"},"verification_failed_at":{"type":"string"},"verification_started_at":{"type":"string"},"verification_status":{"type":"string"}},"required":["id","name","cloudProvider","vars","packagePolicyCount","created_at","updated_at"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful 
response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get cloud connectors","tags":["Fleet cloud connectors"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/cloud_connectors<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new Fleet cloud connector.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.","operationId":"post-fleet-cloud-connectors","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postCloudConnectorRequestExample":{"description":"Create a new AWS cloud connector","value":{"accountType":"single-account","cloudProvider":"aws","name":"My AWS connector","vars":{}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"accountType":{"description":"The account type: single-account (single account\/subscription) or organization-account 
(organization-wide).","enum":["single-account","organization-account"],"type":"string"},"cloudProvider":{"description":"The cloud provider type: aws, azure, or gcp.","enum":["aws","azure","gcp"],"type":"string"},"name":{"description":"The name of the cloud connector.","maxLength":255,"minLength":1,"type":"string"},"vars":{"additionalProperties":{"anyOf":[{"maxLength":1000,"type":"string"},{"type":"number"},{"type":"boolean"},{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"maxLength":50,"type":"string"},"value":{"anyOf":[{"maxLength":1000,"type":"string"},{"additionalProperties":false,"type":"object","properties":{"id":{"maxLength":255,"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["isSecretRef","id"]}]}},"required":["type","value"]}]},"type":"object"}},"required":["name","cloudProvider","vars"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postCloudConnectorExample":{"description":"The created Fleet cloud connector","value":{"item":{"accountType":"single-account","cloudProvider":"aws","created_at":"2024-01-15T10:00:00.000Z","id":"cloud-connector-id-2","name":"My AWS connector","packagePolicyCount":0,"updated_at":"2024-01-15T10:00:00.000Z","vars":{}}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"accountType":{"type":"string"},"cloudProvider":{"type":"string"},"created_at":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"packagePolicyCount":{"type":"number"},"updated_at":{"type":"string"},"vars":{"additionalProperties":{"nullable":true},"type":"object"},"verification_failed_at":{"type":"string"},"verification_started_at":{"type":"string"},"verification_status":{"type":"string"}},"required":["id","name","cloudProvider","vars","packagePolicyCount","created_at","updated_at"]}},"required":["item"]}}},"description":"Successful 
response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Create cloud connector","tags":["Fleet cloud connectors"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/cloud_connectors\/{cloudConnectorId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/cloud_connectors\/{cloudConnectorId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a cloud connector by ID. 
Use the `force` query parameter to delete even if package policies are still using it.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.","operationId":"delete-fleet-cloud-connectors-cloudconnectorid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the cloud connector to delete.","in":"path","name":"cloudConnectorId","required":true,"schema":{"type":"string"}},{"description":"If true, forces deletion even if the cloud connector is in use.","in":"query","name":"force","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteCloudConnectorExample":{"description":"The cloud connector was successfully deleted","value":{"id":"cloud-connector-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Delete cloud connector (supports force deletion)","tags":["Fleet cloud connectors"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/cloud_connectors\/{cloudConnectorId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a cloud connector by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.","operationId":"get-fleet-cloud-connectors-cloudconnectorid","parameters":[{"description":"The unique identifier of the cloud connector.","in":"path","name":"cloudConnectorId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getCloudConnectorExample":{"description":"A Fleet cloud connector","value":{"item":{"accountType":"single-account","cloudProvider":"aws","created_at":"2024-01-15T10:00:00.000Z","id":"cloud-connector-id-1","name":"My AWS connector","packagePolicyCount":2,"updated_at":"2024-01-15T10:00:00.000Z","vars":{}}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"accountType":{"type":"string"},"cloudProvider":{"type":"string"},"created_at":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"packagePolicyCount":{"type":"number"},"updated_at":{"type":"string"},"vars":{"additionalProperties":{"nullable":true},"type":"object"},"verification_failed_at":{"type":"string"},"verification_started_at":{"type":"string"},"verification_status":{"type":"string"}},"required":["id","name","cloudProvider","vars","packagePolicyCount","created_at","updated_at"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get cloud connector","tags":["Fleet cloud connectors"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/cloud_connectors\/{cloudConnectorId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a cloud connector by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.","operationId":"put-fleet-cloud-connectors-cloudconnectorid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The unique identifier of the cloud connector to update.","in":"path","name":"cloudConnectorId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putCloudConnectorRequestExample":{"description":"Update a Fleet cloud connector","value":{"name":"Updated AWS connector","vars":{}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"accountType":{"description":"The account type: single-account (single account\/subscription) or organization-account (organization-wide).","enum":["single-account","organization-account"],"type":"string"},"name":{"description":"The name of the cloud 
connector.","maxLength":255,"minLength":1,"type":"string"},"vars":{"additionalProperties":{"anyOf":[{"maxLength":1000,"type":"string"},{"type":"number"},{"type":"boolean"},{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"maxLength":50,"type":"string"},"value":{"anyOf":[{"maxLength":1000,"type":"string"},{"additionalProperties":false,"type":"object","properties":{"id":{"maxLength":255,"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["isSecretRef","id"]}]}},"required":["type","value"]}]},"type":"object"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putCloudConnectorExample":{"description":"The updated Fleet cloud connector","value":{"item":{"accountType":"single-account","cloudProvider":"aws","created_at":"2024-01-15T10:00:00.000Z","id":"cloud-connector-id-1","name":"Updated AWS connector","packagePolicyCount":2,"updated_at":"2024-01-15T11:00:00.000Z","vars":{}}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"accountType":{"type":"string"},"cloudProvider":{"type":"string"},"created_at":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"namespace":{"type":"string"},"packagePolicyCount":{"type":"number"},"updated_at":{"type":"string"},"vars":{"additionalProperties":{"nullable":true},"type":"object"},"verification_failed_at":{"type":"string"},"verification_started_at":{"type":"string"},"verification_status":{"type":"string"}},"required":["id","name","cloudProvider","vars","packagePolicyCount","created_at","updated_at"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Update cloud connector","tags":["Fleet cloud connectors"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/cloud_connectors\/{cloudConnectorId}\/usage":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/cloud_connectors\/{cloudConnectorId}\/usage<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of package policies that are using a given cloud connector.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.","operationId":"get-fleet-cloud-connectors-cloudconnectorid-usage","parameters":[{"description":"The unique identifier of the cloud connector.","in":"path","name":"cloudConnectorId","required":true,"schema":{"type":"string"}},{"description":"The page number for pagination.","in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"number"}},{"description":"The number of items per page.","in":"query","name":"perPage","required":false,"schema":{"minimum":1,"type":"number"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getCloudConnectorUsageResponseExample":{"description":"Example response showing package policies using the cloud connector","value":{"items":[{"created_at":"2025-01-16T09:00:00.000Z","id":"package-policy-1","name":"CSPM AWS Policy","package":{"name":"cloud_security_posture","title":"Cloud Security Posture 
Management","version":"3.1.1"},"policy_ids":["policy-id-123","policy-id-456"],"updated_at":"2025-01-16T09:00:00.000Z"}],"page":1,"perPage":20,"total":2}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"created_at":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"package":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"},"version":{"type":"string"}},"required":["name","title","version"]},"policy_ids":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"updated_at":{"type":"string"}},"required":["id","name","policy_ids","created_at","updated_at"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"OK: A successful request."},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"Cloud connector not found","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get cloud connector usage (package policies using the connector)","tags":["Fleet cloud connectors"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/data_streams":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/data_streams<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all Fleet-managed data streams with metadata including package, namespace, size, and last activity.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.","operationId":"get-fleet-data-streams","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getDataStreamsExample":{"description":"List of Fleet-managed data streams","value":{"data_streams":[{"dashboards":[{"id":"nginx-overview","title":"Nginx Overview"}],"dataset":"nginx.access","index":"logs-nginx.access-default","last_activity_ms":1700000000000,"namespace":"default","package":"nginx","package_version":"1.20.0","serviceDetails":null,"size_in_bytes":1048576,"size_in_bytes_formatted":"1mb","type":"logs"},{"dashboards":[],"dataset":"system.cpu","index":"metrics-system.cpu-default","last_activity_ms":1699999000000,"namespace":"default","package":"system","package_version":"1.38.0","serviceDetails":null,"size_in_bytes":524288,"size_in_bytes_formatted":"512kb","type":"metrics"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"data_streams":{"items":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"title":{"type":"string"}},"required":["id","title"]},"maxItems":10000,"type":"array"},"dataset":{"type":"string"},"index":{"type":"string"},"last_activity_ms":{"type":"number"},"namespace":{"type":"string"},"package":{"type":"string"},"package_version":{"type":"string"},"serviceDetails":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"environment":{"type":"string"},"serviceName":{"type":"string"}},"required":["environment","serviceName"]},"size_in_bytes":{"type":"number"},"size_in_bytes_formatted":{"anyOf":[{"type":"number"},{"type":"string"}]},"type":{"
type":"string"}},"required":["index","dataset","namespace","type","package","package_version","last_activity_ms","size_in_bytes","size_in_bytes_formatted","dashboards","serviceDetails"]},"maxItems":10000,"type":"array"}},"required":["data_streams"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get data streams","tags":["Data streams"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/enrollment_api_keys":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/enrollment_api_keys<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all enrollment API keys.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.","operationId":"get-fleet-enrollment-api-keys","parameters":[{"in":"query","name":"page","required":false,"schema":{"default":1,"type":"number"}},{"in":"query","name":"perPage","required":false,"schema":{"default":20,"type":"number"}},{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getEnrollmentApiKeysExample":{"description":"List of enrollment API 
keys","value":{"items":[{"active":true,"api_key":"api-key-value-1","api_key_id":"api-key-id-1","created_at":"2024-01-01T00:00:00.000Z","id":"key-id-1","name":"Default policy enrollment key","policy_id":"policy-id-1"}],"list":[{"active":true,"api_key":"api-key-value-1","api_key_id":"api-key-id-1","created_at":"2024-01-01T00:00:00.000Z","id":"key-id-1","name":"Default policy enrollment key","policy_id":"policy-id-1"}],"page":1,"perPage":20,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.","type":"boolean"},"api_key":{"description":"The enrollment API key (token) used for enrolling Elastic Agents.","type":"string"},"api_key_id":{"description":"The ID of the API key in the Security API.","type":"string"},"created_at":{"type":"string"},"hidden":{"type":"boolean"},"id":{"type":"string"},"name":{"description":"The name of the enrollment API key.","type":"string"},"policy_id":{"description":"The ID of the agent policy the Elastic Agent will be enrolled in.","type":"string"}},"required":["id","api_key_id","api_key","active","created_at"]},"maxItems":10000,"type":"array"},"list":{"deprecated":true,"items":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.","type":"boolean"},"api_key":{"description":"The enrollment API key (token) used for enrolling Elastic Agents.","type":"string"},"api_key_id":{"description":"The ID of the API key in the Security API.","type":"string"},"created_at":{"type":"string"},"hidden":{"type":"boolean"},"id":{"type":"string"},"name":{"description":"The name of the enrollment API key.","type":"string"},"policy_id":{"description":"The ID of the agent policy the Elastic Agent will be enrolled 
in.","type":"string"}},"required":["id","api_key_id","api_key","active","created_at"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage","list"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get enrollment API keys","tags":["Fleet enrollment API keys"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/enrollment_api_keys<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate an enrollment API key for a given agent policy.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-enrollment-api-keys","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postEnrollmentApiKeyRequestExample":{"description":"Create an enrollment API key for an agent policy","value":{"expiration":"2025-01-01T00:00:00.000Z","name":"My enrollment 
key","policy_id":"policy-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"expiration":{"type":"string"},"name":{"type":"string"},"policy_id":{"type":"string"}},"required":["policy_id"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postEnrollmentApiKeyExample":{"description":"The created enrollment API key","value":{"action":"created","item":{"active":true,"api_key":"api-key-value-1","api_key_id":"api-key-id-1","created_at":"2024-01-01T00:00:00.000Z","id":"key-id-1","name":"My enrollment key","policy_id":"policy-id-1"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["created"],"type":"string"},"item":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.","type":"boolean"},"api_key":{"description":"The enrollment API key (token) used for enrolling Elastic Agents.","type":"string"},"api_key_id":{"description":"The ID of the API key in the Security API.","type":"string"},"created_at":{"type":"string"},"hidden":{"type":"boolean"},"id":{"type":"string"},"name":{"description":"The name of the enrollment API key.","type":"string"},"policy_id":{"description":"The ID of the agent policy the Elastic Agent will be enrolled in.","type":"string"}},"required":["id","api_key_id","api_key","active","created_at"]}},"required":["item","action"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Create an enrollment API key","tags":["Fleet enrollment API keys"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/enrollment_api_keys\/{keyId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/enrollment_api_keys\/{keyId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRevoke an enrollment API key by ID by marking it as inactive.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"delete-fleet-enrollment-api-keys-keyid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"keyId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteEnrollmentApiKeyExample":{"description":"The enrollment API key was successfully revoked","value":{"action":"deleted"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["deleted"],"type":"string"}},"required":["action"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No enrollment API key was found with the given ID","value":{"error":"Not Found","message":"EnrollmentAPIKey key-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Revoke an enrollment API key","tags":["Fleet enrollment API keys"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/enrollment_api_keys\/{keyId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet an enrollment API key by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.","operationId":"get-fleet-enrollment-api-keys-keyid","parameters":[{"in":"path","name":"keyId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getEnrollmentApiKeyExample":{"description":"An enrollment API key","value":{"item":{"active":true,"api_key":"api-key-value-1","api_key_id":"api-key-id-1","created_at":"2024-01-01T00:00:00.000Z","id":"key-id-1","name":"Default policy enrollment key","policy_id":"policy-id-1"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"active":{"description":"When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.","type":"boolean"},"api_key":{"description":"The enrollment API key (token) used for enrolling Elastic 
Agents.","type":"string"},"api_key_id":{"description":"The ID of the API key in the Security API.","type":"string"},"created_at":{"type":"string"},"hidden":{"type":"boolean"},"id":{"type":"string"},"name":{"description":"The name of the enrollment API key.","type":"string"},"policy_id":{"description":"The ID of the agent policy the Elastic Agent will be enrolled in.","type":"string"}},"required":["id","api_key_id","api_key","active","created_at"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No enrollment API key was found with the given ID","value":{"error":"Not Found","message":"EnrollmentAPIKey key-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Get an enrollment API key","tags":["Fleet enrollment API keys"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/bulk_assets":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/bulk_assets<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve multiple Kibana saved object assets by their IDs and types.<br\/><br\/>[Required authorization] Route required privileges: 
integrations-read OR fleet-setup OR fleet-all.","operationId":"post-fleet-epm-bulk-assets","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkGetAssetsRequestExample":{"description":"Retrieve multiple assets by their IDs and types","value":{"assetIds":[{"id":"dashboard-id-1","type":"dashboard"},{"id":"index-pattern-id-1","type":"index_pattern"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"assetIds":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"}},"required":["assetIds"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkGetAssetsExample":{"description":"Requested assets","value":{"items":[{"appLink":"\/app\/dashboards#\/view\/dashboard-id-1","attributes":{"title":"My Dashboard"},"id":"dashboard-id-1","type":"dashboard"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"appLink":{"type":"string"},"attributes":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"service":{"type":"string"},"title":{"type":"string"}}},"id":{"type":"string"},"type":{"type":"string"},"updatedAt":{"type":"string"}},"required":["id","type","attributes"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Bulk get assets","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/categories":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/categories<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of integration categories.<br\/><br\/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-categories","parameters":[{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"include_policy_templates","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getCategoriesExample":{"description":"List of integration categories","value":{"items":[{"count":42,"id":"security","title":"Security"},{"count":38,"id":"observability","title":"Observability"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"count":{"type":"number"},"id":{"type":"string"},"parent_id":{"type":"string"},"parent_title":{"type":"string"},"title":{"type":"string"}},"required":["id","title","count"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad 
Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get package categories","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/custom_integrations":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/custom_integrations<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new custom integration package with user-defined data streams.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-custom-integrations","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postCreateCustomIntegrationRequestExample":{"description":"Create a new custom 
integration","value":{"datasets":[{"name":"my_custom_logs.access","type":"logs"}],"integrationName":"my_custom_logs"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"datasets":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"type":{"enum":["logs","metrics","traces","synthetics","profiling"],"type":"string"}},"required":["name","type"]},"maxItems":10,"type":"array"},"force":{"type":"boolean"},"integrationName":{"type":"string"}},"required":["integrationName","datasets"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postCreateCustomIntegrationExample":{"description":"Custom integration successfully created","value":{"_meta":{"install_source":"custom"},"items":[{"id":"my_custom_logs-logs-my_custom_logs.access","type":"index_template"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"_meta":{"additionalProperties":false,"type":"object","properties":{"install_source":{"type":"string"},"name":{"type":"string"}},"required":["install_source","name"]},"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"}},"required":["items","_meta"]}}},"description":"Successful 
response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Create a custom integration","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/custom_integrations\/{pkgName}":{"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/custom_integrations\/{pkgName}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate the datasets of an existing custom integration package.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all AND integrations-all.","operationId":"put-fleet-epm-custom-integrations-pkgname","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putUpdateCustomIntegrationRequestExample":{"description":"Update a custom 
integration","value":{"datasets":[{"name":"my_custom_logs.access","type":"logs"}],"integrationName":"my_custom_logs"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"categories":{"items":{"type":"string"},"maxItems":10,"type":"array"},"readMeData":{"type":"string"}},"required":["readMeData"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putUpdateCustomIntegrationExample":{"description":"Custom integration successfully updated","value":{}}}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Update a custom integration","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/data_streams":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/data_streams<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of data streams created by installed integration packages.<br\/><br\/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR 
fleet-all.","operationId":"get-fleet-epm-data-streams","parameters":[{"in":"query","name":"type","required":false,"schema":{"enum":["logs","metrics","traces","synthetics","profiling"],"type":"string"}},{"in":"query","name":"datasetQuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"sortOrder","required":false,"schema":{"default":"asc","enum":["asc","desc"],"type":"string"}},{"in":"query","name":"uncategorisedOnly","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getDataStreamsExample":{"description":"List of data streams from installed packages","value":{"data_streams":[{"ilm_policy":"logs-default","index_template":"logs-system.syslog","name":"logs-system.syslog-default","package":"system","package_version":"1.55.0","title":"System syslog logs"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get data streams","tags":["Data streams"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of integration packages available in the registry.<br\/><br\/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages","parameters":[{"in":"query","name":"category","required":false,"schema":{"type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"excludeInstallStatus","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"withPackagePoliciesCount","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getPackagesExample":{"description":"List of available integration packages","value":{"items":[{"categories":["cloud"],"description":"Collect logs and metrics from Amazon Web 
Services","id":"aws","name":"aws","status":"not_installed","title":"AWS","version":"2.10.0"}],"searchExcluded":0,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":true,"type":"object","properties":{"categories":{"items":{"type":"string"},"maxItems":100,"type":"array"},"conditions":{"additionalProperties":true,"type":"object","properties":{"deprecated":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"elastic":{"additionalProperties":true,"type":"object","properties":{"capabilities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"subscription":{"type":"string"}}},"kibana":{"additionalProperties":true,"type":"object","properties":{"version":{"type":"string"}}}}},"data_streams":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"deprecated":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"description":{"type":"string"},"discovery":{"additionalProperties":true,"type":"object","properties":{"datasets":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":100,"type":"array"},"fields":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":100,"type":"array"}}},"download":{"type":"string"},"format_version":{"type":"string"},"icons":{"items":{"additionalProperties":true,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"
]},"maxItems":100,"type":"array"},"id":{"type":"string"},"installationInfo":{"additionalProperties":true,"type":"object","properties":{"additional_spaces_installed_kibana":{"additionalProperties":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":100,"type":"array"},"type":"object"},"created_at":{"type":"string"},"experimental_data_stream_features":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":true,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"install_format_schema_version":{"type":"string"},"install_source":{"enum":["registry","upload","bundled","custom"],"type":"string"},"install_status":{"enum":["installed","installing","install_failed"],"type":"string"},"installed_es":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map",
"ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana_space_id":{"type":"string"},"is_rollback_ttl_expired":{"type":"boolean"},"latest_executed_state":{"additionalProperties":true,"type":"object","properties":{"error":{"type":"string"},"name":{"type":"string"},"started_at":{"type":"string"}}},"latest_install_failed_attempts":{"items":{"additionalProperties":true,"type":"object","properties":{"created_at":{"type":"string"},"error":{"additionalProperties":true,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"},"stack":{"type":"string"}},"required":["name","message"]},"target_version":{"type":"string"}},"required":["created_at","target_version","error"]},"maxItems":10,"type":"array"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"previous_version":{"nullable":true,"type":"string"},"rolled_back":{"type":"boolean"},"type":{"type":"string"},"updated_at":{"type":"string"},"verification_key_id":{"nullable":true,"type":"string"},"verification_status":{"enum":["unverified","verified","unknown"],"type":"string"},"version":{"type":"string"}},"required":["type","installed_kibana","installed_es","name","version","install_status","install_source","verification_status"]},"integration":{"type":"string"},"internal":{"type":"boolean"},"latestVersion":{"type":"string"},"name":{"type":"string"},"owner":{"additionalProperties":true,"type":"object","properties":{"github":{"type":"string"},"type":{"enum":["elastic","partner","community"],"type":"string"}}},"path":{"type":"string"},"policy_templates":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"readme":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"signature_path":{"type":"string"},"source":{"additionalProperties"
:true,"type":"object","properties":{"license":{"type":"string"}},"required":["license"]},"status":{"type":"string"},"title":{"type":"string"},"type":{"anyOf":[{"enum":["integration"],"type":"string"},{"enum":["input"],"type":"string"},{"enum":["content"],"type":"string"},{"type":"string"}]},"var_groups":{"items":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"options":{"items":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"hide_in_deployment_modes":{"items":{"enum":["default","agentless"],"type":"string"},"maxItems":2,"type":"array"},"name":{"type":"string"},"title":{"type":"string"},"vars":{"items":{"type":"string"},"maxItems":100,"type":"array"}},"required":["name","title","vars"]},"maxItems":100,"type":"array"},"selector_title":{"type":"string"},"title":{"type":"string"}},"required":["name","title","selector_title","options"]},"maxItems":100,"type":"array"},"vars":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"version":{"type":"string"}},"required":["name","version","title","id"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInstall a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"ignoreMappingUpdateErrors","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"skipDataStreamRollover","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application\/gzip":{"examples":{"postInstallByUploadRequestExample":{"description":"Upload a .zip or .tar.gz package archive (max 100MB)","value":"<binary package archive>"}}},"application\/gzip; application\/zip":{"schema":{"format":"binary","type":"string"}}}},"responses":{"200":{"content":{"application\/gzip; 
application\/zip":{"schema":{"additionalProperties":false,"type":"object","properties":{"_meta":{"additionalProperties":false,"type":"object","properties":{"install_source":{"type":"string"},"name":{"type":"string"}},"required":["install_source","name"]},"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"}},"required":["items","_meta"]}},"application\/json":{"examples":{"postInstallByUploadExample":{"description":"Package successfully installed from upload","value":{"_meta":{"install_source":"upload"},"items":[{"id":"my-custom-package-logs-default","type":"index_template"}]}}}}},"description":"Successful response"},"400":{"content":{"application\/gzip; application\/zip":{"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}},"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}}}},"description":"Bad Request"}},"summary":"Install 
a package by upload","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/_bulk":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/_bulk<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInstall multiple packages from the Elastic Package Registry in a single request.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-bulk","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkInstallPackagesRequestExample":{"description":"Install multiple packages from the registry","value":{"packages":["system","aws"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"force":{"default":false,"type":"boolean"},"packages":{"items":{"anyOf":[{"type":"string"},{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"prerelease":{"type":"boolean"},"version":{"type":"string"}},"required":["name","version"]}]},"maxItems":1000,"minItems":1,"type":"array"}},"required":["packages"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkInstallPackagesExample":{"description":"Bulk install 
results","value":{"items":[{"name":"system","result":{"assets":[],"status":"installed"}},{"name":"aws","result":{"assets":[],"status":"installed"}}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"result":{"additionalProperties":false,"type":"object","properties":{"assets":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"},"error":{"nullable":true},"installSource":{"type":"string"},"installType":{"type":"string"},"status":{"enum":["installed","already_installed"],"type":"string"}},"required":["error","installType"]},"version":{"type":"string"}},"required":["name","version","result"]},{"additionalProperties":false,"type":"object","properties":{"error":{"anyOf":[{"type":"string"},{"nullable":true}]},"name":{"type":"string"},"statusCode":{"type":"number"}},"required":["name","statusCode"]}]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what 
went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Bulk install packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/_bulk_rollback":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/_bulk_rollback<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRollback multiple packages to their previous versions.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-bulk-rollback","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"bulkRollbackRequest":{"value":{"packages":[{"name":"system"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"packages":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"Package name to rollback","type":"string"}},"required":["name"]},"maxItems":1000,"minItems":1,"type":"array"}},"required":["packages"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"successResponse":{"value":{"taskId":"taskId"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"taskId":{"type":"string"}},"required":["taskId"]}}},"description":"OK: A successful 
request."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Bulk rollback packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/_bulk_rollback\/{taskId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/_bulk_rollback\/{taskId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the status and results of a bulk package rollback operation.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"get-fleet-epm-packages-bulk-rollback-taskid","parameters":[{"description":"Task ID of the bulk 
operation","in":"path","name":"taskId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"successResponse":{"value":{"status":"success"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"results":{"items":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"name":{"type":"string"},"success":{"type":"boolean"}},"required":["name","success"]},"maxItems":10000,"type":"array"},"status":{"type":"string"}},"required":["status"]}}},"description":"OK: A successful request."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get Bulk rollback packages details","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/_bulk_uninstall":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/_bulk_uninstall<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUninstall multiple packages in a single operation.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND 
fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-bulk-uninstall","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkUninstallPackagesRequestExample":{"description":"Uninstall multiple packages","value":{"packages":[{"name":"aws"},{"name":"gcp"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"force":{"default":false,"type":"boolean"},"packages":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"version":{"type":"string"}},"required":["name","version"]},"maxItems":1000,"minItems":1,"type":"array"}},"required":["packages"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkUninstallPackagesExample":{"description":"Bulk uninstall task initiated","value":{"taskId":"task-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"taskId":{"type":"string"}},"required":["taskId"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Bulk uninstall packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/_bulk_uninstall\/{taskId}":{"get":{"description":"**Spaces method and path for this 
operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/_bulk_uninstall\/{taskId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the status and results of a bulk package uninstall operation.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"get-fleet-epm-packages-bulk-uninstall-taskid","parameters":[{"description":"Task ID of the bulk operation","in":"path","name":"taskId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getBulkOperationDetailsExample":{"description":"Details of the bulk operation task","value":{"packages":[{"name":"system","result":"installed"},{"name":"elastic_agent","result":"installed"}],"status":"success"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"results":{"items":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"name":{"type":"string"},"success":{"type":"boolean"}},"required":["name","success"]},"maxItems":10000,"type":"array"},"status":{"type":"string"}},"required":["status"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get Bulk uninstall packages details","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/_bulk_upgrade":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/_bulk_upgrade<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpgrade multiple packages to their latest versions.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-bulk-upgrade","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkUpgradePackagesRequestExample":{"description":"Upgrade multiple packages to their latest versions","value":{"packages":[{"name":"system"},{"name":"elastic_agent"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"force":{"default":false,"type":"boolean"},"packages":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"version":{"type":"string"}},"required":["name"]},"maxItems":1000,"minItems":1,"type":"array"},"prerelease":{"type":"boolean"},"upgrade_package_policies":{"default":false,"type":"boolean"}},"required":["packages"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkUpgradePackagesExample":{"description":"Bulk 
upgrade task initiated","value":{"taskId":"task-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"taskId":{"type":"string"}},"required":["taskId"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Bulk upgrade packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/_bulk_upgrade\/{taskId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/_bulk_upgrade\/{taskId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the status and results of a bulk package upgrade operation.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"get-fleet-epm-packages-bulk-upgrade-taskid","parameters":[{"description":"Task ID of the bulk operation","in":"path","name":"taskId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getBulkOperationDetailsExample":{"description":"Details of the bulk operation 
task","value":{"packages":[{"name":"system","result":"installed"},{"name":"elastic_agent","result":"installed"}],"status":"success"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"results":{"items":{"additionalProperties":false,"type":"object","properties":{"error":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"name":{"type":"string"},"success":{"type":"boolean"}},"required":["name","success"]},"maxItems":10000,"type":"array"},"status":{"type":"string"}},"required":["status"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get Bulk upgrade packages details","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUninstall a package and remove all its assets.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND 
fleet-agent-policies-all.","operationId":"delete-fleet-epm-packages-pkgname","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"query","name":"force","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deletePackageExample":{"description":"Package successfully deleted","value":{"items":[{"id":"aws-logs-aws.cloudwatch_logs-default","type":"index_template"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Delete a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet information about a package by name, returning the latest installed or available version.","operationId":"get-fleet-epm-packages-pkgname","parameters":[{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"query","name":"ignoreUnverified","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"full","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"withMetadata","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getPackageInfoExample":{"description":"Package details and installation status","value":{"item":{"assets":{"kibana":{"dashboard":[],"index_pattern":[]}},"categories":["cloud"],"description":"Collect logs and metrics from Amazon Web 
Services","name":"aws","status":"installed","title":"AWS","version":"2.10.0"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":true,"type":"object","properties":{"agent":{"additionalProperties":false,"type":"object","properties":{"privileges":{"additionalProperties":false,"type":"object","properties":{"root":{"type":"boolean"}}}}},"asset_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"asset_ids":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"asset_types":{"items":{"type":"string"},"maxItems":100,"type":"array"},"text":{"type":"string"}},"required":["text"]},"maxItems":1000,"type":"array"},"assets":{"additionalProperties":{"nullable":true},"type":"object"},"categories":{"items":{"type":"string"},"maxItems":100,"type":"array"},"conditions":{"additionalProperties":true,"type":"object","properties":{"deprecated":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"elastic":{"additionalProperties":true,"type":"object","properties":{"capabilities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"subscription":{"type":"string"}}},"kibana":{"additionalProperties":true,"type":"object","properties":{"version":{"type":"string"}}}}},"data_streams":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"deprecated":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"description":{"type":"string"},"discovery":{"additionalProperties":true,"type":"object","properties":{"datasets":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":100
,"type":"array"},"fields":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":100,"type":"array"}}},"download":{"type":"string"},"elasticsearch":{"additionalProperties":{"nullable":true},"type":"object"},"format_version":{"type":"string"},"icons":{"items":{"additionalProperties":true,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":100,"type":"array"},"installationInfo":{"additionalProperties":true,"type":"object","properties":{"additional_spaces_installed_kibana":{"additionalProperties":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":100,"type":"array"},"type":"object"},"created_at":{"type":"string"},"experimental_data_stream_features":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":true,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"install_format_schema_version":{"type":"string"},"install_source":{"enum":["registry","upload","bundled","custom"],"type":"string"},"install_status":{"enum":["installed","installing","install_failed"],"type":"string"},"installed_es":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string
"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana_space_id":{"type":"string"},"is_rollback_ttl_expired":{"type":"boolean"},"latest_executed_state":{"additionalProperties":true,"type":"object","properties":{"error":{"type":"string"},"name":{"type":"string"},"started_at":{"type":"string"}}},"latest_install_failed_attempts":{"items":{"additionalProperties":true,"type":"object","properties":{"created_at":{"type":"string"},"error":{"additionalProperties":true,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"},"stack":{"type":"string"}},"required":["name","message"]},"target_version":{"type":"string"}},"required":["created_at","target_version","error"]},"maxItems":10,"type":"array"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"previous_version":{"nullable":true,"type":"string"},"rolled_back":{"type":"boolean"},"type":{"type":"string"},"updated_at":{"type":"string"},"verification_key_id":{"nullable":true,"type":"string"},"verification_status":{"enum":["unverified","verified","unknown"],"type":"string"},"version":{"type":"string"}},"required":["type","installed_kibana","installed_es","name","version","install_status","install_source","verification_status"]},"internal":{"type":"boolean"},"keepPoliciesUp
ToDate":{"type":"boolean"},"latestVersion":{"type":"string"},"license":{"type":"string"},"licensePath":{"type":"string"},"name":{"type":"string"},"notice":{"type":"string"},"owner":{"additionalProperties":true,"type":"object","properties":{"github":{"type":"string"},"type":{"enum":["elastic","partner","community"],"type":"string"}}},"path":{"type":"string"},"policy_templates":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"readme":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"screenshots":{"items":{"additionalProperties":false,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":100,"type":"array"},"signature_path":{"type":"string"},"source":{"additionalProperties":true,"type":"object","properties":{"license":{"type":"string"}},"required":["license"]},"status":{"type":"string"},"title":{"type":"string"},"type":{"anyOf":[{"enum":["integration"],"type":"string"},{"enum":["input"],"type":"string"},{"enum":["content"],"type":"string"},{"type":"string"}]},"var_groups":{"items":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"options":{"items":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"hide_in_deployment_modes":{"items":{"enum":["default","agentless"],"type":"string"},"maxItems":2,"type":"array"},"name":{"type":"string"},"title":{"type":"string"},"vars":{"items":{"type":"string"},"maxItems":100,"type":"array"}},"required":["name","title","vars"]},"maxItems":100,"type":"array"},"selector_title":{"type":"string"},"title":{"type":"string"}},"required":["name","title","selector_title","options"]},"maxItems":100,"type":"array"},"vars":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems"
:1000,"type":"array"},"version":{"type":"string"}},"required":["name","version","title","assets"]},"metadata":{"additionalProperties":false,"type":"object","properties":{"has_policies":{"type":"boolean"}},"required":["has_policies"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInstall the latest version of a package from the Elastic Package Registry.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-pkgname","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"ignoreMappingUpdateErrors","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"skipDataStreamRollover","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Skip dependency validation when installing a package with dependencies","in":"query","name":"skipDependencyCheck","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"postInstallPackageRequestExample":{"description":"Install a package, optionally ignoring constraints","value":{"ignore_constraints":false}}},"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"force":{"default":false,"type":"boolean"},"ignore_constraints":{"default":false,"type":"boolean"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postInstallPackageExample":{"description":"Package successfully 
installed","value":{"_meta":{"install_source":"registry"},"items":[{"id":"aws-logs-aws.cloudwatch_logs-default","type":"index_template"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"_meta":{"additionalProperties":false,"type":"object","properties":{"install_source":{"type":"string"},"name":{"type":"string"}},"required":["install_source","name"]},"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"}},"required":["items","_meta"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Install a package from the registry","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate settings for a package, such as whether policies are kept up to date automatically.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"put-fleet-epm-packages-pkgname","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putUpdatePackageRequestExample":{"description":"Update keep_policies_up_to_date setting for a package","value":{"keepPoliciesUpToDate":true}}},"schema":{"additionalProperties":false,"type":"object","properties":{"keepPoliciesUpToDate":{"type":"boolean"}},"required":["keepPoliciesUpToDate"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putUpdatePackageExample":{"description":"Updated package 
settings","value":{"item":{"keepPoliciesUpToDate":true,"name":"aws","version":"2.10.0"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":true,"type":"object","properties":{"agent":{"additionalProperties":false,"type":"object","properties":{"privileges":{"additionalProperties":false,"type":"object","properties":{"root":{"type":"boolean"}}}}},"asset_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"asset_ids":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"asset_types":{"items":{"type":"string"},"maxItems":100,"type":"array"},"text":{"type":"string"}},"required":["text"]},"maxItems":1000,"type":"array"},"assets":{"additionalProperties":{"nullable":true},"type":"object"},"categories":{"items":{"type":"string"},"maxItems":100,"type":"array"},"conditions":{"additionalProperties":true,"type":"object","properties":{"deprecated":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"elastic":{"additionalProperties":true,"type":"object","properties":{"capabilities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"subscription":{"type":"string"}}},"kibana":{"additionalProperties":true,"type":"object","properties":{"version":{"type":"string"}}}}},"data_streams":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"deprecated":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"description":{"type":"string"},"discovery":{"additionalProperties":true,"type":"object","properties":{"datasets":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"max
Items":100,"type":"array"},"fields":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":100,"type":"array"}}},"download":{"type":"string"},"elasticsearch":{"additionalProperties":{"nullable":true},"type":"object"},"format_version":{"type":"string"},"icons":{"items":{"additionalProperties":true,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":100,"type":"array"},"installationInfo":{"additionalProperties":true,"type":"object","properties":{"additional_spaces_installed_kibana":{"additionalProperties":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":100,"type":"array"},"type":"object"},"created_at":{"type":"string"},"experimental_data_stream_features":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":true,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"install_format_schema_version":{"type":"string"},"install_source":{"enum":["registry","upload","bundled","custom"],"type":"string"},"install_status":{"enum":["installed","installing","install_failed"],"type":"string"},"installed_es":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"typ
e":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana_space_id":{"type":"string"},"is_rollback_ttl_expired":{"type":"boolean"},"latest_executed_state":{"additionalProperties":true,"type":"object","properties":{"error":{"type":"string"},"name":{"type":"string"},"started_at":{"type":"string"}}},"latest_install_failed_attempts":{"items":{"additionalProperties":true,"type":"object","properties":{"created_at":{"type":"string"},"error":{"additionalProperties":true,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"},"stack":{"type":"string"}},"required":["name","message"]},"target_version":{"type":"string"}},"required":["created_at","target_version","error"]},"maxItems":10,"type":"array"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"previous_version":{"nullable":true,"type":"string"},"rolled_back":{"type":"boolean"},"type":{"type":"string"},"updated_at":{"type":"string"},"verification_key_id":{"nullable":true,"type":"string"},"verification_status":{"enum":["unverified","verified","unknown"],"type":"string"},"version":{"type":"string"}},"required":["type","installed_kibana","installed_es","name","version","install_status","install_source","verification_status"]},"internal":{"type":"boolean"},"keep
PoliciesUpToDate":{"type":"boolean"},"latestVersion":{"type":"string"},"license":{"type":"string"},"licensePath":{"type":"string"},"name":{"type":"string"},"notice":{"type":"string"},"owner":{"additionalProperties":true,"type":"object","properties":{"github":{"type":"string"},"type":{"enum":["elastic","partner","community"],"type":"string"}}},"path":{"type":"string"},"policy_templates":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"readme":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"screenshots":{"items":{"additionalProperties":false,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":100,"type":"array"},"signature_path":{"type":"string"},"source":{"additionalProperties":true,"type":"object","properties":{"license":{"type":"string"}},"required":["license"]},"status":{"type":"string"},"title":{"type":"string"},"type":{"anyOf":[{"enum":["integration"],"type":"string"},{"enum":["input"],"type":"string"},{"enum":["content"],"type":"string"},{"type":"string"}]},"var_groups":{"items":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"options":{"items":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"hide_in_deployment_modes":{"items":{"enum":["default","agentless"],"type":"string"},"maxItems":2,"type":"array"},"name":{"type":"string"},"title":{"type":"string"},"vars":{"items":{"type":"string"},"maxItems":100,"type":"array"}},"required":["name","title","vars"]},"maxItems":100,"type":"array"},"selector_title":{"type":"string"},"title":{"type":"string"}},"required":["name","title","selector_title","options"]},"maxItems":100,"type":"array"},"vars":{"items":{"additionalProperties":{"nullable":true},"type":"object"},
"maxItems":1000,"type":"array"},"version":{"type":"string"}},"required":["name","version","title","assets"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Update package settings","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUninstall a specific version of a package and remove all its assets.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"delete-fleet-epm-packages-pkgname-pkgversion","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"query","name":"force","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deletePackageExample":{"description":"Package successfully deleted","value":{"items":[{"id":"aws-logs-aws.cloudwatch_logs-default","type":"index_template"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Delete a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet information about a specific version of a package.","operationId":"get-fleet-epm-packages-pkgname-pkgversion","parameters":[{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"query","name":"ignoreUnverified","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"full","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"withMetadata","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getPackageInfoExample":{"description":"Package details and installation status","value":{"item":{"assets":{"kibana":{"dashboard":[],"index_pattern":[]}},"categories":["cloud"],"description":"Collect logs and metrics from Amazon Web 
Services","name":"aws","status":"installed","title":"AWS","version":"2.10.0"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":true,"type":"object","properties":{"agent":{"additionalProperties":false,"type":"object","properties":{"privileges":{"additionalProperties":false,"type":"object","properties":{"root":{"type":"boolean"}}}}},"asset_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"asset_ids":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"asset_types":{"items":{"type":"string"},"maxItems":100,"type":"array"},"text":{"type":"string"}},"required":["text"]},"maxItems":1000,"type":"array"},"assets":{"additionalProperties":{"nullable":true},"type":"object"},"categories":{"items":{"type":"string"},"maxItems":100,"type":"array"},"conditions":{"additionalProperties":true,"type":"object","properties":{"deprecated":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"elastic":{"additionalProperties":true,"type":"object","properties":{"capabilities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"subscription":{"type":"string"}}},"kibana":{"additionalProperties":true,"type":"object","properties":{"version":{"type":"string"}}}}},"data_streams":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"deprecated":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"description":{"type":"string"},"discovery":{"additionalProperties":true,"type":"object","properties":{"datasets":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":100
,"type":"array"},"fields":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":100,"type":"array"}}},"download":{"type":"string"},"elasticsearch":{"additionalProperties":{"nullable":true},"type":"object"},"format_version":{"type":"string"},"icons":{"items":{"additionalProperties":true,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":100,"type":"array"},"installationInfo":{"additionalProperties":true,"type":"object","properties":{"additional_spaces_installed_kibana":{"additionalProperties":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":100,"type":"array"},"type":"object"},"created_at":{"type":"string"},"experimental_data_stream_features":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":true,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"install_format_schema_version":{"type":"string"},"install_source":{"enum":["registry","upload","bundled","custom"],"type":"string"},"install_status":{"enum":["installed","installing","install_failed"],"type":"string"},"installed_es":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string
"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana_space_id":{"type":"string"},"is_rollback_ttl_expired":{"type":"boolean"},"latest_executed_state":{"additionalProperties":true,"type":"object","properties":{"error":{"type":"string"},"name":{"type":"string"},"started_at":{"type":"string"}}},"latest_install_failed_attempts":{"items":{"additionalProperties":true,"type":"object","properties":{"created_at":{"type":"string"},"error":{"additionalProperties":true,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"},"stack":{"type":"string"}},"required":["name","message"]},"target_version":{"type":"string"}},"required":["created_at","target_version","error"]},"maxItems":10,"type":"array"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"previous_version":{"nullable":true,"type":"string"},"rolled_back":{"type":"boolean"},"type":{"type":"string"},"updated_at":{"type":"string"},"verification_key_id":{"nullable":true,"type":"string"},"verification_status":{"enum":["unverified","verified","unknown"],"type":"string"},"version":{"type":"string"}},"required":["type","installed_kibana","installed_es","name","version","install_status","install_source","verification_status"]},"internal":{"type":"boolean"},"keepPoliciesUp
ToDate":{"type":"boolean"},"latestVersion":{"type":"string"},"license":{"type":"string"},"licensePath":{"type":"string"},"name":{"type":"string"},"notice":{"type":"string"},"owner":{"additionalProperties":true,"type":"object","properties":{"github":{"type":"string"},"type":{"enum":["elastic","partner","community"],"type":"string"}}},"path":{"type":"string"},"policy_templates":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"readme":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"screenshots":{"items":{"additionalProperties":false,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":100,"type":"array"},"signature_path":{"type":"string"},"source":{"additionalProperties":true,"type":"object","properties":{"license":{"type":"string"}},"required":["license"]},"status":{"type":"string"},"title":{"type":"string"},"type":{"anyOf":[{"enum":["integration"],"type":"string"},{"enum":["input"],"type":"string"},{"enum":["content"],"type":"string"},{"type":"string"}]},"var_groups":{"items":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"options":{"items":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"hide_in_deployment_modes":{"items":{"enum":["default","agentless"],"type":"string"},"maxItems":2,"type":"array"},"name":{"type":"string"},"title":{"type":"string"},"vars":{"items":{"type":"string"},"maxItems":100,"type":"array"}},"required":["name","title","vars"]},"maxItems":100,"type":"array"},"selector_title":{"type":"string"},"title":{"type":"string"}},"required":["name","title","selector_title","options"]},"maxItems":100,"type":"array"},"vars":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems"
:1000,"type":"array"},"version":{"type":"string"}},"required":["name","version","title","assets"]},"metadata":{"additionalProperties":false,"type":"object","properties":{"has_policies":{"type":"boolean"}},"required":["has_policies"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInstall a specific version of a package from the Elastic Package Registry.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-pkgname-pkgversion","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"ignoreMappingUpdateErrors","required":false,"schema":{"default":false,"type":"boolean"}},{"in":"query","name":"skipDataStreamRollover","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Skip dependency validation when installing a package with dependencies","in":"query","name":"skipDependencyCheck","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"postInstallPackageRequestExample":{"description":"Install a package, optionally ignoring constraints","value":{"ignore_constraints":false}}},"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"force":{"default":false,"type":"boolean"},"ignore_constraints":{"default":false,"type":"boolean"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postInstallPackageExample":{"description":"Package successfully 
installed","value":{"_meta":{"install_source":"registry"},"items":[{"id":"aws-logs-aws.cloudwatch_logs-default","type":"index_template"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"_meta":{"additionalProperties":false,"type":"object","properties":{"install_source":{"type":"string"},"name":{"type":"string"}},"required":["install_source","name"]},"items":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},{"additionalProperties":false,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]}]},"maxItems":10000,"type":"array"}},"required":["items","_meta"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Install a package from the registry","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate settings for a specific version of a package.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"put-fleet-epm-packages-pkgname-pkgversion","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putUpdatePackageRequestExample":{"description":"Update keep_policies_up_to_date setting for a package","value":{"keepPoliciesUpToDate":true}}},"schema":{"additionalProperties":false,"type":"object","properties":{"keepPoliciesUpToDate":{"type":"boolean"}},"required":["keepPoliciesUpToDate"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putUpdatePackageExample":{"description":"Updated package 
settings","value":{"item":{"keepPoliciesUpToDate":true,"name":"aws","version":"2.10.0"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":true,"type":"object","properties":{"agent":{"additionalProperties":false,"type":"object","properties":{"privileges":{"additionalProperties":false,"type":"object","properties":{"root":{"type":"boolean"}}}}},"asset_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"asset_ids":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"asset_types":{"items":{"type":"string"},"maxItems":100,"type":"array"},"text":{"type":"string"}},"required":["text"]},"maxItems":1000,"type":"array"},"assets":{"additionalProperties":{"nullable":true},"type":"object"},"categories":{"items":{"type":"string"},"maxItems":100,"type":"array"},"conditions":{"additionalProperties":true,"type":"object","properties":{"deprecated":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"elastic":{"additionalProperties":true,"type":"object","properties":{"capabilities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"subscription":{"type":"string"}}},"kibana":{"additionalProperties":true,"type":"object","properties":{"version":{"type":"string"}}}}},"data_streams":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"deprecated":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"description":{"type":"string"},"discovery":{"additionalProperties":true,"type":"object","properties":{"datasets":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"max
Items":100,"type":"array"},"fields":{"items":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"maxItems":100,"type":"array"}}},"download":{"type":"string"},"elasticsearch":{"additionalProperties":{"nullable":true},"type":"object"},"format_version":{"type":"string"},"icons":{"items":{"additionalProperties":true,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":100,"type":"array"},"installationInfo":{"additionalProperties":true,"type":"object","properties":{"additional_spaces_installed_kibana":{"additionalProperties":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":100,"type":"array"},"type":"object"},"created_at":{"type":"string"},"experimental_data_stream_features":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":true,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"install_format_schema_version":{"type":"string"},"install_source":{"enum":["registry","upload","bundled","custom"],"type":"string"},"install_status":{"enum":["installed","installing","install_failed"],"type":"string"},"installed_es":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"typ
e":"string"},"type":{"enum":["index","index_template","component_template","ingest_pipeline","ilm_policy","data_stream_ilm_policy","transform","ml_model","knowledge_base","esql_view"],"type":"string"},"version":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana":{"items":{"additionalProperties":true,"type":"object","properties":{"deferred":{"type":"boolean"},"id":{"type":"string"},"originId":{"type":"string"},"type":{"anyOf":[{"enum":["dashboard","lens","visualization","search","index-pattern","map","ml-module","security-rule","csp-rule-template","osquery-pack-asset","osquery-saved-query","tag"],"type":"string"},{"type":"string"}]}},"required":["id","type"]},"maxItems":10000,"type":"array"},"installed_kibana_space_id":{"type":"string"},"is_rollback_ttl_expired":{"type":"boolean"},"latest_executed_state":{"additionalProperties":true,"type":"object","properties":{"error":{"type":"string"},"name":{"type":"string"},"started_at":{"type":"string"}}},"latest_install_failed_attempts":{"items":{"additionalProperties":true,"type":"object","properties":{"created_at":{"type":"string"},"error":{"additionalProperties":true,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"},"stack":{"type":"string"}},"required":["name","message"]},"target_version":{"type":"string"}},"required":["created_at","target_version","error"]},"maxItems":10,"type":"array"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"previous_version":{"nullable":true,"type":"string"},"rolled_back":{"type":"boolean"},"type":{"type":"string"},"updated_at":{"type":"string"},"verification_key_id":{"nullable":true,"type":"string"},"verification_status":{"enum":["unverified","verified","unknown"],"type":"string"},"version":{"type":"string"}},"required":["type","installed_kibana","installed_es","name","version","install_status","install_source","verification_status"]},"internal":{"type":"boolean"},"keep
PoliciesUpToDate":{"type":"boolean"},"latestVersion":{"type":"string"},"license":{"type":"string"},"licensePath":{"type":"string"},"name":{"type":"string"},"notice":{"type":"string"},"owner":{"additionalProperties":true,"type":"object","properties":{"github":{"type":"string"},"type":{"enum":["elastic","partner","community"],"type":"string"}}},"path":{"type":"string"},"policy_templates":{"items":{"additionalProperties":{"nullable":true},"type":"object"},"maxItems":1000,"type":"array"},"readme":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"screenshots":{"items":{"additionalProperties":false,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":100,"type":"array"},"signature_path":{"type":"string"},"source":{"additionalProperties":true,"type":"object","properties":{"license":{"type":"string"}},"required":["license"]},"status":{"type":"string"},"title":{"type":"string"},"type":{"anyOf":[{"enum":["integration"],"type":"string"},{"enum":["input"],"type":"string"},{"enum":["content"],"type":"string"},{"type":"string"}]},"var_groups":{"items":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"name":{"type":"string"},"options":{"items":{"additionalProperties":true,"type":"object","properties":{"description":{"type":"string"},"hide_in_deployment_modes":{"items":{"enum":["default","agentless"],"type":"string"},"maxItems":2,"type":"array"},"name":{"type":"string"},"title":{"type":"string"},"vars":{"items":{"type":"string"},"maxItems":100,"type":"array"}},"required":["name","title","vars"]},"maxItems":100,"type":"array"},"selector_title":{"type":"string"},"title":{"type":"string"}},"required":["name","title","selector_title","options"]},"maxItems":100,"type":"array"},"vars":{"items":{"additionalProperties":{"nullable":true},"type":"object"},
"maxItems":1000,"type":"array"},"version":{"type":"string"}},"required":["name","version","title","assets"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Update package settings","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/{filePath}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/{filePath}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the contents of a specific file from a package.<br\/><br\/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages-pkgname-pkgversion-filepath","parameters":[{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"path","name":"filePath","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getPackageFileExample":{"description":"The content of the requested package file","value":"<file 
content>"}},"schema":{}}},"description":"Successful response \u2014 returns the file content"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get a package file","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/datastream_assets":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/datastream_assets<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete datastream assets for a specific input package, by data stream name.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"query","name":"packagePolicyId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deletePackageDatastreamAssetsExample":{"description":"Package datastream assets successfully deleted","value":{"items":[{"id":"logs-my_package.access-default","type":"index_template"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"}},"required":["success"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Delete assets for an input package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/dependencies":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/dependencies<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the list of packages that a specific package depends on.<br\/><br\/>[Required 
authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages-pkgname-pkgversion-dependencies","parameters":[{"description":"Package name","in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"description":"Package version","in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"dependenciesResponse":{"value":{"items":[{"name":"aws","title":"AWS","version":"^2.0.0"},{"name":"system","title":"System","version":"^1.0.0"}]}},"noDependenciesResponse":{"value":{"items":[]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"},"version":{"type":"string"}},"required":["name","version","title"]},"maxItems":1000,"type":"array"}},"required":["items"]}}},"description":"OK: A successful request."},"400":{"content":{"application\/json":{"examples":{"packageNotFoundResponse":{"value":{"message":"[my-package-1.0.0] package not found in registry"}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Get package dependencies","tags":["Elastic Package Manager (EPM)"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/kibana_assets":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/kibana_assets<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete Kibana assets (dashboards, visualizations, etc.) for a specific package version.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteKibanaAssetsExample":{"description":"Kibana assets successfully deleted","value":{"items":[{"id":"dashboard-id-1","type":"dashboard"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"}},"required":["success"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Delete Kibana assets for a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this 
operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/kibana_assets<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInstall Kibana assets (dashboards, visualizations, etc.) for a specific package version.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-pkgname-pkgversion-kibana-assets","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postInstallKibanaAssetsRequestExample":{"description":"Install Kibana assets for a specific package version","value":{}}},"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"force":{"type":"boolean"},"space_ids":{"description":"When provided install assets in the specified spaces instead of the current space.","items":{"type":"string"},"maxItems":100,"minItems":1,"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postInstallKibanaAssetsExample":{"description":"Kibana assets successfully installed","value":{"items":[{"id":"dashboard-id-1","type":"dashboard"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"}},"required":["success"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went 
wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Install Kibana assets for a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/rule_assets":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/rule_assets<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInstall Kibana alert rule assets for a specific package version.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-pkgname-pkgversion-rule-assets","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postInstallRuleAssetsRequestExample":{"description":"Install alert rule assets for a specific package version","value":{}}},"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"force":{"type":"boolean"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postInstallRuleAssetsExample":{"description":"Rule assets successfully 
installed","value":{"items":[{"id":"rule-asset-id-1","type":"security_rule"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"}},"required":["success"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Install Kibana alert rule for a package","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/transforms\/authorize":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/{pkgVersion}\/transforms\/authorize<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReauthorize Elasticsearch transforms installed by a package with secondary authorization headers.","operationId":"post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"postReauthorizeTransformsRequestExample":{"description":"Reauthorize transforms for a package","value":{"transforms":[{"destinations":[{"index":"logs-transform-dest"}],"transformId":"logs-transform-1"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"transforms":{"items":{"additionalProperties":false,"type":"object","properties":{"transformId":{"type":"string"}},"required":["transformId"]},"maxItems":1000,"type":"array"}},"required":["transforms"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postReauthorizeTransformsExample":{"description":"Transforms successfully reauthorized","value":[{"success":true,"transformId":"logs-transform-1"}]}},"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"error":{"nullable":true},"success":{"type":"boolean"},"transformId":{"type":"string"}},"required":["transformId","success","error"]},"maxItems":10000,"type":"array"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Authorize transforms","tags":["Elastic Package Manager 
(EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}\/review_upgrade":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/review_upgrade<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReview and accept or reject a pending policy upgrade for a package that contains deprecations.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-pkgname-review-upgrade","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Package name to review upgrade for","in":"path","name":"pkgName","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"acceptUpgrade":{"value":{"action":"accept","target_version":"2.0.0"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["accept","decline","pending"],"type":"string"},"target_version":{"type":"string"}},"required":["action","target_version"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"successResponse":{"value":{"success":true}}},"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"}},"required":["success"]}}},"description":"OK: A successful request."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Review a pending policy upgrade for a package with deprecations","tags":["Elastic Package Manager (EPM)"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}\/rollback":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/rollback<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRollback a package to its previously installed version.<br\/><br\/>[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.","operationId":"post-fleet-epm-packages-pkgname-rollback","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Package name to roll back","in":"path","name":"pkgName","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"successResponse":{"value":{"success":true,"version":"1.0.0"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"success":{"type":"boolean"},"version":{"type":"string"}},"required":["version","success"]}}},"description":"OK: A successful request."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"value":{"message":"Bad Request"}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"A bad request."}},"summary":"Rollback a package to previous version","tags":["Elastic Package Manager (EPM)"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/{pkgName}\/stats":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/{pkgName}\/stats<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet usage statistics for a specific package, such as the number of agent policies using it.<br\/><br\/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages-pkgname-stats","parameters":[{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getPackageStatsExample":{"description":"Usage stats for a specific package","value":{"response":{"agent_policy_count":3}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"response":{"additionalProperties":false,"type":"object","properties":{"agent_policy_count":{"type":"number"},"package_policy_count":{"type":"number"}},"required":["agent_policy_count","package_policy_count"]}},"required":["response"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went 
wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get package stats","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/installed":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/installed<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all currently installed integration packages.<br\/><br\/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages-installed","parameters":[{"in":"query","name":"dataStreamType","required":false,"schema":{"enum":["logs","metrics","traces","synthetics","profiling"],"type":"string"}},{"in":"query","name":"showOnlyActiveDataStreams","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"nameQuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"searchAfter","required":false,"schema":{"items":{"anyOf":[{"type":"string"},{"type":"number"}]},"maxItems":10,"type":"array"}},{"in":"query","name":"perPage","required":false,"schema":{"default":15,"type":"number"}},{"in":"query","name":"sortOrder","required":false,"schema":{"default":"asc","enum":["asc","desc"],"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getInstalledPackagesExample":{"description":"List of installed integration 
packages","value":{"items":[{"name":"system","status":"installed","title":"System","version":"1.55.0"},{"name":"elastic_agent","status":"installed","title":"Elastic Agent","version":"1.15.0"}],"searchExcluded":0,"total":2}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"dataStreams":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"title":{"type":"string"}},"required":["name","title"]},"maxItems":10000,"type":"array"},"description":{"type":"string"},"icons":{"items":{"additionalProperties":false,"type":"object","properties":{"dark_mode":{"type":"boolean"},"path":{"type":"string"},"size":{"type":"string"},"src":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"}},"required":["src"]},"maxItems":100,"type":"array"},"name":{"type":"string"},"status":{"type":"string"},"title":{"type":"string"},"version":{"type":"string"}},"required":["name","version","status","dataStreams"]},"maxItems":10000,"type":"array"},"searchAfter":{"items":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"nullable":true}],"nullable":true},"maxItems":2,"type":"array"},"total":{"type":"number"}},"required":["items","total"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get installed packages","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, 
Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/packages\/limited":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/packages\/limited<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).<br\/><br\/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-packages-limited","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getLimitedPackagesExample":{"description":"List of packages that cannot be uninstalled","value":{"items":["elastic_agent","fleet_server"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"type":"string"},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get a limited package list","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/templates\/{pkgName}\/{pkgVersion}\/inputs":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/templates\/{pkgName}\/{pkgVersion}\/inputs<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet an inputs template for a package, used to pre-populate package policy forms.<br\/><br\/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-templates-pkgname-pkgversion-inputs","parameters":[{"in":"path","name":"pkgName","required":true,"schema":{"type":"string"}},{"in":"path","name":"pkgVersion","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"default":"json","enum":["json","yml","yaml"],"type":"string"}},{"in":"query","name":"prerelease","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"ignoreUnverified","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getInputsTemplateExample":{"description":"Inputs template for a package","value":{"inputs":[{"description":"Collect logs from log files","title":"Collect logs from 
files","type":"logfile","vars":[{"name":"paths","required":true,"title":"Paths","type":"text"}]}]}}},"schema":{"anyOf":[{"type":"string"},{"additionalProperties":false,"type":"object","properties":{"connectors":{"additionalProperties":{"nullable":true},"type":"object"},"exporters":{"additionalProperties":{"nullable":true},"type":"object"},"extensions":{"additionalProperties":{"nullable":true},"type":"object"},"inputs":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"streams":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"additionalProperties":true,"type":"object","properties":{"dataset":{"type":"string"},"type":{"type":"string"}},"required":["dataset"]},"id":{"type":"string"}},"required":["id","data_stream"]},"maxItems":10000,"type":"array"},"type":{"type":"string"}},"required":["id","type"]},"maxItems":10000,"type":"array"},"processors":{"additionalProperties":{"nullable":true},"type":"object"},"receivers":{"additionalProperties":{"nullable":true},"type":"object"},"service":{"additionalProperties":false,"type":"object","properties":{"extensions":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"pipelines":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"exporters":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"processors":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"receivers":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},"x-oas-optional":true},"type":"object"}}}},"required":["inputs"]}]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get an inputs template","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/epm\/verification_key_id":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/epm\/verification_key_id<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.<br\/><br\/>[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.","operationId":"get-fleet-epm-verification-key-id","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getVerificationKeyIdExample":{"description":"The GPG key ID used to verify package signatures","value":{"id":"D27D666CD88E42B4"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"nullable":true,"type":"string"}},"required":["id"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad 
Request"}},"summary":"Get a package signature verification key ID","tags":["Elastic Package Manager (EPM)"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/fleet_server_hosts":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/fleet_server_hosts<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all Fleet Server hosts.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.","operationId":"get-fleet-fleet-server-hosts","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getFleetServerHostsExample":{"description":"List of Fleet Server hosts","value":{"items":[{"host_urls":["https:\/\/fleet-server.example.com:8220"],"id":"fleet-server-host-id-1","is_default":true,"is_preconfigured":false,"name":"Default Fleet 
Server"}],"page":1,"perPage":20,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["name","host_urls","id"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"Successful 
response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get Fleet Server hosts","tags":["Fleet Server hosts"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/fleet_server_hosts<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new Fleet Server host.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-fleet-server-hosts","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postFleetServerHostRequestExample":{"description":"Create a new Fleet Server host","value":{"host_urls":["https:\/\/fleet-server.example.com:8220"],"is_default":false,"name":"My Fleet 
Server"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["name","host_urls"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postFleetServerHostExample":{"description":"The created Fleet Server host","value":{"item":{"host_urls":["https:\/\/fleet-server.example.com:8220"],"id":"fleet-server-host-id-2","is_default":false,"is_preconfigured":false,"name":"My Fleet 
Server"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["name","host_urls","id"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went 
wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Create a Fleet Server host","tags":["Fleet Server hosts"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/fleet_server_hosts\/{itemId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/fleet_server_hosts\/{itemId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a Fleet Server host by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"delete-fleet-fleet-server-hosts-itemid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteFleetServerHostExample":{"description":"The Fleet Server host was successfully deleted","value":{"id":"fleet-server-host-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No Fleet Server host was found with the given ID","value":{"error":"Not Found","message":"Fleet server fleet-server-host-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Delete a Fleet Server host","tags":["Fleet Server hosts"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/fleet_server_hosts\/{itemId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a Fleet Server host by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-read.","operationId":"get-fleet-fleet-server-hosts-itemid","parameters":[{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getFleetServerHostExample":{"description":"A Fleet Server host","value":{"item":{"host_urls":["https:\/\/fleet-server.example.com:8220"],"id":"fleet-server-host-id-1","is_default":true,"is_preconfigured":false,"name":"Default Fleet 
Server"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["name","host_urls","id"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went 
wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No Fleet Server host was found with the given ID","value":{"error":"Not Found","message":"Fleet server fleet-server-host-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Get a Fleet Server host","tags":["Fleet Server hosts"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/fleet_server_hosts\/{itemId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a Fleet Server host by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"put-fleet-fleet-server-hosts-itemid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putFleetServerHostRequestExample":{"description":"Update a Fleet Server host","value":{"host_urls":["https:\/\/updated-fleet-server.example.com:8220"],"is_default":false,"name":"Updated Fleet 
Server"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"is_default":{"type":"boolean"},"is_internal":{"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["proxy_id"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putFleetServerHostExample":{"description":"The updated Fleet Server host","value":{"item":{"host_urls":["https:\/\/updated-fleet-server.example.com:8220"],"id":"fleet-server-host-id-1","is_default":false,"is_preconfigured":false,"name":"Updated Fleet 
Server"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"host_urls":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"agent_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"es_key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"ssl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"agent_certificate":{"type":"string"},"agent_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"agent_key":{"type":"string"},"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"client_auth":{"enum":["optional","required","none"],"type":"string"},"es_certificate":{"type":"string"},"es_certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"es_key":{"type":"string"},"key":{"type":"string"}}}},"required":["name","host_urls","id"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went 
wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No Fleet Server host was found with the given ID","value":{"error":"Not Found","message":"Fleet server fleet-server-host-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Update a Fleet Server host","tags":["Fleet Server hosts"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/health_check":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/health_check<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCheck the health status of a Fleet Server instance by its host ID. 
Returns the server status and name if available.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-health-check","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postHealthCheckRequestExample":{"description":"Check the health of a Fleet Server instance by its host ID","value":{"id":"fleet-server-host-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postHealthCheckHealthyExample":{"description":"Fleet Server is online and healthy","value":{"name":"fleet-server-1","status":"ONLINE"}},"postHealthCheckUnreachableExample":{"description":"Fleet Server host is not reachable (request timed out or aborted)","value":{"host_id":"fleet-server-host-id-1","status":"OFFLINE"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"host_id":{"type":"string"},"name":{"type":"string"},"status":{"type":"string"}},"required":["status"]}}},"description":"Successful health check response"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"description":"The host ID exists but has no associated host URLs configured","value":{"error":"Bad Request","message":"The requested host id fleet-server-host-id-1 does not have associated host urls.","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No Fleet Server host 
was found with the given ID","value":{"error":"Not Found","message":"The requested host id fleet-server-host-id-1 does not exist.","statusCode":404}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Not Found"}},"summary":"Check Fleet Server health","tags":["Fleet internals"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/kubernetes":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/kubernetes<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the Kubernetes manifest for deploying Elastic Agent.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.","operationId":"get-fleet-kubernetes","parameters":[{"in":"query","name":"download","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"fleetServer","required":false,"schema":{"type":"string"}},{"in":"query","name":"enrolToken","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getK8sManifestExample":{"description":"The Kubernetes manifest for deploying Elastic Agent","value":{"item":"apiVersion: v1\\nkind: ConfigMap\\nmetadata:\\n  name: agent-node-datastreams\\n  namespace: kube-system\\n"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"type":"string"}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error 
response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get a full K8s agent manifest","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/kubernetes\/download":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/kubernetes\/download<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDownload the Kubernetes manifest for deploying Elastic Agent.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.","operationId":"get-fleet-kubernetes-download","parameters":[{"in":"query","name":"download","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"fleetServer","required":false,"schema":{"type":"string"}},{"in":"query","name":"enrolToken","required":false,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getDownloadK8sManifestExample":{"description":"The Kubernetes manifest download","value":"apiVersion: v1\\nkind: ConfigMap\\nmetadata:\\n  name: agent-node-datastreams\\n  namespace: kube-system\\n"}},"schema":{"type":"string"}}},"description":"Successful response \u2014 returns the Kubernetes manifest as a YAML file download"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad 
Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No manifest was found","value":{"error":"Not Found","message":"Agent manifest not found","statusCode":404}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Not Found"}},"summary":"Download an agent manifest","tags":["Elastic Agent policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/logstash_api_keys":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/logstash_api_keys<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGenerate an API key for Logstash to use with a Fleet output.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-logstash-api-keys","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"postLogstashApiKeyExample":{"description":"The generated Logstash API 
key","value":{"api_key":"TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"api_key":{"type":"string"}},"required":["api_key"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Generate a Logstash API key","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/message_signing_service\/rotate_key_pair":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/message_signing_service\/rotate_key_pair<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. 
You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.","operationId":"post-fleet-message-signing-service-rotate-key-pair","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"acknowledge","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"rotateKeyPairSuccessExample":{"description":"The key pair was rotated. All agents must be re-enrolled to receive the new signing key.","value":{"message":"Key pair rotated successfully."}}},"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Key pair rotated successfully"},"400":{"content":{"application\/json":{"examples":{"acknowledgeRequiredExample":{"description":"Request was rejected because the acknowledge query parameter was not set to true","value":{"error":"Bad Request","message":"Warning: this API will cause a key pair to rotate and should not be necessary in normal operation.  If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters.  
For more information, reach out to your administrator.","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"500":{"content":{"application\/json":{"examples":{"serviceUnavailableExample":{"description":"The message signing service is not available","value":{"error":"Internal Server Error","message":"Failed to rotate key pair. Message signing service is unavailable!","statusCode":500}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Internal Server Error"}},"summary":"Rotate a Fleet message signing key pair","tags":["Message Signing Service"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/outputs":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/outputs<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all Fleet outputs.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.","operationId":"get-fleet-outputs","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getOutputsExample":{"description":"List of Fleet outputs","value":{"items":[{"hosts":["https:\/\/elasticsearch.example.com:9200"],"id":"output-id-1","is_default":true,"is_default_monitoring":true,"name":"Default 
output","type":"elasticsearch"}],"page":1,"perPage":20,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"anyOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_remote_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_logstash"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_kafka"}]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get outputs","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/outputs<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new Fleet output.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-outputs","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postOutputRequestExample":{"description":"Create a new Elasticsearch output","value":{"hosts":["https:\/\/elasticsearch.example.com:9200"],"is_default":false,"is_default_monitoring":false,"name":"My output","type":"elasticsearch"}}},"schema":{"anyOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_new_output_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_new_output_remote_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_new_output_logstash"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_new_output_kafka"}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postOutputExample":{"description":"The created Fleet output","value":{"item":{"hosts":["https:\/\/elasticsearch.example.com:9200"],"id":"output-id-2","is_default":false,"is_default_monitoring":false,"name":"My output","type":"elasticsearch"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"anyOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_remote_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_logstash"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_kafka"}]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Create output","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/outputs\/{outputId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/outputs\/{outputId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete output by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"delete-fleet-outputs-outputid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"outputId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteOutputExample":{"description":"The output was successfully deleted","value":{"id":"output-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No output was found with the given ID","value":{"error":"Not Found","message":"Output output-id-1 not found","statusCode":404}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Not Found"}},"summary":"Delete output","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/outputs\/{outputId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet output by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.","operationId":"get-fleet-outputs-outputid","parameters":[{"in":"path","name":"outputId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getOutputExample":{"description":"A Fleet output","value":{"item":{"hosts":["https:\/\/elasticsearch.example.com:9200"],"id":"output-id-1","is_default":true,"is_default_monitoring":true,"name":"Default 
output","type":"elasticsearch"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"anyOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_remote_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_logstash"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_kafka"}]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No output was found with the given ID","value":{"error":"Not Found","message":"Output output-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Get output","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/outputs\/{outputId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate output by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.","operationId":"put-fleet-outputs-outputid","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"outputId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putOutputRequestExample":{"description":"Update a Fleet output","value":{"hosts":["https:\/\/updated-elasticsearch.example.com:9200"],"name":"Updated output"}}},"schema":{"anyOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_update_output_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_update_output_remote_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_update_output_logstash"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_update_output_kafka"}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putOutputExample":{"description":"The updated Fleet output","value":{"item":{"hosts":["https:\/\/updated-elasticsearch.example.com:9200"],"id":"output-id-1","is_default":true,"is_default_monitoring":true,"name":"Updated output","type":"elasticsearch"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"anyOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_remote_elasticsearch"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_logstash"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_kafka"}]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No output was found with the given ID","value":{"error":"Not Found","message":"Output output-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Update output","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/outputs\/{outputId}\/health":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/outputs\/{outputId}\/health<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the latest health status of an output by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-read.","operationId":"get-fleet-outputs-outputid-health","parameters":[{"in":"path","name":"outputId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getOutputHealthExample":{"description":"The latest health status of a Fleet output","value":{"message":"","state":"HEALTHY","timestamp":"2024-01-15T10:00:00.000Z"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"description":"long message if unhealthy","type":"string"},"state":{"description":"state of output, HEALTHY or DEGRADED","type":"string"},"timestamp":{"description":"timestamp of reported state","type":"string"}},"required":["state","message","timestamp"]}}},"description":"Successful 
response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get the latest output health","tags":["Fleet outputs"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/package_policies":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/package_policies<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all package policies.","operationId":"get-fleet-package-policies","parameters":[{"in":"query","name":"page","required":false,"schema":{"type":"number"}},{"in":"query","name":"perPage","required":false,"schema":{"type":"number"}},{"in":"query","name":"sortField","required":false,"schema":{"type":"string"}},{"in":"query","name":"sortOrder","required":false,"schema":{"enum":["desc","asc"],"type":"string"}},{"in":"query","name":"showUpgradeable","required":false,"schema":{"type":"boolean"}},{"in":"query","name":"kuery","required":false,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}},{"in":"query","name":"withAgentCount","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getPackagePoliciesExample":{"description":"List of package 
policies","value":{"items":[{"created_at":"2024-01-15T10:00:00.000Z","enabled":true,"id":"package-policy-id-1","inputs":[],"name":"nginx-1","namespace":"default","package":{"name":"nginx","title":"Nginx","version":"1.20.0"},"policy_ids":["agent-policy-id-1"],"updated_at":"2024-01-15T10:00:00.000Z"}],"page":1,"perPage":20,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get package policies","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/package_policies<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new package policy and assign it to an agent policy.","operationId":"post-fleet-package-policies","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postPackagePolicyRequestExample":{"description":"Create a new nginx package policy","value":{"inputs":{},"name":"nginx-1","namespace":"default","package":{"name":"nginx","version":"1.20.0"},"policy_ids":["agent-policy-id-1"]}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"description":{"description":"Package policy description","type":"string"},"enabled":{"type":"boolean"},"force":{"description":"Force package policy creation even if the package is not verified, or if the agent policy is managed.","type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier","type":"string"},"inputs":{"items":{"additionalProperties":false,"type":"object","properties":{"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled"]},"maxItems":1000,"type":"array"},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added 
to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"deprecated":true,"description":"Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["name","inputs"]},{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":100,"nullable":true,"type":"array"},"description":{"description":"Policy description.","type":"string"},"force":{"description":"Force package policy creation even if the package is not verified, or if the agent policy is managed.","type":"boolean"},"id":{"description":"Policy unique 
identifier.","type":"string"},"inputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. 
Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object"},"name":{"description":"Unique name for the policy.","type":"string"},"namespace":{"description":"Policy namespace. When not specified, it inherits the agent policy namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"Deprecated. 
Use policy_ids instead.","nullable":true,"type":"string"},"policy_ids":{"description":"IDs of the agent policies which that package policy will be added to.","items":{"type":"string"},"maxItems":1000,"type":"array"},"supports_agentless":{"default":false,"deprecated":true,"description":"Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.","nullable":true,"type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}},"required":["name","package"]}],"description":"You should use inputs as an object and not use the deprecated inputs array."}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postPackagePolicyExample":{"description":"The created package policy","value":{"item":{"created_at":"2024-01-15T10:00:00.000Z","enabled":true,"id":"package-policy-id-2","inputs":[],"name":"nginx-1","namespace":"default","package":{"name":"nginx","title":"Nginx","version":"1.20.0"},"policy_ids":["agent-policy-id-1"],"updated_at":"2024-01-15T10:00:00.000Z"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"409":{"content":{"application\/json":{"examples":{"conflictExample":{"description":"A package policy with the same name already exists","value":{"error":"Conflict","message":"An error message describing what went wrong","statusCode":409}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Conflict"}},"summary":"Create a package policy","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/package_policies\/_bulk_get":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/package_policies\/_bulk_get<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet multiple package policies by ID.","operationId":"post-fleet-package-policies-bulk-get","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postBulkGetPackagePoliciesRequestExample":{"description":"Retrieve multiple package policies by ID","value":{"ids":["package-policy-id-1","package-policy-id-2"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"ids":{"description":"List of package policy IDs","items":{"type":"string"},"maxItems":1000,"type":"array"},"ignoreMissing":{"type":"boolean"}},"required":["ids"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postBulkGetPackagePoliciesExample":{"description":"The requested package policies","value":{"items":[{"created_at":"2024-01-15T10:00:00.000Z","enabled":true,"id":"package-policy-id-1","inputs":[],"name":"nginx-1","namespace":"default","package":{"name":"nginx","title":"Nginx","version":"1.20.0"},"policy_ids":["agent-policy-id-1"],"updated_at":"2024-01-15T10:00:00.000Z"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during 
creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. 
Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]},"maxItems":10000,"type":"array"}},"required":["items"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"One or more package policies were not found","value":{"error":"Not Found","message":"Package policy package-policy-id-2 not found","statusCode":404}}},"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Not Found"}},"summary":"Bulk get package policies","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/package_policies\/{packagePolicyId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/package_policies\/{packagePolicyId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a package policy by ID.<br\/><br\/>[Required authorization] 
Route required privileges: fleet-agent-policies-all AND integrations-all.","operationId":"delete-fleet-package-policies-packagepolicyid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"packagePolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"force","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deletePackagePolicyExample":{"description":"The package policy was successfully deleted","value":{"id":"package-policy-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Delete a package policy","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/package_policies\/{packagePolicyId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a package policy by 
ID.","operationId":"get-fleet-package-policies-packagepolicyid","parameters":[{"in":"path","name":"packagePolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getPackagePolicyExample":{"description":"A package policy","value":{"item":{"created_at":"2024-01-15T10:00:00.000Z","enabled":true,"id":"package-policy-id-1","inputs":[],"name":"nginx-1","namespace":"default","package":{"name":"nginx","title":"Nginx","version":"1.20.0"},"policy_ids":["agent-policy-id-1"],"updated_at":"2024-01-15T10:00:00.000Z"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No package policy was found with the given ID","value":{"error":"Not Found","message":"Package policy package-policy-id-1 not found","statusCode":404}}},"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Not Found"}},"summary":"Get a package policy","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/package_policies\/{packagePolicyId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a package policy by ID.","operationId":"put-fleet-package-policies-packagepolicyid","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"packagePolicyId","required":true,"schema":{"type":"string"}},{"in":"query","name":"format","required":false,"schema":{"enum":["simplified","legacy"],"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putPackagePolicyRequestExample":{"description":"Update a package policy","value":{"enabled":true,"inputs":{},"name":"nginx-1-updated","namespace":"default","package":{"name":"nginx","version":"1.20.0"},"policy_ids":["agent-policy-id-1"]}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"description":{"description":"Package policy description","type":"string"},"enabled":{"type":"boolean"},"force":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"inputs":{"items":{"additionalProperties":false,"type":"object","properties":{"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled"]},"maxItems":1000,"type":"array"},"is_managed":{"type":"boolean"},"name":{"type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the 
agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"version":{"type":"string"}}},{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":100,"nullable":true,"type":"array"},"description":{"description":"Policy description.","type":"string"},"force":{"description":"Force package policy creation even if the package is not verified, or if the agent policy is managed.","type":"boolean"},"id":{"description":"Policy unique identifier.","type":"string"},"inputs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. 
Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. 
Refer to the integration documentation to know which inputs are available.","type":"object"},"name":{"description":"Unique name for the policy.","type":"string"},"namespace":{"description":"Policy namespace. When not specified, it inherits the agent policy namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"Deprecated. Use policy_ids instead.","nullable":true,"type":"string"},"policy_ids":{"description":"IDs of the agent policies which that package policy will be added to.","items":{"type":"string"},"maxItems":1000,"type":"array"},"supports_agentless":{"default":false,"deprecated":true,"description":"Indicates whether the package policy belongs to an agentless agent policy. Deprecated in favor of the Fleet agentless policies API.","nullable":true,"type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}},"required":["name","package"]}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putPackagePolicyExample":{"description":"The updated package policy","value":{"item":{"created_at":"2024-01-15T10:00:00.000Z","enabled":true,"id":"package-policy-id-1","inputs":[],"name":"nginx-1-updated","namespace":"default","package":{"name":"nginx","title":"Nginx","version":"1.20.0"},"policy_ids":["agent-policy-id-1"],"updated_at":"2024-01-15T11:00:00.000Z"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy 
description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"description":"Package policy unique identifier.","type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","id","revision","updated_at","updated_by","created_at","created_by"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"description":"The update is not authorized for this package","value":{"error":"Forbidden","message":"An error message describing what went wrong","statusCode":403}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Forbidden"}},"summary":"Update a package policy","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/package_policies\/delete":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/package_policies\/delete<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete multiple package policies by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.","operationId":"post-fleet-package-policies-delete","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postDeletePackagePoliciesRequestExample":{"description":"Delete multiple package policies by ID","value":{"packagePolicyIds":["package-policy-id-1","package-policy-id-2"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"force":{"type":"boolean"},"packagePolicyIds":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},"required":["packagePolicyIds"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postDeletePackagePoliciesExample":{"description":"Results of the bulk delete 
operation","value":[{"id":"package-policy-id-1","success":true},{"id":"package-policy-id-2","success":true}]}},"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"body":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"id":{"type":"string"},"name":{"type":"string"},"output_id":{"nullable":true,"type":"string"},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"policy_id":{"deprecated":true,"description":"Use `policy_ids` instead","nullable":true,"type":"string"},"policy_ids":{"items":{"type":"string"},"maxItems":10000,"type":"array"},"statusCode":{"type":"number"},"success":{"type":"boolean"}},"required":["id","success","policy_ids","package"]},"maxItems":10000,"type":"array"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Bulk delete package policies","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/package_policies\/upgrade":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/package_policies\/upgrade<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpgrade a package policy to a newer package version.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.","operationId":"post-fleet-package-policies-upgrade","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postUpgradePackagePoliciesRequestExample":{"description":"Upgrade package policies to the latest version","value":{"packagePolicyIds":["package-policy-id-1"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"packagePolicyIds":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},"required":["packagePolicyIds"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postUpgradePackagePoliciesExample":{"description":"Results of the upgrade 
operation","value":[{"id":"package-policy-id-1","name":"nginx-1","success":true}]}},"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"body":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"id":{"type":"string"},"name":{"type":"string"},"statusCode":{"type":"number"},"success":{"type":"boolean"}},"required":["id","success"]},"maxItems":10000,"type":"array"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Upgrade a package policy","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/package_policies\/upgrade\/dryrun":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/package_policies\/upgrade\/dryrun<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nPreview the changes that would be applied by upgrading a package policy to a newer package version.<br\/><br\/>[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.","operationId":"post-fleet-package-policies-upgrade-dryrun","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postDryRunPackagePoliciesRequestExample":{"description":"Dry run an upgrade of a package policy","value":{"packagePolicyIds":["package-policy-id-1"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"packagePolicyIds":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"packageVersion":{"type":"string"}},"required":["packagePolicyIds"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postDryRunPackagePoliciesExample":{"description":"Preview of the package policy upgrade diff","value":[{"diff":[{"id":"package-policy-id-1","name":"nginx-1","package":{"name":"nginx","version":"1.20.0"}},{"name":"nginx-1","package":{"name":"nginx","version":"1.21.0"}}],"hasErrors":false,"name":"nginx-1"}]}},"schema":{"items":{"additionalProperties":false,"type":"object","properties":{"agent_diff":{"items":{"items":{"additionalProperties":true,"type":"object","properties":{"data_stream":{"additionalProperties":true,"type":"object","properties":{"namespace":{"type":"string"}},"required":["namespace"]},"id":{"type":"string"},"meta":{"additionalProperties":true,"type":"object","properties":{"package":{"additionalProperties":true,"type":"object","properties":{"name":{"type":"string"},"version":{"type":"string"}},"required":["name","version"]}},"required":["package"]},"name":{"type":"string"},"package_policy_id":{"type":"string"},"processors":{"items":{"additionalProperties":true,"type":"object","properties":{"add_fields":{"additionalProperties":true,"type":"object","properties":{"fields":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"}]},"type":"object"},"target":{"type":"string"}},"required":["target","fields"]}},"required":["add_fields"]},"maxItems":10000,"type":"array"},"revision":{"type":"number"},"streams":{"items":{"additionalProperties":true,"type":"object
","properties":{"data_stream":{"additionalProperties":true,"type":"object","properties":{"dataset":{"type":"string"},"type":{"type":"string"}},"required":["dataset"]},"id":{"type":"string"}},"required":["data_stream"]},"maxItems":10000,"type":"array"},"type":{"type":"string"},"use_output":{"type":"string"}},"required":["id","name","revision","type","data_stream","use_output","package_policy_id"]},"maxItems":10000,"type":"array"},"maxItems":1,"type":"array"},"body":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]},"diff":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"agents":{"type":"number"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"type":"string"},"inputs":{"anyOf":[{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that input. Defaults to `true` (enabled).","type":"boolean"},"streams":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"description":"Enable or disable that stream. Defaults to `true` (enabled).","type":"boolean"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object"}}},"description":"Input streams. Refer to the integration documentation to know which streams are available.","type":"object"},"vars":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. Refer to the integration documentation for more information.","type":"object"}}},"description":"Package policy inputs. Refer to the integration documentation to know which inputs are available.","type":"object","x-oas-optional":true}],"description":"Package policy inputs."},"is_managed":{"type":"boolean"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. 
The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"description":"Package policy revision.","type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"spaceIds":{"items":{"type":"string"},"maxItems":100,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud 
connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"anyOf":[{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"items":{"type":"string"},"maxItems":100,"type":"array"},{"items":{"type":"number"},"maxItems":100,"type":"array"},{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"isSecretRef":{"type":"boolean"}},"required":["id","isSecretRef"]}],"nullable":true},"description":"Input\/stream level variable. 
Refer to the integration documentation for more information.","type":"object","x-oas-optional":true}],"description":"Package level variable."},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs","revision","updated_at","updated_by","created_at","created_by"]},{"additionalProperties":true,"type":"object","properties":{"additional_datastreams_permissions":{"description":"Additional datastream permissions, that will be added to the agent policy.","items":{"type":"string"},"maxItems":1000,"nullable":true,"type":"array"},"cloud_connector_id":{"description":"ID of the cloud connector associated with this package policy.","nullable":true,"type":"string"},"cloud_connector_name":{"description":"Transient field for cloud connector name during creation.","maxLength":255,"minLength":1,"nullable":true,"type":"string"},"created_at":{"type":"string"},"created_by":{"type":"string"},"description":{"description":"Package policy description","type":"string"},"elasticsearch":{"additionalProperties":true,"type":"object","properties":{"privileges":{"additionalProperties":true,"type":"object","properties":{"cluster":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"enabled":{"type":"boolean"},"errors":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"message":{"type":"string"}},"required":["message"]},"maxItems":10,"type":"array"},"force":{"type":"boolean"},"global_data_tags":{"items":{"additionalProperties":false,"type":"object","properties":{"name":{"description":"The name of the custom field. 
Cannot contain spaces.","type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}],"description":"The value of the custom field."}},"required":["name","value"]},"maxItems":100,"nullable":true,"type":"array"},"id":{"type":"string"},"inputs":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_input":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"name":{"type":"string"},"policy_template":{"type":"string"},"streams":{"items":{"additionalProperties":false,"type":"object","properties":{"compiled_stream":{"nullable":true},"config":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more 
information)","type":"object"},"data_stream":{"additionalProperties":false,"type":"object","properties":{"dataset":{"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"dynamic_dataset":{"type":"boolean"},"dynamic_namespace":{"type":"boolean"},"privileges":{"additionalProperties":false,"type":"object","properties":{"indices":{"items":{"type":"string"},"maxItems":100,"type":"array"}}}}},"type":{"type":"string"}},"required":["dataset"]},"deprecated":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"replaced_by":{"additionalProperties":{"type":"string"},"type":"object"},"since":{"type":"string"}},"required":["description"]},"enabled":{"type":"boolean"},"id":{"type":"string"},"keep_enabled":{"type":"boolean"},"migrate_from":{"type":"string"},"release":{"enum":["ga","beta","experimental"],"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["enabled","data_stream","compiled_stream"]},"maxItems":1000,"type":"array"},"type":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"}},"required":["type","enabled","streams","compiled_input"]},"maxItems":100,"type":"array"},"is_managed":{"type":"boolean"},"missingVars":{"items":{"type":"string"},"maxItems":100,"type":"array"},"name":{"description":"Unique name for the package policy.","type":"string"},"namespace":{"description":"The package policy namespace. Leave blank to inherit the agent policy's namespace.","type":"string"},"output_id":{"nullable":true,"type":"string"},"overrides":{"additionalProperties":false,"description":"Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.","nullable":true,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"type":"object"}}},"package":{"additionalProperties":false,"type":"object","properties":{"experimental_data_stream_features":{"items":{"additionalProperties":false,"type":"object","properties":{"data_stream":{"type":"string"},"features":{"additionalProperties":false,"type":"object","properties":{"doc_value_only_numeric":{"type":"boolean"},"doc_value_only_other":{"type":"boolean"},"synthetic_source":{"type":"boolean"},"tsdb":{"type":"boolean"}}}},"required":["data_stream","features"]},"maxItems":100,"type":"array"},"fips_compatible":{"type":"boolean"},"name":{"description":"Package name","type":"string"},"requires_root":{"type":"boolean"},"title":{"type":"string"},"version":{"description":"Package 
version","type":"string"}},"required":["name","version"]},"package_agent_version_condition":{"type":"string"},"policy_id":{"deprecated":true,"description":"ID of the agent policy which the package policy will be added to.","nullable":true,"type":"string"},"policy_ids":{"items":{"description":"IDs of the agent policies which that package policy will be added to.","type":"string"},"maxItems":1000,"type":"array"},"revision":{"type":"number"},"secret_references":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":1000,"type":"array"},"supports_agentless":{"default":false,"description":"Indicates whether the package policy belongs to an agentless agent policy.","nullable":true,"type":"boolean"},"supports_cloud_connector":{"default":false,"description":"Indicates whether the package policy supports cloud connectors.","nullable":true,"type":"boolean"},"updated_at":{"type":"string"},"updated_by":{"type":"string"},"var_group_selections":{"additionalProperties":{"type":"string"},"description":"Variable group selections. 
Maps var_group name to the selected option name within that group.","type":"object"},"vars":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"frozen":{"type":"boolean"},"type":{"type":"string"},"value":{"nullable":true}},"required":["value"]},"description":"Package variable (see integration documentation for more information)","type":"object"},"version":{"description":"Package policy ES version.","type":"string"}},"required":["name","enabled","inputs"]}]},"maxItems":2,"type":"array"},"hasErrors":{"type":"boolean"},"name":{"type":"string"},"statusCode":{"type":"number"}},"required":["hasErrors"]},"maxItems":10000,"type":"array"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Dry run a package policy upgrade","tags":["Fleet package policies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/proxies":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/proxies<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList all Fleet proxies.<br\/><br\/>[Required authorization] Route required privileges: 
fleet-settings-read.","operationId":"get-fleet-proxies","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getFleetProxiesExample":{"description":"List of Fleet proxies","value":{"items":[{"id":"proxy-id-1","is_preconfigured":false,"name":"My proxy","url":"http:\/\/proxy.example.com:3128"}],"page":1,"perPage":20,"total":1}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"id":{"type":"string"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["id","url","name"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get proxies","tags":["Fleet proxies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/proxies<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new Fleet proxy.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"post-fleet-proxies","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postFleetProxyRequestExample":{"description":"Create a new Fleet proxy","value":{"name":"My proxy","url":"http:\/\/proxy.example.com:3128"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"id":{"type":"string"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["url","name"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postFleetProxyExample":{"description":"The created Fleet proxy","value":{"item":{"id":"proxy-id-2","is_preconfigured":false,"name":"My 
proxy","url":"http:\/\/proxy.example.com:3128"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"id":{"type":"string"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["id","url","name"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Create a proxy","tags":["Fleet proxies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/proxies\/{itemId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/proxies\/{itemId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a proxy by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"delete-fleet-proxies-itemid","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"deleteFleetProxyExample":{"description":"The Fleet proxy was successfully deleted","value":{"id":"proxy-id-1"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No proxy was found with the given ID","value":{"error":"Not Found","message":"Fleet proxy proxy-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Delete a proxy","tags":["Fleet proxies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/proxies\/{itemId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a proxy by ID.<br\/><br\/>[Required authorization] Route required privileges: 
fleet-settings-read.","operationId":"get-fleet-proxies-itemid","parameters":[{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getFleetProxyExample":{"description":"A Fleet proxy","value":{"item":{"id":"proxy-id-1","is_preconfigured":false,"name":"My proxy","url":"http:\/\/proxy.example.com:3128"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"id":{"type":"string"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["id","url","name"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No proxy was found with the given ID","value":{"error":"Not Found","message":"Fleet proxy proxy-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Get a proxy","tags":["Fleet proxies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/proxies\/{itemId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a proxy by ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"put-fleet-proxies-itemid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"itemId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putFleetProxyRequestExample":{"description":"Update a Fleet proxy","value":{"name":"Updated proxy","url":"http:\/\/updated-proxy.example.com:3128"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["certificate_authorities","certificate","certificate_key"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putFleetProxyExample":{"description":"The updated Fleet proxy","value":{"item":{"id":"proxy-id-1","is_preconfigured":false,"name":"Updated 
proxy","url":"http:\/\/updated-proxy.example.com:3128"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"certificate":{"nullable":true,"type":"string"},"certificate_authorities":{"nullable":true,"type":"string"},"certificate_key":{"nullable":true,"type":"string"},"id":{"type":"string"},"is_preconfigured":{"default":false,"type":"boolean"},"name":{"type":"string"},"proxy_headers":{"additionalProperties":{"anyOf":[{"type":"string"},{"type":"boolean"},{"type":"number"}]},"nullable":true,"type":"object"},"url":{"type":"string"}},"required":["id","url","name"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No proxy was found with the given ID","value":{"error":"Not Found","message":"Proxy proxy-id-1 not found","statusCode":404}}}}},"description":"Not Found"}},"summary":"Update a proxy","tags":["Fleet proxies"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/service_tokens":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/service_tokens<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\nCreate a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"post-fleet-service-tokens","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"postGenerateServiceTokenRequestExample":{"description":"Generate a service token for a remote Fleet Server","value":{"remote":true}}},"schema":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"remote":{"default":false,"type":"boolean"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"postGenerateServiceTokenExample":{"description":"The generated Fleet Server service token","value":{"name":"elastic\/fleet-server\/token-1234567890","value":"AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"}},"required":["name","value"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Create a service token","tags":["Fleet service tokens"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/fleet\/settings":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/settings<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the global Fleet settings.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-read.","operationId":"get-fleet-settings","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getSettingsExample":{"description":"The current Fleet settings","value":{"item":{"delete_unenrolled_agents":{"enabled":false,"is_preconfigured":false},"has_seen_add_data_notice":true,"id":"fleet-default-settings","output_secret_storage_requirements_met":true,"prerelease_integrations_enabled":false,"secret_storage_requirements_met":true,"version":"WzEsMV0="}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"action_secret_storage_requirements_met":{"type":"boolean"},"delete_unenrolled_agents":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"is_preconfigured":{"type":"boolean"}},"required":["enabled","is_preconfigured"]},"download_source_auth_secret_storage_requirements_met":{"type":"boolean"},"has_seen_add_data_notice":{"type":"boolean"},"id":{"type":"string"},"ilm_migration_status":{"additionalProperties":false,"type":"object","properties":{"logs":{"enum":["success"],"nullable":true,"type":"string"},"metrics":{"enum":["success"],"nullable":true,"type":"string"},"synthetics":{"enum":["success"],"nullable":true,"type":"string"}}},"integration_knowledge_enabled":{"type":"boolean"},"output_secret_storage_requirements_met":{"type":"boolean"},"preconfigured_fields":{"items":{"enum":["fleet_server_hosts"],"type":"string"},"maxItems":1,"type
":"array"},"prerelease_integrations_enabled":{"type":"boolean"},"secret_storage_requirements_met":{"type":"boolean"},"ssl_secret_storage_requirements_met":{"type":"boolean"},"use_space_awareness_migration_started_at":{"nullable":true,"type":"string"},"use_space_awareness_migration_status":{"enum":["pending","success","error"],"type":"string"},"version":{"type":"string"}}}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"Fleet settings have not been initialized","value":{"error":"Not Found","message":"Settings not found","statusCode":404}}},"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Not Found"}},"summary":"Get settings","tags":["Fleet internals"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/settings<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate the global Fleet settings.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"put-fleet-settings","parameters":[{"description":"A 
required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putSettingsRequestExample":{"description":"Update Fleet settings to enable pre-release integrations","value":{"prerelease_integrations_enabled":true}}},"schema":{"additionalProperties":false,"type":"object","properties":{"additional_yaml_config":{"deprecated":true,"type":"string"},"delete_unenrolled_agents":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"is_preconfigured":{"type":"boolean"}},"required":["enabled","is_preconfigured"]},"has_seen_add_data_notice":{"deprecated":true,"type":"boolean"},"integration_knowledge_enabled":{"type":"boolean"},"kibana_ca_sha256":{"deprecated":true,"type":"string"},"kibana_urls":{"deprecated":true,"items":{"format":"uri","type":"string"},"maxItems":10,"type":"array"},"prerelease_integrations_enabled":{"type":"boolean"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putSettingsExample":{"description":"The updated Fleet 
settings","value":{"item":{"delete_unenrolled_agents":{"enabled":false,"is_preconfigured":false},"has_seen_add_data_notice":true,"id":"fleet-default-settings","output_secret_storage_requirements_met":true,"prerelease_integrations_enabled":true,"secret_storage_requirements_met":true,"version":"WzIsMV0="}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"action_secret_storage_requirements_met":{"type":"boolean"},"delete_unenrolled_agents":{"additionalProperties":false,"type":"object","properties":{"enabled":{"type":"boolean"},"is_preconfigured":{"type":"boolean"}},"required":["enabled","is_preconfigured"]},"download_source_auth_secret_storage_requirements_met":{"type":"boolean"},"has_seen_add_data_notice":{"type":"boolean"},"id":{"type":"string"},"ilm_migration_status":{"additionalProperties":false,"type":"object","properties":{"logs":{"enum":["success"],"nullable":true,"type":"string"},"metrics":{"enum":["success"],"nullable":true,"type":"string"},"synthetics":{"enum":["success"],"nullable":true,"type":"string"}}},"integration_knowledge_enabled":{"type":"boolean"},"output_secret_storage_requirements_met":{"type":"boolean"},"preconfigured_fields":{"items":{"enum":["fleet_server_hosts"],"type":"string"},"maxItems":1,"type":"array"},"prerelease_integrations_enabled":{"type":"boolean"},"secret_storage_requirements_met":{"type":"boolean"},"ssl_secret_storage_requirements_met":{"type":"boolean"},"use_space_awareness_migration_started_at":{"nullable":true,"type":"string"},"use_space_awareness_migration_status":{"enum":["pending","success","error"],"type":"string"},"version":{"type":"string"}}}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went 
wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"Fleet settings have not been initialized","value":{"error":"Not Found","message":"Settings not found","statusCode":404}}},"schema":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Not Found"}},"summary":"Update settings","tags":["Fleet internals"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/setup":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/setup<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInitialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). 
Returns the initialization status and any non-fatal errors encountered during setup.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.","operationId":"post-fleet-setup","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"fleetSetupSuccessExample":{"description":"Fleet initialized successfully with no non-fatal errors","value":{"isInitialized":true,"nonFatalErrors":[]}},"fleetSetupWithNonFatalErrorsExample":{"description":"Fleet initialized but encountered non-fatal errors during setup","value":{"isInitialized":true,"nonFatalErrors":[{"message":"Package fleet_server not found in registry","name":"PackageNotFoundError"}]}}},"schema":{"additionalProperties":false,"description":"A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. 
`nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.","type":"object","properties":{"isInitialized":{"type":"boolean"},"nonFatalErrors":{"items":{"additionalProperties":false,"type":"object","properties":{"message":{"type":"string"},"name":{"type":"string"}},"required":["name","message"]},"maxItems":10000,"type":"array"}},"required":["isInitialized","nonFatalErrors"]}}},"description":"Fleet setup completed"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"500":{"content":{"application\/json":{"examples":{"internalErrorResponseExample":{"description":"Example of an internal server error response","value":{"error":"Internal Server Error","message":"An error message describing what went wrong","statusCode":500}}},"schema":{"additionalProperties":false,"description":"Internal Server Error","type":"object","properties":{"message":{"type":"string"}},"required":["message"]}}},"description":"Internal Server Error"}},"summary":"Initiate Fleet setup","tags":["Fleet internals"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/space_settings":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/space_settings<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the Fleet settings for the 
current Kibana space.","operationId":"get-fleet-space-settings","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getSpaceSettingsExample":{"description":"The Fleet settings for the current Kibana space","value":{"item":{"allowed_namespace_prefixes":["team-a","team-b"]}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"allowed_namespace_prefixes":{"items":{"type":"string"},"maxItems":100,"type":"array"},"managed_by":{"type":"string"}},"required":["allowed_namespace_prefixes"]}},"required":["item"]}}},"description":"Successful response"}},"summary":"Get space settings","tags":[],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/space_settings<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate or update Fleet settings for the current Kibana space.<br\/><br\/>[Required authorization] Route required privileges: fleet-settings-all.","operationId":"put-fleet-space-settings","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"putSpaceSettingsRequestExample":{"description":"Update allowed namespace prefixes for the current Kibana 
space","value":{"allowed_namespace_prefixes":["team-a","team-b"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"allowed_namespace_prefixes":{"items":{"type":"string"},"maxItems":10,"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"putSpaceSettingsExample":{"description":"The updated Fleet settings for the current Kibana space","value":{"item":{"allowed_namespace_prefixes":["team-a","team-b"]}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"allowed_namespace_prefixes":{"items":{"type":"string"},"maxItems":100,"type":"array"},"managed_by":{"type":"string"}},"required":["allowed_namespace_prefixes"]}},"required":["item"]}}},"description":"Successful response"}},"summary":"Create space settings","tags":[],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/uninstall_tokens":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/uninstall_tokens<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList the metadata for the latest uninstall tokens per agent policy.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"get-fleet-uninstall-tokens","parameters":[{"description":"Partial match filtering for policy IDs","in":"query","name":"policyId","required":false,"schema":{"maxLength":50,"type":"string"}},{"in":"query","name":"search","required":false,"schema":{"maxLength":50,"type":"string"}},{"description":"The number of items to 
return","in":"query","name":"perPage","required":false,"schema":{"minimum":5,"type":"number"}},{"in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"number"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getUninstallTokensExample":{"description":"List of uninstall token metadata for agent policies","value":{"items":[{"created_at":"2024-01-01T00:00:00.000Z","id":"token-id-1","namespaces":["default"],"policy_id":"policy-id-1","policy_name":"Default policy"},{"created_at":"2024-01-02T00:00:00.000Z","id":"token-id-2","namespaces":["production"],"policy_id":"policy-id-2","policy_name":"Production policy"}],"page":1,"perPage":20,"total":2}}},"schema":{"additionalProperties":false,"type":"object","properties":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"created_at":{"type":"string"},"id":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"policy_id":{"type":"string"},"policy_name":{"nullable":true,"type":"string"}},"required":["id","policy_id","created_at"]},"maxItems":10000,"type":"array"},"page":{"type":"number"},"perPage":{"type":"number"},"total":{"type":"number"}},"required":["items","total","page","perPage"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"conflictingQueryParamsExample":{"description":"Both policyId and search query parameters were provided","value":{"error":"Bad Request","message":"Query parameters `policyId` and `search` cannot be used at the same time.","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"}},"summary":"Get metadata for latest uninstall tokens","tags":["Fleet uninstall 
tokens"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/fleet\/uninstall_tokens\/{uninstallTokenId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/fleet\/uninstall_tokens\/{uninstallTokenId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet one decrypted uninstall token by its ID.<br\/><br\/>[Required authorization] Route required privileges: fleet-agents-all.","operationId":"get-fleet-uninstall-tokens-uninstalltokenid","parameters":[{"in":"path","name":"uninstallTokenId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getUninstallTokenExample":{"description":"Decrypted uninstall token for an agent policy","value":{"item":{"created_at":"2024-01-01T00:00:00.000Z","id":"token-id-1","namespaces":["default"],"policy_id":"policy-id-1","policy_name":"Default policy","token":"CKHJsJcBqNwIRcRBNDaE"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"item":{"additionalProperties":false,"type":"object","properties":{"created_at":{"type":"string"},"id":{"type":"string"},"namespaces":{"items":{"type":"string"},"maxItems":100,"type":"array"},"policy_id":{"type":"string"},"policy_name":{"nullable":true,"type":"string"},"token":{"type":"string"}},"required":["id","policy_id","created_at","token"]}},"required":["item"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"genericErrorResponseExample":{"description":"Example of a generic error response","value":{"error":"Bad Request","message":"An error message describing what went wrong","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Generic 
Error","type":"object","properties":{"attributes":{"nullable":true},"error":{"type":"string"},"errorType":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}},"required":["message","attributes"]}}},"description":"Bad Request"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No uninstall token was found with the given ID","value":{"error":"Not Found","message":"Uninstall Token not found with ID token-id-1","statusCode":404}}}}},"description":"Not Found"}},"summary":"Get a decrypted uninstall token","tags":["Fleet uninstall tokens"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/lists":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a value list using the list ID.\n> info\n> When you delete a list, all of its list items are also deleted.\n","operationId":"DeleteList","parameters":[{"description":"Value list identifier to delete, including all of its list items.","in":"query","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"}},{"description":"Determines whether exception items referencing this value list should be deleted.","in":"query","name":"deleteReferences","required":false,"schema":{"default":false,"example":false,"type":"boolean"}},{"description":"Determines whether to delete the value list without performing any additional checks of where this list may be 
utilized.","in":"query","name":"ignoreReferences","required":false,"schema":{"default":false,"example":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"ipList":{"value":{"_version":"WzIsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"List of bad internet ips.","id":"21b01cfb-058d-44b9-838c-282be16c91cd","immutable":false,"name":"Bad ips","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T05:39:39.292Z","updated_by":"elastic","version":3}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: id: Required","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [DELETE \/api\/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges 
response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"list id: \\\"ip_list\\\" was not found","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete a value list","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of a value list using the list ID.","operationId":"ReadList","parameters":[{"description":"Value list identifier (`id`) returned when the list was created.","in":"query","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"ip":{"value":{"_version":"WzEsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"This list describes bad internet ip","id":"ip_list","immutable":false,"name":"My bad ips","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T05:21:53.843Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: id: 
Required","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"list id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get value list details","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb patch\">patch<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/lists<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate specific fields of an existing list using the list `id`.","operationId":"PatchList","requestBody":{"content":{"application\/json":{"examples":{"patchName":{"value":{"id":"ip_list","name":"Bad ips list - UPDATED"}}},"schema":{"example":{"id":"ip_list","name":"Bad ips list - UPDATED"},"type":"object","properties":{"_version":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListVersionId"},"description":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListDescription"},"id":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"},"meta":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListName"},"version":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListVersion"}},"required":["id"]}}},"description":"Value list's properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ip":{"value":{"_version":"WzEsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"This list describes bad internet ips","id":"ip_list","immutable":false,"name":"Bad ips list - UPDATED","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T05:21:53.843Z","updated_by":"elastic","version":2}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: name: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data 
response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PATCH \/api\/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"list id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Patch a value list","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new value 
list.","operationId":"CreateList","requestBody":{"content":{"application\/json":{"examples":{"ip":{"value":{"description":"This list describes bad internet ips","id":"ip_list","name":"Simple list with ips","type":"ip"}},"ip_range":{"value":{"description":"This list has ip ranges","id":"ip_range_list","name":"Simple list with ip ranges","type":"ip_range"}},"keyword":{"value":{"description":"This list describes bad host names","id":"keyword_list","name":"Simple list with a keyword","type":"keyword"}},"keyword_custom_format":{"value":{"description":"This parses the first found ipv4 only","id":"keyword_custom_format_list","name":"Simple list with a keyword using a custom format","type":"keyword"}}},"schema":{"type":"object","properties":{"description":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListDescription"},"id":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"},"meta":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListName"},"type":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListType"},"version":{"default":1,"minimum":1,"type":"integer"}},"required":["name","description","type"]}}},"description":"Value list's properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ip":{"value":{"_version":"WzAsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"This list describes bad internet ips","id":"ip_list","immutable":false,"name":"Simple list with ips","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T04:47:34.273Z","updated_by":"elastic","version":1}},"ip_range":{"value":{"_version":"WzAsMV0=","@timestamp":"2025-01-09T18:23:52.241Z","created_at":"2025-01-09T18:23:52.241Z","created_by":"elastic","description":"This list has ip ranges","id":"ip_range_list","immutable":false,"name":"Simple list with ip 
ranges","tie_breaker_id":"74aebdaf-601f-4940-b351-155728ff7003","type":"ip_range","updated_at":"2025-01-09T18:23:52.241Z","updated_by":"elastic","version":1}},"keyword":{"value":{"_version":"WzEsMV0=","@timestamp":"2025-01-09T18:24:55.786Z","created_at":"2025-01-09T18:24:55.786Z","created_by":"elastic","description":"This list describes bad host names","id":"keyword_list","immutable":false,"name":"Simple list with a keyword","tie_breaker_id":"f7e7dbaa-daf7-4c9a-a3dc-56643923ef68","type":"keyword","updated_at":"2025-01-09T18:24:55.786Z","updated_by":"elastic","version":1}},"keyword_custom_format":{"value":{"_version":"WzIsMV0=","@timestamp":"2025-01-09T18:25:39.604Z","created_at":"2025-01-09T18:25:39.604Z","created_by":"elastic","description":"This parses the first found ipv4 only","id":"keyword_custom_format_list","immutable":false,"name":"Simple list with a keyword using a custom format","tie_breaker_id":"8247ae63-b780-47b8-9a89-948b643e9ec2","type":"keyword","updated_at":"2025-01-09T18:25:39.604Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"To create a list, the data stream must exist first. 
Data stream \\\".lists-default\\\" does not exist","status_code":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application\/json":{"examples":{"alreadyExists":{"value":{"message":"list id: \"keyword_custom_format_list\" already exists","status_code":409}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List already exists response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create a value list","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted.\n> info\n> You cannot modify the `id` value.\n","operationId":"UpdateList","requestBody":{"content":{"application\/json":{"examples":{"replaceList":{"value":{"description":"Latest list of bad ips","id":"ip_list","name":"Bad ips - updated"}}},"schema":{"example":{"description":"Latest list of bad ips","id":"ip_list","name":"Bad ips - updated"},"type":"object","properties":{"_version":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListVersionId"},"description":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListDescription"},"id":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"},"meta":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListName"},"version":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListVersion"}},"required":["id","name","description"]}}},"description":"Value list's properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ip":{"value":{"_version":"WzIsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"Latest list of bad ips","id":"ip_list","immutable":false,"name":"Bad ips - updated","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T05:39:39.292Z","updated_by":"elastic","version":3}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: id: Expected string, received 
number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PUT \/api\/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"list id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Update a value list","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/lists\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/lists\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a paginated subset of value lists. By default, the first page is returned, with 20 results per page.","operationId":"FindLists","parameters":[{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"example":1,"type":"integer"}},{"description":"The number of value lists to return per page.","in":"query","name":"per_page","required":false,"schema":{"example":20,"type":"integer"}},{"description":"Determines which field is used to sort the results.","in":"query","name":"sort_field","required":false,"schema":{"example":"name","format":"nonempty","minLength":1,"type":"string"}},{"description":"Determines the sort order, which can be `desc` or `asc`","in":"query","name":"sort_order","required":false,"schema":{"enum":["desc","asc"],"example":"asc","type":"string"}},{"description":"Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). 
This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly.","in":"query","name":"cursor","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_FindListsCursor"}},{"description":"Filters the returned results according to the value of the specified field,\nusing the <field name>:<field value> syntax.\n","in":"query","name":"filter","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_FindListsFilter"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"ipList":{"value":{"cursor":"WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d","data":[{"_version":"WzAsMV0=","@timestamp":"2025-01-08T04:47:34.273Z\n","created_at":"2025-01-08T04:47:34.273Z\n","created_by":"elastic","description":"This list describes bad internet ip","id":"ip_list","immutable":false,"name":"Simple list with an ip","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T04:47:34.273Z\n","updated_by":"elastic","version":1}],"page":1,"per_page":20,"total":1}}},"schema":{"type":"object","properties":{"cursor":{"$ref":"#\/components\/schemas\/Security_Lists_API_FindListsCursor"},"data":{"items":{"$ref":"#\/components\/schemas\/Security_Lists_API_List"},"type":"array"},"page":{"minimum":0,"type":"integer"},"per_page":{"minimum":0,"type":"integer"},"total":{"minimum":0,"type":"integer"}},"required":["data","page","per_page","total","cursor"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request query]: page: Expected number, received nan","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data 
response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/lists\/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get value lists","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/lists\/index":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/index<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete the `.lists` and `.items` data streams.","operationId":"DeleteListIndex","responses":{"200":{"content":{"application\/json":{"examples":{"acknowledged":{"value":{"acknowledged":true}}},"schema":{"type":"object","properties":{"acknowledged":{"type":"boolean"}},"required":["acknowledged"]}}},"description":"Successful 
response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"message":"Unable to delete value list data streams: invalid or missing index metadata","status_code":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [DELETE \/api\/lists\/index] is not authorized; lists-all (or equivalent) is required to delete data streams","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"The value list data stream was not found in this space","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List data stream not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete value list data streams","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/index<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nVerify that `.lists` and `.items` data streams exist.","operationId":"ReadListIndex","responses":{"200":{"content":{"application\/json":{"examples":{"bothExist":{"value":{"list_index":true,"list_item_index":true}}},"schema":{"type":"object","properties":{"list_index":{"type":"boolean"},"list_item_index":{"type":"boolean"}},"required":["list_index","list_item_index"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"message":"Unable to read value list data stream status for this space","status_code":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/lists\/index] is not authorized; list read permissions are required","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges 
response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"Value list backing indices were not found for this space","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List data stream(s) not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get status of value list data streams","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"deprecated":true,"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/index<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\n**DEPRECATED.** `deprecated: true` is set on this operation. Value list backing data streams for the space\nare now created as part of supported workflows; calling this explicitly is rarely required.\n**WARNING:** Do not use for new integrations. Prefer the UI or the list and list-item APIs after confirming\nindices exist with `GET \/api\/lists\/index`.\n\nCreates the `.lists` and `.items` data streams in the current Kibana space.\n","operationId":"CreateListIndex","responses":{"200":{"content":{"application\/json":{"examples":{"acknowledged":{"value":{"acknowledged":true}}},"schema":{"type":"object","properties":{"acknowledged":{"type":"boolean"}},"required":["acknowledged"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"message":"Indices exist but the request could not be completed for the current space. 
Check that Elasticsearch and Kibana privileges allow index creation for lists.","status_code":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]\n","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/lists\/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application\/json":{"examples":{"alreadyExists":{"value":{"message":"data stream: \\\".lists-default\\\" and \\\".items-default\\\" already exists","status_code":409}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List data stream exists response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create list data streams","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/lists\/items":{"delete":{"description":"**Spaces 
method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a value list item using its `id`, or its `list_id` and `value` fields.","operationId":"DeleteListItem","parameters":[{"description":"Value list item's identifier. Required if `list_id` and `value` are not specified.","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemId"}},{"description":"Value list's identifier. Required if `id` is not specified.","in":"query","name":"list_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"}},{"description":"The value used to evaluate exceptions. Required if `id` is not specified.","in":"query","name":"value","required":false,"schema":{"example":"255.255.255.255","type":"string"}},{"description":"Determines when changes made by the request are made visible to search.","in":"query","name":"refresh","required":false,"schema":{"default":"false","enum":["true","false","wait_for"],"example":false,"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"ip":{"value":{"_version":"WzIwLDFd","@timestamp":"2025-01-08T05:15:05.159Z","created_at":"2025-01-08T05:15:05.159Z","created_by":"elastic","id":"pd1WRJQBs4HAK3VQeHFI","list_id":"ip_list","tie_breaker_id":"eee41dc7-1666-4876-982f-8b0f7b59eca3","type":"ip","updated_at":"2025-01-08T05:44:14.009Z","updated_by":"elastic","value":"255.255.255.255"}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItem"},{"items":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItem"},"type":"array"}]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"message":"Either \\\"list_id\\\" or \\\"id\\\" 
needs to be defined in the request","status_code":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [DELETE \/api\/lists\/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"list item with id: \\\"pd1WRJQBs4HAK3VQeHFI\\\" not found","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List item not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Delete a value list item","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
get<\/span>&nbsp;">
get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of a value list item.","operationId":"ReadListItem","parameters":[{"description":"Value list item identifier. Required if `list_id` and `value` are not specified.","in":"query","name":"id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"}},{"description":"Value list item list's `id` identifier. Required if `id` is not specified.","in":"query","name":"list_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"}},{"description":"The value used to evaluate exceptions. Required if `id` is not specified.","in":"query","name":"value","required":false,"schema":{"example":"127.0.0.2","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"ip":{"value":{"_version":"WzExLDFd","@timestamp":"2025-01-08T05:16:25.882Z","created_at":"2025-01-08T05:16:25.882Z","created_by":"elastic","id":"qN1XRJQBs4HAK3VQs3Gc","list_id":"ip_list","tie_breaker_id":"a9a34c02-a385-436e-86a0-02a3942f3537","type":"ip","updated_at":"2025-01-08T05:16:25.882Z","updated_by":"elastic","value":"127.0.0.2"}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItem"},{"items":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItem"},"type":"array"}]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"message":"Either \\\"list_id\\\" or \\\"id\\\" needs to be defined in the request","status_code":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data 
response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/lists\/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"list item id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List item not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get a value list item","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb patch\">patch<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate specific fields of an existing value list item using the item 
`id`.","operationId":"PatchListItem","requestBody":{"content":{"application\/json":{"examples":{"changeValue":{"value":{"id":"pd1WRJQBs4HAK3VQeHFI","value":"255.255.255.255"}}},"schema":{"type":"object","properties":{"_version":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListVersionId"},"id":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemId"},"meta":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemMetadata"},"refresh":{"description":"Determines when changes made by the request are made visible to search.","enum":["true","false","wait_for"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemValue"}},"required":["id"]}}},"description":"Value list item's properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ipItem":{"value":{"_version":"WzE5LDFd","@timestamp":"2025-01-08T05:15:05.159Z","created_at":"2025-01-08T05:15:05.159Z","created_by":"elastic","id":"pd1WRJQBs4HAK3VQeHFI","list_id":"ip_list","tie_breaker_id":"eee41dc7-1666-4876-982f-8b0f7b59eca3","type":"ip","updated_at":"2025-01-08T05:23:37.602Z","updated_by":"elastic","value":"255.255.255.255"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItem"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"message":"{\"took\":15,\"timed_out\":false,\"total\":1,\"updated\":0,\"deleted\":0,\"batches\":1,\"version_conflicts\":0,\"noops\":0,\"retries\":{\"bulk\":0,\"search\":0},\"throttled_millis\":0,\"requests_per_second\":-1,\"throttled_until_millis\":0,\"failures\":[{\"index\":\".ds-.items-default-2025.01.09-000001\",\"id\":\"ip_item\",\"cause\":{\"type\":\"document_parsing_exception\",\"reason\":\"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. 
Preview of fields value: 2\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"2 is not an IP string literal.\"}},\"status\":400}]}","status_code":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PATCH \/api\/lists\/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"list item id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List item not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Patch a value list item","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and 
path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a value list item and associate it with the specified value list.\n\nAll value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address.\n> info\n> Before creating a list item, you must create a list.\n","operationId":"CreateListItem","requestBody":{"content":{"application\/json":{"examples":{"ip":{"value":{"list_id":"ip_list","value":"127.0.0.1"}},"ip_range":{"value":{"list_id":"ip_range_list","value":"192.168.0.0\/16"}},"keyword":{"value":{"list_id":"keyword_list","value":"zeek"}}},"schema":{"type":"object","properties":{"id":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemId"},"list_id":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"},"meta":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemMetadata"},"refresh":{"description":"Determines when changes made by the request are made visible to search.","enum":["true","false","wait_for"],"example":"wait_for","type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemValue"}},"required":["list_id","value"]}}},"description":"Value list item's 
properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ip":{"value":{"_version":"WzAsMV0=","@timestamp":"2025-01-08T04:59:06.154Z","created_at":"2025-01-08T04:59:06.154Z","created_by":"elastic","id":"21b01cfb-058d-44b9-838c-282be16c91cc","list_id":"ip_list","tie_breaker_id":"b57c762c-3036-465c-9bfb-7bfb5e6e515a","type":"ip","updated_at":"2025-01-08T04:59:06.154Z","updated_by":"elastic","value":"127.0.0.1"}},"ip_range":{"value":{"_version":"WzEsMV0=","@timestamp":"2025-01-09T18:33:08.202Z","created_at":"2025-01-09T18:33:08.202Z","created_by":"elastic","id":"ip_range_item","list_id":"ip_range_list","tie_breaker_id":"ea1b4189-efda-4637-b8f9-74655a5ebb61","type":"ip_range","updated_at":"2025-01-09T18:33:08.202Z","updated_by":"elastic","value":"192.168.0.0\/16"}},"keyword":{"value":{"_version":"WzIsMV0=","@timestamp":"2025-01-09T18:34:29.422Z","created_at":"2025-01-09T18:34:29.422Z","created_by":"elastic","id":"7f24737d-1da8-4626-a568-33070591bb4e","list_id":"keyword_list","tie_breaker_id":"2108ced2-5e5d-401e-a88e-4dd69fc5fa27","type":"keyword","updated_at":"2025-01-09T18:34:29.422Z","updated_by":"elastic","value":"zeek"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItem"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"uri [\/api\/lists\/items] with method [post] exists but is not available with the current configuration","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: 
unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/lists\/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"listNotFound":{"value":{"message":"list id: \\\"ip_list\\\" does not exist","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application\/json":{"examples":{"alreadyExists":{"value":{"message":"list item id: \\\"ip_item\\\" already exists","status_code":409}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List item already exists response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Create a value list item","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/items<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a value list item using the list item ID. 
The original list item is replaced, and all unspecified fields are deleted.\n> info\n> You cannot modify the `id` value.\n","operationId":"UpdateListItem","requestBody":{"content":{"application\/json":{"examples":{"fullReplace":{"value":{"id":"ip_item","value":"255.255.255.255"}}},"schema":{"example":{"id":"ip_item","value":"255.255.255.255"},"type":"object","properties":{"_version":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListVersionId"},"id":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemId"},"meta":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemMetadata"},"value":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemValue"}},"required":["id","value"]}}},"description":"Value list item's properties","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ip":{"value":{"_version":"WzIwLDFd","@timestamp":"2025-01-08T05:15:05.159Z","created_at":"2025-01-08T05:15:05.159Z","created_by":"elastic","id":"pd1WRJQBs4HAK3VQeHFI","list_id":"ip_list","tie_breaker_id":"eee41dc7-1666-4876-982f-8b0f7b59eca3","type":"ip","updated_at":"2025-01-08T05:44:14.009Z","updated_by":"elastic","value":"255.255.255.255"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItem"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"[request body]: id: Expected string, received number","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST 
request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [PATCH \/api\/lists\/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"list item id: \\\"foo\\\" not found","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List item not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Update a value list item","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/lists\/items\/_export":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/items\/_export<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nExport list item values from the specified value list.","operationId":"ExportListItems","parameters":[{"description":"Value list's `id` to 
export.","in":"query","name":"list_id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"}}],"responses":{"200":{"content":{"application\/ndjson":{"examples":{"ipLines":{"value":"127.0.0.1\n127.0.0.2\n127.0.0.3\n"}},"schema":{"description":"A `.txt` file containing list items from the specified list","example":"127.0.0.1\n127.0.0.2\n127.0.0.3\n127.0.0.4\n127.0.0.5\n127.0.0.6\n127.0.0.7\n127.0.0.8\n127.0.0.9\n","format":"binary","type":"string"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request\",\"message\":\"[request query]: list_id: Required","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/lists\/items\/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"404":{"content":{"application\/json":{"examples":{"notFound":{"value":{"message":"list id: \"unknown_list\" not 
found","status_code":404}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List not found response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Export value list items","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/lists\/items\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/items\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet all value list items in the specified list.","operationId":"FindListItems","parameters":[{"description":"Parent value list's `id` to page through items for.","in":"query","name":"list_id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"example":1,"type":"integer"}},{"description":"The number of list items to return per page.","in":"query","name":"per_page","required":false,"schema":{"example":20,"type":"integer"}},{"description":"Determines which field is used to sort the results.","in":"query","name":"sort_field","required":false,"schema":{"example":"value","format":"nonempty","minLength":1,"type":"string"}},{"description":"Determines the sort order, which can be `desc` or `asc`","in":"query","name":"sort_order","required":false,"schema":{"enum":["desc","asc"],"example":"asc","type":"string"}},{"description":"Opaque cursor returned in a previous response; pass it to continue listing from the next page. 
Omit on the first request.\n","in":"query","name":"cursor","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_FindListItemsCursor"}},{"description":"Filters the returned results according to the value of the specified field,\nusing the <field name>:<field value> syntax.\n","in":"query","name":"filter","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_FindListItemsFilter"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"ip":{"value":{"cursor":"WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d","data":[{"_version":"WzAsMV0=","@timestamp":"2025-01-08T04:59:06.154Z","created_at":"2025-01-08T04:59:06.154Z","created_by":"elastic","id":"21b01cfb-058d-44b9-838c-282be16c91cc","list_id":"ip_list","tie_breaker_id":"b57c762c-3036-465c-9bfb-7bfb5e6e515a","type":"ip","updated_at":"2025-01-08T04:59:06.154Z","updated_by":"elastic","value":"127.0.0.1"}],"page":1,"per_page":20,"total":1}}},"schema":{"type":"object","properties":{"cursor":{"$ref":"#\/components\/schemas\/Security_Lists_API_FindListItemsCursor"},"data":{"items":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItem"},"type":"array"},"page":{"minimum":0,"type":"integer"},"per_page":{"minimum":0,"type":"integer"},"total":{"minimum":0,"type":"integer"}},"required":["data","page","per_page","total","cursor"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request,","message":"[request query]: list_id: Required","statusCode":"400,"}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] 
for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/lists\/items\/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get value list items","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/lists\/items\/_import":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/items\/_import<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nImport value list items from a TXT or CSV file. 
The maximum file size is 9 million bytes.\n\nYou can import items to a new or existing list.\n","operationId":"ImportListItems","parameters":[{"description":"List's id.\n\nRequired when importing to an existing list.\n","in":"query","name":"list_id","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"}},{"description":"Type of the importing list.\n\nRequired when importing a new list whose list `id` is not specified.\n","examples":{"ip":{"value":"ip"}},"in":"query","name":"type","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListType"}},{"description":"Determines when changes made by the request are made visible to search.","in":"query","name":"refresh","required":false,"schema":{"enum":["true","false","wait_for"],"example":true,"type":"string"}}],"requestBody":{"content":{"multipart\/form-data":{"examples":{"ipLinesFile":{"value":{"file":"list_values.txt"}}},"schema":{"type":"object","properties":{"file":{"description":"A `.txt` or `.csv` file containing newline separated list items.","example":"127.0.0.1\n127.0.0.2\n127.0.0.3\n127.0.0.4\n127.0.0.5\n127.0.0.6\n127.0.0.7\n127.0.0.8\n127.0.0.9\n","format":"binary","type":"string"}}}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ip":{"value":{"_version":"WzAsMV0=","@timestamp":"2025-01-08T04:47:34.273Z","created_at":"2025-01-08T04:47:34.273Z","created_by":"elastic","description":"This list describes bad internet ip","id":"ip_list","immutable":false,"name":"Simple list with an ip","tie_breaker_id":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"ip","updated_at":"2025-01-08T04:47:34.273Z","updated_by":"elastic","version":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_List"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"message":"Either type or list_id need to be defined in the 
query","status_code":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [POST \/api\/lists\/items\/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"409":{"content":{"application\/json":{"examples":{"conflict":{"value":{"message":"List with the specified list_id does not exist, create the list or fix list_id to import to an existing one","status_code":409}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"List with specified list_id does not exist response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Import value list items","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/lists\/privileges":{"get":{"description":"**Spaces method 
and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/lists\/privileges<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReturns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application`\nprivileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list\nAPIs (`read` vs `all` operations) are available before you create or import lists.\n","operationId":"ReadListPrivileges","responses":{"200":{"content":{"application\/json":{"examples":{"privileges":{"value":{"is_authenticated":true,"listItems":{"application":{},"cluster":{"all":true,"manage":true,"manage_api_key":true,"manage_index_templates":true,"manage_ml":true,"manage_own_api_key":true,"manage_pipeline":true,"manage_security":true,"manage_transform":true,"monitor":true,"monitor_ml":true,"monitor_transform":true},"has_all_requested":true,"index":{".items-default":{"all":true,"create":true,"create_doc":true,"create_index":true,"delete":true,"delete_index":true,"index":true,"maintenance":true,"manage":true,"monitor":true,"read":true,"view_index_metadata":true,"write":true}},"username":"elastic"},"lists":{"application":{},"cluster":{"all":true,"manage":true,"manage_api_key":true,"manage_index_templates":true,"manage_ml":true,"manage_own_api_key":true,"manage_pipeline":true,"manage_security":true,"manage_transform":true,"monitor":true,"monitor_ml":true,"monitor_transform":true},"has_all_requested":true,"index":{".lists-default":{"all":true,"create":true,"create_doc":true,"create_index":true,"delete":true,"delete_index":true,"index":true,"maintenance":true,"manage":true,"monitor":true,"read":true,"view_index_metadata":true,"write":true}},"username":"elastic"}}}},"schema":{"type":"object","properties":{"is_authenticated":{"type":"boolean"},"listItems":{"$ref":"#\/components\/schem
as\/Security_Lists_API_ListItemPrivileges"},"lists":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListPrivileges"}},"required":["lists","listItems","is_authenticated"]}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequest":{"value":{"error":"Bad Request","message":"Unable to resolve list privileges: invalid or missing space context for this request","statusCode":400}}},"schema":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"},{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}]}}},"description":"Invalid input data response"},"401":{"content":{"application\/json":{"examples":{"unauthorized":{"value":{"error":"Unauthorized","message":"[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastic] for REST request [\/_security\/_authenticate]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Unsuccessful authentication response"},"403":{"content":{"application\/json":{"examples":{"forbidden":{"value":{"error":"Forbidden","message":"API [GET \/api\/lists\/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_PlatformErrorResponse"}}},"description":"Not enough privileges response"},"500":{"content":{"application\/json":{"examples":{"serverError":{"value":{"message":"Internal Server Error","status_code":500}}},"schema":{"$ref":"#\/components\/schemas\/Security_Lists_API_SiemErrorResponse"}}},"description":"Internal server error response"}},"summary":"Get value list privileges","tags":["Security Lists API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/maintenance_window":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/maintenance_window<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: write-maintenance-window.","operationId":"post-maintenance-window","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createMaintenanceWindowRequest":{"description":"Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query.\n","summary":"Create a maintenance window","value":{"enabled":true,"schedule":{"custom":{"duration":"2h","recurring":{"every":"1w","occurrences":10,"onWeekDay":["MO","WE"]},"start":"2025-03-01T08:00:00.000Z","timezone":"Europe\/Amsterdam"}},"scope":{"alerting":{"query":{"kql":"kibana.alert.tags: \"infra\""}}},"title":"Weekly Maintenance Window"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. 
For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","minimum":1,"type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"maximum":12,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"maximum":31,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"minItems":1,"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL). 
Only alerts matching this query will be suppressed by the maintenance window.","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"title":{"description":"The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window.","type":"string"}},"required":["title","schedule"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"createMaintenanceWindowResponse":{"description":"The response returned when a maintenance window is successfully created.\n","summary":"Create a maintenance window response","value":{"created_at":"2025-02-25T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"f0cb1780-537a-4e34-8adf-3b4336862858","schedule":{"custom":{"duration":"2h","recurring":{"every":"1w","occurrences":10,"onWeekDay":["MO","WE"]},"start":"2025-03-01T08:00:00.000Z","timezone":"Europe\/Amsterdam"}},"scope":{"alerting":{"query":{"kql":"kibana.alert.tags: \"infra\""}}},"status":"upcoming","title":"Weekly Maintenance Window","updated_at":"2025-02-25T10:00:00.000Z","updated_by":"elastic"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. 
For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. 
The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Create a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/maintenance_window\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/maintenance_window\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: read-maintenance-window.","operationId":"get-maintenance-window-find","parameters":[{"description":"The title of the maintenance 
window.","in":"query","name":"title","required":false,"schema":{"type":"string"}},{"description":"The user who created the maintenance window.","in":"query","name":"created_by","required":false,"schema":{"type":"string"}},{"description":"The status of the maintenance window. It can be \"running\", \"upcoming\", \"finished\", \"archived\", or \"disabled\".","in":"query","name":"status","required":false,"schema":{"items":{"enum":["running","finished","upcoming","archived","disabled"],"type":"string"},"type":"array"}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"default":1,"maximum":100,"minimum":1,"type":"number"}},{"description":"The number of maintenance windows to return per page.","in":"query","name":"per_page","required":false,"schema":{"default":10,"maximum":100,"minimum":1,"type":"number"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"findMaintenanceWindowsResponse":{"description":"The response returned when maintenance windows are successfully found.\n","summary":"Find maintenance windows response","value":{"maintenanceWindows":[{"created_at":"2025-02-25T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"f0cb1780-537a-4e34-8adf-3b4336862858","schedule":{"custom":{"duration":"2h","recurring":{"every":"1w","occurrences":10,"onWeekDay":["MO","WE"]},"start":"2025-03-01T08:00:00.000Z","timezone":"Europe\/Amsterdam"}},"scope":{"alerting":{"query":{"kql":"kibana.alert.tags: \"infra\""}}},"status":"upcoming","title":"Weekly Maintenance Window","updated_at":"2025-02-25T10:00:00.000Z","updated_by":"elastic"},{"created_at":"2025-03-10T09:00:00.000Z","created_by":"elastic","enabled":true,"id":"a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29","schedule":{"custom":{"duration":"1h","recurring":{"end":"2025-12-31T00:00:00.000Z","every":"2w","onWeekDay":["FR"]},"start":"2025-04-01T10:00:00.000Z","timezone":"US\/Eastern"}},"scope":{"alerting":{"query":{"kql":"kibana.alert.tags: 
\"database\""}}},"status":"upcoming","title":"Database Upgrade Window","updated_at":"2025-03-15T14:30:00.000Z","updated_by":"elastic"}],"page":1,"per_page":10,"total":2}}},"schema":{"additionalProperties":false,"type":"object","properties":{"maintenanceWindows":{"description":"The list of maintenance windows.","items":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. 
Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]},"type":"array"},"page":{"description":"The current page number.","type":"number"},"per_page":{"description":"The number of maintenance windows returned per page.","type":"number"},"total":{"description":"The total number of maintenance windows that match the 
query.","type":"number"}},"required":["page","per_page","total","maintenanceWindows"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."}},"summary":"Search for a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/maintenance_window\/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/maintenance_window\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: write-maintenance-window.","operationId":"delete-maintenance-window-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the maintenance window to be deleted.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a maintenance window with the given ID does not exist."}},"summary":"Delete a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/maintenance_window\/{id}<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: read-maintenance-window.","operationId":"get-maintenance-window-id","parameters":[{"description":"The identifier for the maintenance window.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getMaintenanceWindowResponse":{"description":"The response returned when a maintenance window is successfully retrieved.\n","summary":"Get a maintenance window response","value":{"created_at":"2025-02-25T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"f0cb1780-537a-4e34-8adf-3b4336862858","schedule":{"custom":{"duration":"2h","recurring":{"every":"1w","occurrences":10,"onWeekDay":["MO","WE"]},"start":"2025-03-01T08:00:00.000Z","timezone":"Europe\/Amsterdam"}},"scope":{"alerting":{"query":{"kql":"kibana.alert.tags: \"infra\""}}},"status":"upcoming","title":"Weekly Maintenance Window","updated_at":"2025-02-25T10:00:00.000Z","updated_by":"elastic"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. 
For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. 
The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a maintenance window with the given ID does not exist."}},"summary":"Get maintenance window details.","tags":["maintenance-window"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb patch\">patch<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/maintenance_window\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: 
write-maintenance-window.","operationId":"patch-maintenance-window-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the maintenance window.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"updateMaintenanceWindowRequest":{"description":"Update a maintenance window to change its title, schedule, and scope.\n","summary":"Update a maintenance window","value":{"enabled":true,"schedule":{"custom":{"duration":"1h","recurring":{"end":"2025-12-31T00:00:00.000Z","every":"2w","onWeekDay":["FR"]},"start":"2025-04-01T10:00:00.000Z","timezone":"US\/Eastern"}},"scope":{"alerting":{"query":{"kql":"kibana.alert.tags: \"database\""}}},"title":"Updated maintenance window"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. 
For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","minimum":1,"type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"maximum":12,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"maximum":31,"minimum":1,"type":"number"},"minItems":1,"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"minItems":1,"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL). Only alerts matching this query will be suppressed by the maintenance window.","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"title":{"description":"The name of the maintenance window. 
While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window.","type":"string"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"updateMaintenanceWindowResponse":{"description":"The response returned when a maintenance window is successfully updated.\n","summary":"Update a maintenance window response","value":{"created_at":"2025-02-25T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"f0cb1780-537a-4e34-8adf-3b4336862858","schedule":{"custom":{"duration":"1h","recurring":{"end":"2025-12-31T00:00:00.000Z","every":"2w","onWeekDay":["FR"]},"start":"2025-04-01T10:00:00.000Z","timezone":"US\/Eastern"}},"scope":{"alerting":{"query":{"kql":"kibana.alert.tags: \"database\""}}},"status":"upcoming","title":"Updated maintenance window","updated_at":"2025-03-15T14:30:00.000Z","updated_by":"elastic"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. 
For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. 
The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a maintenance window with the given ID does not exist."},"409":{"description":"Indicates that the maintenance window has already been updated by another user."}},"summary":"Update a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/maintenance_window\/{id}\/_archive":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/maintenance_window\/{id}\/_archive<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\n[Required authorization] Route required privileges: write-maintenance-window.","operationId":"post-maintenance-window-id-archive","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the maintenance window to be archived.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"archiveMaintenanceWindowResponse":{"description":"The response returned when a maintenance window is successfully archived.\n","summary":"Archive a maintenance window response","value":{"created_at":"2025-02-25T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"f0cb1780-537a-4e34-8adf-3b4336862858","schedule":{"custom":{"duration":"2h","recurring":{"every":"1w","occurrences":10,"onWeekDay":["MO","WE"]},"start":"2025-03-01T08:00:00.000Z","timezone":"Europe\/Amsterdam"}},"scope":{"alerting":{"query":{"kql":"kibana.alert.tags: \"infra\""}}},"status":"archived","title":"Weekly Maintenance Window","updated_at":"2025-02-25T10:00:00.000Z","updated_by":"elastic"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `<integer><unit>` format. 
`<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. 
The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a maintenance window with the given ID does not exist."}},"summary":"Archive a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/maintenance_window\/{id}\/_unarchive":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/maintenance_window\/{id}\/_unarchive<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\n[Required authorization] Route required privileges: 
write-maintenance-window.","operationId":"post-maintenance-window-id-unarchive","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The identifier for the maintenance window to be unarchived.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"unarchiveMaintenanceWindowResponse":{"description":"The response returned when a maintenance window is successfully unarchived.\n","summary":"Unarchive a maintenance window response","value":{"created_at":"2025-02-25T10:00:00.000Z","created_by":"elastic","enabled":true,"id":"f0cb1780-537a-4e34-8adf-3b4336862858","schedule":{"custom":{"duration":"2h","recurring":{"every":"1w","occurrences":10,"onWeekDay":["MO","WE"]},"start":"2025-03-01T08:00:00.000Z","timezone":"Europe\/Amsterdam"}},"scope":{"alerting":{"query":{"kql":"kibana.alert.tags: \"infra\""}}},"status":"upcoming","title":"Weekly Maintenance Window","updated_at":"2025-02-25T10:00:00.000Z","updated_by":"elastic"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"created_at":{"description":"The date and time when the maintenance window was created.","type":"string"},"created_by":{"description":"The identifier for the user that created the maintenance window.","nullable":true,"type":"string"},"enabled":{"description":"Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.","type":"boolean"},"id":{"description":"The identifier for the maintenance window.","type":"string"},"schedule":{"additionalProperties":false,"type":"object","properties":{"custom":{"additionalProperties":false,"type":"object","properties":{"duration":{"description":"The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, seconds. 
For example: `1d`, `5h`, `30m`, `5000s`.","type":"string"},"recurring":{"additionalProperties":false,"type":"object","properties":{"end":{"description":"The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.","type":"string"},"every":{"description":"The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.","type":"string"},"occurrences":{"description":"The total number of recurrences of the schedule.","type":"number"},"onMonth":{"description":"The specific months for a recurring schedule. Valid values are 1-12.","items":{"type":"number"},"type":"array"},"onMonthDay":{"description":"The specific days of the month for a recurring schedule. Valid values are 1-31.","items":{"type":"number"},"type":"array"},"onWeekDay":{"description":"The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.","items":{"type":"string"},"type":"array"}}},"start":{"description":"The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.","type":"string"},"timezone":{"description":"The timezone of the schedule. 
The default timezone is UTC.","type":"string"}},"required":["start","duration"]}},"required":["custom"]},"scope":{"additionalProperties":false,"type":"object","properties":{"alerting":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql"]}},"required":["query"]}},"required":["alerting"]},"status":{"description":"The current status of the maintenance window.","enum":["running","upcoming","finished","archived","disabled"],"type":"string"},"title":{"description":"The name of the maintenance window.","type":"string"},"updated_at":{"description":"The date and time when the maintenance window was last updated.","type":"string"},"updated_by":{"description":"The identifier for the user that last updated this maintenance window.","nullable":true,"type":"string"}},"required":["id","title","enabled","created_by","updated_by","created_at","updated_at","status","schedule"]}}},"description":"Indicates a successful call."},"400":{"description":"Indicates an invalid schema or parameters."},"403":{"description":"Indicates that this call is forbidden."},"404":{"description":"Indicates a maintenance window with the given ID does not exist."}},"summary":"Unarchive a maintenance window.","tags":["maintenance-window"],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/ml\/saved_objects\/sync":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/ml\/saved_objects\/sync<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSynchronizes Kibana saved objects for machine learning jobs and trained models in the default space. 
You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.\n","operationId":"mlSync","parameters":[{"$ref":"#\/components\/parameters\/Machine_learning_APIs_simulateParam"}],"responses":{"200":{"content":{"application\/json":{"examples":{"syncExample":{"$ref":"#\/components\/examples\/Machine_learning_APIs_mlSyncExample"}},"schema":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSync200Response"}}},"description":"Indicates a successful call"},"401":{"content":{"application\/json":{"examples":{"syncExample":{"$ref":"#\/components\/examples\/Machine_learning_APIs_mlSync401Example"}},"schema":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSync4xxResponse"}}},"description":"Authorization information is missing or invalid."}},"summary":"Sync saved objects in the default space","tags":["ml"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/ml\/saved_objects\/update_jobs_spaces":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/ml\/saved_objects\/update_jobs_spaces<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a list of jobs to add and\/or remove them from given 
spaces.","operationId":"mlUpdateJobsSpaces","requestBody":{"content":{"application\/json":{"examples":{"updateADJobSpacesRequest":{"value":{"jobIds":["test-job"],"jobType":"anomaly-detector","spacesToAdd":["default"],"spacesToRemove":["*"]}},"updateDFAJobSpacesRequest":{"value":{"jobIds":["test-job"],"jobType":"data-frame-analytics","spacesToAdd":["default"],"spacesToRemove":["*"]}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"successADResponse":{"value":{"test-job":{"success":true,"type":"anomaly-detector"}}},"successDFAResponse":{"value":{"test-job":{"success":true,"type":"data-frame-analytics"}}}}}},"description":"Indicates a successful call"}},"summary":"Update jobs spaces","tags":["ml"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/ml\/saved_objects\/update_trained_models_spaces":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/ml\/saved_objects\/update_trained_models_spaces<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a list of trained models to add and\/or remove them from given spaces.","operationId":"mlUpdateTrainedModelsSpaces","requestBody":{"content":{"application\/json":{"examples":{"updateTrainedModelsSpacesRequest":{"value":{"modelIds":["test-model"],"spacesToAdd":["default"],"spacesToRemove":["*"]}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"successTMResponse":{"value":{"test-model":{"success":true,"type":"trained-model"}}}}}},"description":"Indicates a successful call"}},"summary":"Update trained models spaces","tags":["ml"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/note":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/note<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDeletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body.\n\nThe response has HTTP 200 with an empty body on success.\n\nRequires the **Timeline and Notes** write privilege (`notes_write`).\n","operationId":"DeleteNote","requestBody":{"content":{"application\/json":{"examples":{"deleteOne":{"summary":"Delete a single note by id","value":{"noteId":"709f99c6-89b6-4953-9160-35945c8e174e"}}},"schema":{"oneOf":[{"nullable":true,"type":"object","properties":{"noteId":{"description":"Saved object ID of the note to delete.","type":"string"}},"required":["noteId"]},{"nullable":true,"type":"object","properties":{"noteIds":{"description":"Saved object IDs of the notes to delete.","items":{"type":"string"},"nullable":true,"type":"array"}},"required":["noteIds"]}]}}},"description":"Exactly one shape: `{ \"noteId\": \"<id>\" }` for a single delete, or `{ \"noteIds\": [\"<id>\", ...] }` for bulk delete.\n`noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible.\n","required":true},"responses":{"200":{"description":"The notes were deleted successfully. Response body is empty."}},"summary":"Delete one or more notes","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/note<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nReturns Security Timeline notes as saved objects.\n\n**Query modes (mutually exclusive branches on the server):**\n\n1. 
**`documentIds` is set** \u2014 Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes).\n\n2. **`savedObjectIds` is set** \u2014 Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied.\n\n3. **Neither `documentIds` nor `savedObjectIds`** \u2014 Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`.\n\nRequires the **Timeline and Notes** read privilege (`notes_read`).\n","operationId":"GetNotes","parameters":[{"description":"Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`\/`perPage`.\n","examples":{"multiple":{"summary":"Multiple document ids (array)","value":["id-one","id-two"]},"single":{"summary":"Single document id","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b"}},"in":"query","name":"documentIds","schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_DocumentIds"}},{"description":"Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned.\n","examples":{"singleTimeline":{"summary":"Single timeline id","value":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}},"in":"query","name":"savedObjectIds","schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedObjectIds"}},{"description":"Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). 
Passed as a string; default 1.\n","example":"1","in":"query","name":"page","schema":{"nullable":true,"type":"string"}},{"description":"Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10.\n","example":"20","in":"query","name":"perPage","schema":{"nullable":true,"type":"string"}},{"description":"Search string for saved-objects find (list mode only).","in":"query","name":"search","schema":{"nullable":true,"type":"string"}},{"description":"Field to sort by for saved-objects find (list mode only).","in":"query","name":"sortField","schema":{"nullable":true,"type":"string"}},{"description":"Sort order (`asc` or `desc`) for saved-objects find (list mode only).","example":"desc","in":"query","name":"sortOrder","schema":{"nullable":true,"type":"string"}},{"description":"Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only).\n","in":"query","name":"filter","schema":{"nullable":true,"type":"string"}},{"description":"Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only).\n","example":"f1c2d3e4-5b6a-7890-abcd-ef1234567890","in":"query","name":"createdByFilter","schema":{"nullable":true,"type":"string"}},{"description":"Restricts notes by how they relate to a Timeline and\/or an event document (list mode only). Some values apply extra filtering after the query. 
Ignored when `documentIds` or `savedObjectIds` is used.\n","in":"query","name":"associatedFilter","schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_AssociatedFilterType"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"notesPage":{"summary":"Paged notes for a timeline","value":{"notes":[{"eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"Escalated to tier-2 analyst","noteId":"709f99c6-89b6-4953-9160-35945c8e174e","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzQ2LDFd"}],"totalCount":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_GetNotesResult"}}},"description":"Notes and total count for the requested mode."}},"summary":"Get notes","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb patch\">patch<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/note<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreates a new note or updates an existing one.\n\n**Create:** Send `note` and omit `noteId` to create a new saved object.\n\n**Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. 
Optionally include `version` for optimistic concurrency when the client has it from a prior read.\n\nRequires the **Timeline and Notes** write privilege (`notes_write`).\n","externalDocs":{"description":"Add or update a note on a Timeline","url":"https:\/\/www.elastic.co\/guide\/en\/security\/current\/timeline-api-update.html"},"operationId":"PersistNoteRoute","requestBody":{"content":{"application\/json":{"examples":{"addNote":{"summary":"Add a note on an event","value":{"note":{"eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"Escalated to tier-2 analyst","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}}}},"schema":{"type":"object","properties":{"note":{"$ref":"#\/components\/schemas\/Security_Timeline_API_BareNote","description":"Note payload (timeline, text, optional event linkage, metadata)."},"noteId":{"description":"The `savedObjectId` of the note to update. Omit when creating a new note.","example":"709f99c6-89b6-4953-9160-35945c8e174e","nullable":true,"type":"string"},"version":{"description":"Saved object version string from a previous read; optional on update.","example":"WzQ2LDFd","nullable":true,"type":"string"}},"required":["note"]}}},"description":"Body must include the `note` object. 
For updates, include `noteId` (and optionally `version`).\nTo attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules.\n","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"persisted":{"summary":"Persisted note wrapper","value":{"note":{"eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","note":"Escalated to tier-2 analyst","noteId":"709f99c6-89b6-4953-9160-35945c8e174e","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzQ2LDFd"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_ResponseNote"}}},"description":"The persisted note, including `noteId` and `version`."}},"summary":"Add or update a note","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/observability_ai_assistant\/chat\/complete":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/observability_ai_assistant\/chat\/complete<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new chat completion by using the Observability AI Assistant.\n\nThe API returns the model's response based on the current conversation context.\n\nIt also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM).\n\nThis functionality is in technical preview and may be changed or removed in a future release. 
Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n","operationId":"observability-ai-assistant-chat-complete","requestBody":{"content":{"application\/json":{"examples":{"chatCompleteRequestExample":{"$ref":"#\/components\/examples\/Observability_AI_Assistant_API_ChatCompleteRequestExample"}},"schema":{"type":"object","properties":{"actions":{"items":{"$ref":"#\/components\/schemas\/Observability_AI_Assistant_API_Function"},"type":"array"},"connectorId":{"description":"A unique identifier for the connector.","type":"string"},"conversationId":{"description":"A unique identifier for the conversation if you are continuing an existing conversation.","type":"string"},"disableFunctions":{"description":"Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made.","type":"boolean"},"instructions":{"description":"An array of instruction objects, which can be either simple strings or detailed objects.","items":{"$ref":"#\/components\/schemas\/Observability_AI_Assistant_API_Instruction"},"type":"array"},"messages":{"description":"An array of message objects containing the conversation history.","items":{"$ref":"#\/components\/schemas\/Observability_AI_Assistant_API_Message"},"type":"array"},"persist":{"description":"Indicates whether the conversation should be saved to storage. 
If true, the conversation will be saved and will be available in Kibana.","type":"boolean"},"title":{"description":"A title for the conversation.","type":"string"}},"required":["messages","connectorId","persist"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"chatCompleteResponseExample":{"$ref":"#\/components\/examples\/Observability_AI_Assistant_API_ChatCompleteResponseExample"}},"schema":{"type":"object"}}},"description":"Successful response"}},"summary":"Generate a chat completion","tags":["observability_ai_assistant"],"x-codeSamples":[{"lang":"cURL","source":"curl --request POST 'localhost:5601\/api\/observability_ai_assistant\/chat\/complete' -u <username>:<password> -H 'kbn-xsrf: true' -H \"Content-Type: application\/json\" --data '\n{\n\"connectorId\": \"<connectorId>\",\n\"disableFunctions\": false,\n  \"messages\": [\n    {\n      \"@timestamp\": \"2025-06-25T23:45:00.000Z\",\n      \"message\": {\n        \"role\": \"user\",\n        \"content\": \"Is my Elasticsearch cluster healthy right now?\"\n      }\n    }\n  ],\n\"persist\": false,\n\"actions\": [\n  {\n    \"name\": \"get_cluster_health\",\n    \"description\": \"Fetch the current Elasticsearch cluster-health status and key metrics.\",\n    \"parameters\": {\n      \"type\": \"object\",\n      \"properties\": {\n        \"includeShardStats\": {\n          \"type\": \"boolean\",\n          \"default\": false\n        }\n      }\n    }\n  }\n],\n\"instructions\": [\"When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English.\"]\n}'\n"}],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/history":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/history<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination.\n","operationId":"OsqueryGetUnifiedHistory","parameters":[{"description":"The number of results to return per page.","in":"query","name":"pageSize","required":false,"schema":{"default":20,"description":"The number of results to return per page.","maximum":100,"minimum":1,"type":"integer"}},{"description":"A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page.","in":"query","name":"nextPage","required":false,"schema":{"description":"A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page.","type":"string"}},{"description":"A search string to filter history entries by pack name, query text, or query ID.","in":"query","name":"kuery","required":false,"schema":{"description":"A search string to filter history entries by pack name, query text, or query ID.","type":"string"}},{"description":"Comma-separated list of user IDs to filter live query history.","in":"query","name":"userIds","required":false,"schema":{"description":"Comma-separated list of user IDs to filter live query history.","example":"elastic,admin","type":"string"}},{"description":"Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`.","in":"query","name":"sourceFilters","required":false,"schema":{"description":"Comma-separated list of source types to include. 
Valid values are `live`, `rule`, and `scheduled`.","example":"live,scheduled","type":"string"}},{"description":"The start of the time range filter (ISO 8601).","in":"query","name":"startDate","required":false,"schema":{"description":"The start of the time range filter (ISO 8601).","example":"2024-01-01T00:00:00Z","type":"string"}},{"description":"The end of the time range filter (ISO 8601).","in":"query","name":"endDate","required":false,"schema":{"description":"The end of the time range filter (ISO 8601).","example":"2024-12-31T23:59:59Z","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"unifiedHistoryExample":{"summary":"Example unified history response","value":{"data":[{"actionId":"609c4c66-ba3d-43fa-afdd-53e244577aa0","agentCount":5,"errorCount":0,"id":"3c42c847-eb30-4452-80e0-728584042334","queryName":"uptime_query","queryText":"select * from uptime;","source":"Live","sourceType":"live","successCount":5,"timestamp":"2024-07-26T09:59:32.220Z","totalRows":42,"userId":"elastic"},{"agentCount":10,"errorCount":1,"executionCount":3,"id":"pack_my_pack_uptime_3","packId":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d","packName":"My Pack","plannedTime":"2024-07-26T09:00:00.000Z","queryName":"uptime","queryText":"select * from uptime;","scheduleId":"pack_my_pack_uptime","source":"Scheduled","sourceType":"scheduled","successCount":9,"timestamp":"2024-07-26T09:00:00.000Z","totalRows":100}],"hasMore":true,"nextPage":"eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3..."}}},"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_GetUnifiedHistoryResponse"}}},"description":"Indicates a successful call."}},"summary":"Get unified query history","tags":["Security Osquery API"],"x-state":"Generally available; Added in 9.4.0","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/live_queries":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/live_queries<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all live queries.","operationId":"OsqueryFindLiveQueries","parameters":[{"description":"A KQL search string to filter live queries.","in":"query","name":"kuery","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_KueryOrUndefined"}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageOrUndefined"}},{"description":"The number of results to return per page.","in":"query","name":"pageSize","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageSizeOrUndefined"}},{"description":"The field to sort results by.","in":"query","name":"sort","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrUndefined"}},{"description":"The sort order.","in":"query","name":"sortOrder","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrderOrUndefined"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_FindLiveQueryResponse"}}},"description":"Indicates a successful call."}},"summary":"Get live queries","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/live_queries<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate and run a live 
query.","operationId":"OsqueryCreateLiveQuery","requestBody":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_CreateLiveQueryRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_CreateLiveQueryResponse"}}},"description":"Indicates a successful call."}},"summary":"Create a live query","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/live_queries\/{id}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/live_queries\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of a live query using the query ID.","operationId":"OsqueryGetLiveQueryDetails","parameters":[{"description":"The ID of the live query.","in":"path","name":"id","required":true,"schema":{"description":"The ID of the live query result you want to retrieve.","example":"3c42c847-eb30-4452-80e0-728584042334","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_FindLiveQueryDetailsResponse"}}},"description":"Indicates a successful call."}},"summary":"Get live query details","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/live_queries\/{id}\/results\/{actionId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/live_queries\/{id}\/results\/{actionId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for 
more information.\n\nGet the results of a live query using the query action ID.","operationId":"OsqueryGetLiveQueryResults","parameters":[{"description":"The ID of the live query.","in":"path","name":"id","required":true,"schema":{"description":"The ID of the live query result you want to retrieve.","example":"3c42c847-eb30-4452-80e0-728584042334","type":"string"}},{"description":"The ID of the query action.","in":"path","name":"actionId","required":true,"schema":{"description":"The ID of the query action that generated the live query results.","example":"609c4c66-ba3d-43fa-afdd-53e244577aa0","type":"string"}},{"description":"A KQL search string to filter results.","in":"query","name":"kuery","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_KueryOrUndefined"}},{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageOrUndefined"}},{"description":"The number of results to return per page.","in":"query","name":"pageSize","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageSizeOrUndefined"}},{"description":"The field to sort results by.","in":"query","name":"sort","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrUndefined"}},{"description":"The sort order.","in":"query","name":"sortOrder","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrderOrUndefined"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_GetLiveQueryResultsResponse"}}},"description":"Indicates a successful call."}},"summary":"Get live query results","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/packs":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/packs<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all query packs.","operationId":"OsqueryFindPacks","parameters":[{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageOrUndefined"}},{"description":"The number of results to return per page.","in":"query","name":"pageSize","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageSizeOrUndefined"}},{"description":"The field to sort results by.","in":"query","name":"sort","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrUndefined"}},{"description":"The sort order.","in":"query","name":"sortOrder","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrderOrUndefined"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_FindPacksResponse"}}},"description":"Indicates a successful call."}},"summary":"Get packs","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/packs<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a query 
pack.","operationId":"OsqueryCreatePacks","requestBody":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_CreatePacksRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_CreatePacksResponse"}}},"description":"Indicates a successful call."}},"summary":"Create a pack","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/packs\/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/packs\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a query pack using the pack ID.","operationId":"OsqueryDeletePacks","parameters":[{"description":"The pack ID.","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackId"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"example":{},"type":"object","properties":{}}}},"description":"Indicates a successful call."}},"summary":"Delete a pack","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/packs\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of a query pack using the pack ID.","operationId":"OsqueryGetPacksDetails","parameters":[{"description":"The pack 
ID.","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackId"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_FindPackResponse"}}},"description":"Indicates a successful call."}},"summary":"Get pack details","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/packs\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a query pack using the pack ID.\n> info\n> You cannot update a prebuilt pack.\n","operationId":"OsqueryUpdatePacks","parameters":[{"description":"The pack ID.","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackId"}}],"requestBody":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_UpdatePacksRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_UpdatePacksResponse"}}},"description":"Indicates a successful call."}},"summary":"Update a pack","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/packs\/{id}\/copy":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/packs\/{id}\/copy<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a copy of a query pack with a unique name by appending a `_copy` suffix. 
If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`.","operationId":"OsqueryCopyPacks","parameters":[{"description":"The ID of the pack to copy.","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackId"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"copyPackExample":{"summary":"Example response for copying a pack","value":{"data":{"created_at":"2025-02-26T13:37:30.452Z","created_by":"elastic","description":"My pack","enabled":false,"name":"my_pack_copy","policy_ids":[],"queries":[{"ecs_mapping":[{"key":"client.port","value":{"field":"port"}}],"id":"ports","interval":60,"query":"SELECT * FROM listening_ports;","removed":false,"snapshot":true,"timeout":120}],"saved_object_id":"1c266590-381f-428c-878f-c80c1334f856","shards":[],"updated_at":"2025-02-26T13:37:30.452Z","updated_by":"elastic"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_CopyPacksResponse"}}},"description":"Indicates a successful call."}},"summary":"Copy a pack","tags":["Security Osquery API"],"x-state":"Generally available; Added in 9.4.0","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/saved_queries":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/saved_queries<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all saved queries.","operationId":"OsqueryFindSavedQueries","parameters":[{"description":"The page number to return.","in":"query","name":"page","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageOrUndefined"}},{"description":"The number of results to return per 
page.","in":"query","name":"pageSize","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageSizeOrUndefined"}},{"description":"The field to sort results by.","in":"query","name":"sort","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrUndefined"}},{"description":"The sort order.","in":"query","name":"sortOrder","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrderOrUndefined"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_FindSavedQueryResponse"}}},"description":"Indicates a successful call."}},"summary":"Get saved queries","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/saved_queries<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate and save a query for later use.","operationId":"OsqueryCreateSavedQuery","requestBody":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_CreateSavedQueryRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_CreateSavedQueryResponse"}}},"description":"Indicates a successful call."}},"summary":"Create a saved query","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/saved_queries\/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/saved_queries\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a saved query using the query ID.","operationId":"OsqueryDeleteSavedQuery","parameters":[{"description":"The saved query ID.","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_DefaultSuccessResponse"}}},"description":"Indicates a successful call."}},"summary":"Delete a saved query","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/saved_queries\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of a saved query using the query ID.","operationId":"OsqueryGetSavedQueryDetails","parameters":[{"description":"The saved query ID.","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_FindSavedQueryDetailResponse"}}},"description":"Indicates a successful call."}},"summary":"Get saved query details","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/saved_queries\/{id}<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate a saved query using the query ID.\n> info\n> You cannot update a prebuilt saved query.\n","operationId":"OsqueryUpdateSavedQuery","parameters":[{"description":"The saved query ID.","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"}}],"requestBody":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_UpdateSavedQueryRequestBody"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_UpdateSavedQueryResponse"}}},"description":"Indicates a successful call."}},"summary":"Update a saved query","tags":["Security Osquery API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/saved_queries\/{id}\/copy":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/saved_queries\/{id}\/copy<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a copy of a saved query with a unique name by appending a `_copy` suffix. 
If the name already exists, a numeric suffix is added (e.g., `_copy_2`).","operationId":"OsqueryCopySavedQuery","parameters":[{"description":"The ID of the saved query to copy.","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"copySavedQueryExample":{"summary":"Example response for copying a saved query","value":{"data":{"created_at":"2025-02-26T13:37:30.452Z","created_by":"elastic","description":"Saved query description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"my_saved_query_copy","interval":"60","platform":"linux,darwin","query":"select * from uptime;","removed":false,"saved_object_id":"42ba1280-2172-11ee-8523-5765fca79a3c","snapshot":true,"timeout":120,"updated_at":"2025-02-26T13:37:30.452Z","updated_by":"elastic"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_CopySavedQueryResponse"}}},"description":"Indicates a successful call."}},"summary":"Copy a saved query","tags":["Security Osquery API"],"x-state":"Generally available; Added in 9.4.0","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/scheduled_results\/{scheduleId}\/{executionCount}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/scheduled_results\/{scheduleId}\/{executionCount}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet paginated per-agent action results for a specific scheduled query execution, with success\/failure aggregation and execution metadata (pack name, query name\/text, timestamp).\n","operationId":"OsqueryGetScheduledActionResults","parameters":[{"description":"The schedule ID of the scheduled 
query.","in":"path","name":"scheduleId","required":true,"schema":{"description":"The schedule ID of the scheduled query.","example":"pack_my_pack_uptime","type":"string"}},{"description":"The execution count for this scheduled query run.","in":"path","name":"executionCount","required":true,"schema":{"description":"The execution count for this scheduled query run.","example":3,"type":"integer"}},{"description":"The kuery to filter the results by.","in":"query","name":"kuery","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_KueryOrUndefined"}},{"description":"The page number to return. The default is 1.","in":"query","name":"page","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageOrUndefined"}},{"description":"The number of results to return per page. The default is 20.","in":"query","name":"pageSize","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageSizeOrUndefined"}},{"description":"The field that is used to sort the results.","in":"query","name":"sort","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrUndefined"}},{"description":"Specifies the sort order.","in":"query","name":"sortOrder","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrderOrUndefined"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"scheduledActionResultsExample":{"summary":"Example scheduled action results response","value":{"aggregations":{"failed":1,"pending":0,"successful":9,"totalResponded":10,"totalRowCount":42},"currentPage":0,"edges":[{"_id":"result-001","fields":{"agent_id":"16d7caf5-efd2-4212-9b62-73dafc91fa13","rows_count":5,"status":"success"}}],"metadata":{"executionCount":3,"packId":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d","packName":"My Pack","queryName":"uptime","queryText":"select * from 
uptime;","scheduleId":"pack_my_pack_uptime","timestamp":"2024-07-26T09:00:00.000Z"},"pageSize":20,"total":10,"totalPages":1}}},"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_GetScheduledActionResultsResponse"}}},"description":"Indicates a successful call."}},"summary":"Get scheduled action results","tags":["Security Osquery API"],"x-state":"Generally available; Added in 9.4.0","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/osquery\/scheduled_results\/{scheduleId}\/{executionCount}\/results":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/osquery\/scheduled_results\/{scheduleId}\/{executionCount}\/results<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet paginated query result rows (the actual osquery output data) for a specific scheduled query execution.\n","operationId":"OsqueryGetScheduledQueryResults","parameters":[{"description":"The schedule ID of the scheduled query.","in":"path","name":"scheduleId","required":true,"schema":{"description":"The schedule ID of the scheduled query.","example":"pack_my_pack_uptime","type":"string"}},{"description":"The execution count for this scheduled query run.","in":"path","name":"executionCount","required":true,"schema":{"description":"The execution count for this scheduled query run.","example":3,"type":"integer"}},{"description":"The kuery to filter the results by.","in":"query","name":"kuery","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_KueryOrUndefined"}},{"description":"The page number to return. The default is 1.","in":"query","name":"page","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageOrUndefined"}},{"description":"The number of results to return per page. 
The default is 20.","in":"query","name":"pageSize","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PageSizeOrUndefined"}},{"description":"The field that is used to sort the results.","in":"query","name":"sort","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrUndefined"}},{"description":"Specifies the sort order.","in":"query","name":"sortOrder","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SortOrderOrUndefined"}},{"description":"The start date filter (ISO 8601) to narrow down results.","in":"query","name":"startDate","required":false,"schema":{"description":"The start date filter (ISO 8601) to narrow down results.","example":"2024-01-01T00:00:00Z","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"scheduledQueryResultsExample":{"summary":"Example scheduled query results response","value":{"data":{"edges":[{"_id":"row-001","fields":{"host.uptime":["12345"]}},{"_id":"row-002","fields":{"host.uptime":["67890"]}}],"total":2}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Osquery_API_GetScheduledQueryResultsResponse"}}},"description":"Indicates a successful call."}},"summary":"Get scheduled query results","tags":["Security Osquery API"],"x-state":"Generally available; Added in 9.4.0","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/pinned_event":{"patch":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb patch\">patch<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/pinned_event<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nPin\/unpin an event to\/from an existing Timeline.","operationId":"PersistPinnedEventRoute","requestBody":{"content":{"application\/json":{"examples":{"pinEvent":{"summary":"Pin an 
event","value":{"eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}}},"schema":{"type":"object","properties":{"eventId":{"description":"The `_id` of the associated event for this pinned event.","example":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","type":"string"},"pinnedEventId":{"description":"The `savedObjectId` of the pinned event you want to unpin.","example":"10r1929b-0af7-42bd-85a8-56e234f98h2f3","nullable":true,"type":"string"},"timelineId":{"description":"The `savedObjectId` of the timeline that you want this pinned event unpinned from.","example":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","type":"string"}},"required":["eventId","timelineId"]}}},"description":"The pinned event to add or unpin, along with additional metadata.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"pinnedSaved":{"summary":"Pinned event saved object","value":{"eventId":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","pinnedEventId":"10r1929b-0af7-42bd-85a8-56e234f98h2f3","timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzQ2LDFe"}},"unpinned":{"summary":"Unpin response","value":{"unpinned":true}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_PersistPinnedEventResponse"}}},"description":"Indicates a successful call."}},"summary":"Pin\/unpin an event","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/risk_score\/engine\/dangerously_delete_data":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/risk_score\/engine\/dangerously_delete_data<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCleaning up the Risk Engine by removing the indices, mapping and 
transforms","operationId":"CleanUpRiskEngine","responses":{"200":{"content":{"application\/json":{"examples":{"CleanUpRiskEngineResponse":{"summary":"Successful cleanup response","value":{"cleanup_successful":true}}},"schema":{"type":"object","properties":{"cleanup_successful":{"type":"boolean"}}}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"taskManagerUnavailable":{"summary":"Task manager is unavailable","value":{"message":"Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again.","status_code":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_TaskManagerUnavailableResponse"}}},"description":"Task manager is unavailable"},"default":{"content":{"application\/json":{"examples":{"cleanupFailed":{"summary":"Cleanup failed","value":{"cleanup_successful":false,"errors":[{"error":"Risk engine is disabled or deleted already.","seq":1}]}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse"}}},"description":"Unexpected error"}},"summary":"Cleanup the Risk Engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/risk_score\/engine\/saved_object\/configure":{"patch":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb patch\">patch<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/risk_score\/engine\/saved_object\/configure<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nConfiguring the Risk Engine Saved Object","operationId":"ConfigureRiskEngineSavedObject","requestBody":{"content":{"application\/json":{"examples":{"ConfigureRiskEngineSavedObjectRequest":{"summary":"Configure the risk engine saved 
object","value":{"enable_reset_to_zero":false,"exclude_alert_statuses":["closed"],"exclude_alert_tags":["low-priority"],"filters":[{"entity_types":["host","user"],"filter":"host.name: *"}],"range":{"end":"now","start":"now-30d"}}}},"schema":{"type":"object","properties":{"enable_reset_to_zero":{"type":"boolean"},"exclude_alert_statuses":{"items":{"type":"string"},"type":"array"},"exclude_alert_tags":{"items":{"type":"string"},"type":"array"},"filters":{"items":{"type":"object","properties":{"entity_types":{"items":{"enum":["host","user","service"],"type":"string"},"type":"array"},"filter":{"description":"KQL filter string","type":"string"}},"required":["entity_types","filter"]},"type":"array"},"page_size":{"description":"Number of entities to score per page. Higher values reduce total scoring time by reducing the number of alert-index scans, but cannot exceed the ES|QL result limit (10,000 by default).\n","maximum":10000,"minimum":100,"type":"integer"},"range":{"type":"object","properties":{"end":{"type":"string"},"start":{"type":"string"}}}}}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"ConfigureRiskEngineSavedObjectResponse":{"summary":"Successful configuration response","value":{"risk_engine_saved_object_configured":true}}},"schema":{"type":"object","properties":{"risk_engine_saved_object_configured":{"type":"boolean"}}}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"taskManagerUnavailable":{"summary":"Task manager is unavailable","value":{"message":"Task Manager is unavailable, but is required by the risk engine. 
Please enable the taskManager plugin and try again.","status_code":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_TaskManagerUnavailableResponse"}}},"description":"Task manager is unavailable"},"default":{"content":{"application\/json":{"examples":{"configureError":{"summary":"Configure saved object failed","value":{"errors":[{"error":"Internal server error","seq":1}],"risk_engine_saved_object_configured":false}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse"}}},"description":"Unexpected error"}},"summary":"Configure the Risk Engine Saved Object","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/risk_score\/engine\/schedule_now":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/risk_score\/engine\/schedule_now<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nSchedule the risk scoring engine to run as soon as possible. 
You can use this to recalculate entity risk scores after updating their asset criticality.","operationId":"ScheduleRiskEngineNow","requestBody":{"content":{"application\/json":{"examples":{"emptyRequest":{"summary":"No request body","value":{}}},"schema":{"type":"object"}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"ScheduleRiskEngineNowResponse":{"summary":"Successful schedule response","value":{"success":true}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"taskManagerUnavailable":{"summary":"Task manager is unavailable","value":{"message":"Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again.","status_code":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_TaskManagerUnavailableResponse"}}},"description":"Task manager is unavailable"},"default":{"content":{"application\/json":{"examples":{"scheduleNowError":{"summary":"Schedule now failed","value":{"full_error":"{}","message":"Internal server error"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse"}}},"description":"Unexpected error"}},"summary":"Run the risk scoring engine","tags":["Security Entity Analytics API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/saved_objects\/_export":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/saved_objects\/_export<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. 
The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss.\n\nExported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.\n\nNOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions.\n\nNOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported.","operationId":"post-saved-objects-export","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"exportSavedObjectsRequest":{"summary":"Export a specific saved object","value":{"excludeExportDetails":true,"includeReferencesDeep":false,"objects":[{"id":"example-dashboard-1","type":"dashboard"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"excludeExportDetails":{"default":false,"description":"Do not add export details entry at the end of the stream.","type":"boolean"},"hasReference":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["type","id"]},{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["type","id"]},"maxItems":100,"type":"array"}]},"includeReferencesDeep":{"default":false,"description":"Includes all of the referenced objects in the exported objects.","type":"boolean"},"objects":{"description":"A list of objects to export. 
NOTE: this optional parameter cannot be combined with the `types` option","items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"type":{"type":"string"}},"required":["type","id"]},"maxItems":10000,"type":"array"},"search":{"description":"Search for documents to export using the Elasticsearch Simple Query String syntax.","type":"string"},"type":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"maxItems":100,"type":"array"}],"description":"The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`."}}}}}},"responses":{"200":{"content":{"application\/x-ndjson":{"examples":{"exportSavedObjectsResponse":{"summary":"The export response contains an NDJSON record for each exported object","value":"{\"id\":\"example-dashboard-1\",\"type\":\"dashboard\",\"attributes\":{\"title\":\"Example dashboard 1\"},\"references\":[],\"managed\":false}\n{\"exportedCount\":1,\"missingRefCount\":0,\"missingReferences\":[]}\n"}},"schema":{}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"summary":"A bad request error","value":{"error":"Bad Request","message":"Either `type` or `objects` are required.: Bad Request","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Indicates an unsuccessful response.","type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"enum":[400],"type":"integer"}},"required":["error","message","statusCode"]}}},"description":"Bad 
request."}},"summary":"Export saved objects","tags":["saved objects"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/saved_objects\/_export\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"objects\":[{\"type\":\"dashboard\",\"id\":\"example-dashboard-1\"}],\"includeReferencesDeep\":false,\"excludeExportDetails\":true}'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/saved_objects\/_export\n{\"objects\":[{\"type\":\"dashboard\",\"id\":\"example-dashboard-1\"}],\"includeReferencesDeep\":false,\"excludeExportDetails\":true}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/saved_objects\/_import":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/saved_objects\/_import<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss.\n\nExported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.\n\nNOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. 
If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forwards compatibility across Kibana versions.","operationId":"post-saved-objects-import","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.","in":"query","name":"overwrite","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.","in":"query","name":"createNewCopies","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.","in":"query","name":"compatibilityMode","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"multipart\/form-data":{"examples":{"importObjectsRequest":{"summary":"Import saved objects from an NDJSON file","value":{"file":"file.ndjson"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"file":{"description":"A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. 
NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.","type":"object"}},"required":["file"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"importObjectsResponse":{"summary":"A successful import response","value":{"errors":[],"success":true,"successCount":1,"successResults":[{"destinationId":"example-dashboard-1-copy","id":"example-dashboard-1","managed":false,"type":"dashboard"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"errors":{"description":"Indicates the import was unsuccessful and specifies the objects that failed to import.\n\nNOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error.","items":{"additionalProperties":true,"type":"object","properties":{}},"type":"array"},"success":{"description":"Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties.","type":"boolean"},"successCount":{"description":"Indicates the number of successfully imported records.","type":"number"},"successResults":{"description":"Indicates the objects that are successfully imported, with any metadata if applicable.\n\nNOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. 
If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute.","items":{"additionalProperties":true,"type":"object","properties":{}},"type":"array"}},"required":["success","successCount","errors","successResults"]}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"summary":"A bad request error","value":{"error":"Bad Request","message":"Invalid file extension .txt","statusCode":400}}},"schema":{"additionalProperties":false,"description":"Indicates an unsuccessful response.","type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"enum":[400],"type":"integer"}},"required":["error","message","statusCode"]}}},"description":"Bad request."}},"summary":"Import saved objects","tags":["saved objects"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/saved_objects\/_import?createNewCopies=true\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  --form file=@file.ndjson\n"},{"lang":"Console","source":"POST kbn:\/\/api\/saved_objects\/_import?createNewCopies=true\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/saved_objects\/_resolve_import_errors":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/saved_objects\/_resolve_import_errors<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nTo resolve errors from the import objects API, you can retry certain saved objects, overwrite specific saved objects, and change references to different saved objects","operationId":"post-saved-objects-resolve-import-errors","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Creates copies of saved objects, regenerates each object ID, and resets the origin.","in":"query","name":"createNewCopies","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Applies adjustments to maintain compatibility between different Kibana versions.","in":"query","name":"compatibilityMode","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"multipart\/form-data":{"examples":{"resolveImportErrorsRequest":{"summary":"Resolve import errors by retrying objects","value":{"file":"file.ndjson","retries":[{"id":"example-dashboard-1","overwrite":true,"replaceReferences":[],"type":"dashboard"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"file":{"type":"object"},"retries":{"items":{"additionalProperties":false,"type":"object","properties":{"createNewCopy":{"type":"boolean"},"destinationId":{"type":"string"},"id":{"type":"string"},"ignoreMissingReferences":{"type":"boolean"},"overwrite":{"default":false,"type":"boolean"},"replaceReferences":{"default":[],"items":{"additionalProperties":false,"type":"object","properties":{"from":{"type":"string"},"to":{"type":"string"},"type":{"type":"string"}},"required":["type","from","to"]},"maxItems":100,"type":"array"},"type":{"type":"string"}},"required":["type","id"]},"maxItems":10000,"type":"array"}},"required":["file","retries"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"resolveImportErrorsResponse":{"summary":"A successful resolve import errors response","value":{"errors":[],"success":true,"successCount":1,"successResults":[{"id":"example-dashboard-1","managed":false,"type":"dashboard"}]}}}}},"description":"A successful resolve import errors response."},"400":{"content":{"application\/json":{"examples":{"badRequestResponse":{"summary":"A bad request error","value":{"error":"Bad 
Request","message":"Invalid file extension .txt","statusCode":400}}}}},"description":"A bad request."}},"summary":"Resolve import errors","tags":["saved objects"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/saved_objects\/_resolve_import_errors\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  --form file=@file.ndjson \\\n  --form retries='[{\"type\":\"dashboard\",\"id\":\"example-dashboard-1\",\"overwrite\":true,\"replaceReferences\":[]}]'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/saved_objects\/_resolve_import_errors\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/anonymization_fields\/_bulk_action":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/anonymization_fields\/_bulk_action<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nApply a bulk action to multiple anonymization fields. 
The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.","operationId":"PerformAnonymizationFieldsBulkAction","requestBody":{"content":{"application\/json":{"examples":{"PerformAnonymizationFieldsBulkActionRequest":{"value":{"create":[{"allowed":true,"anonymized":false,"field":"host.name"},{"allowed":false,"anonymized":true,"field":"user.name"}],"delete":{"ids":["field5","field6"],"query":"field: host.name"},"update":[{"allowed":true,"anonymized":false,"id":"field8"},{"allowed":false,"anonymized":true,"id":"field9"}]}}},"schema":{"example":{"create":[{"allowed":true,"anonymized":false,"field":"host.name"},{"allowed":false,"anonymized":true,"field":"user.name"}],"delete":{"ids":["field5","field6"],"query":"field: host.name"},"update":[{"allowed":true,"anonymized":false,"id":"field8"},{"allowed":false,"anonymized":true,"id":"field9"}]},"type":"object","properties":{"create":{"description":"Array of anonymization fields to create.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldCreateProps"},"type":"array"},"delete":{"description":"Object containing the query to filter anonymization fields and\/or an array of anonymization field IDs to delete.","type":"object","properties":{"ids":{"description":"Array of IDs to apply the action to.","example":["1234","5678"],"items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter the bulk action.","example":"status: 'inactive'","type":"string"}}},"update":{"description":"Array of anonymization fields to 
update.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldUpdateProps"},"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"PerformAnonymizationFieldsBulkActionResponse200Example":{"value":{"anonymization_fields_count":4,"attributes":{"results":{"created":[{"allowed":false,"anonymized":true,"createdAt":"2023-10-31T12:00:00Z","createdBy":"user1","field":"host.name","id":"field2","namespace":"default","timestamp":"2023-10-31T12:00:00Z","updatedAt":"2023-10-31T12:00:00Z","updatedBy":"user1"}],"deleted":["field3"],"skipped":[{"id":"field4","name":"user.name","skip_reason":"ANONYMIZATION_FIELD_NOT_MODIFIED"}],"updated":[{"allowed":true,"anonymized":false,"createdAt":"2023-10-31T12:00:00Z","createdBy":"user1","field":"url.domain","id":"field8","namespace":"default","timestamp":"2023-10-31T12:00:00Z","updatedAt":"2023-10-31T12:00:00Z","updatedBy":"user1"}]},"summary":{"failed":0,"skipped":1,"succeeded":3,"total":4}},"message":"Bulk action completed successfully","status_code":200,"success":true}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse"}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"PerformAnonymizationFieldsBulkActionResponse400Example":{"value":{"error":"Bad Request","message":"Invalid request body","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"description":"Error type or name.","type":"string"},"message":{"description":"Detailed error message.","type":"string"},"statusCode":{"description":"Status code of the response.","type":"number"}}}}},"description":"Bad Request response."}},"summary":"Apply a bulk action to anonymization fields","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/security_ai_assistant\/anonymization_fields\/_bulk_action' \\\n 
--header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\"create\":[{\"field\":\"host.name\",\"allowed\":true,\"anonymized\":false}]}'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/anonymization_fields\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/anonymization_fields\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all anonymization fields.","operationId":"FindAnonymizationFields","parameters":[{"description":"Fields to return","example":["id","field","anonymized","allowed"],"in":"query","name":"fields","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Search query","example":"field: \"user.name\"","in":"query","name":"filter","required":false,"schema":{"type":"string"}},{"description":"Field to sort by","example":"created_at","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_FindAnonymizationFieldsSortField"}},{"description":"Sort order","example":"asc","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_SortOrder"}},{"description":"Page number","example":1,"in":"query","name":"page","required":false,"schema":{"default":1,"minimum":1,"type":"integer"}},{"description":"AnonymizationFields per page","example":20,"in":"query","name":"per_page","required":false,"schema":{"default":20,"minimum":0,"type":"integer"}},{"description":"If true, additionally fetch all anonymization fields, otherwise fetch only the provided 
page","in":"query","name":"all_data","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"FindAnonymizationFieldsResponse200Example":{"value":{"aggregations":{"field_status":{"buckets":{"allowed":{"doc_count":1},"anonymized":{"doc_count":1},"denied":{"doc_count":1}}}},"all":[{"allowed":true,"anonymized":true,"createdAt":"2023-10-31T12:00:00Z","createdBy":"user1","field":"user.name","id":"1","namespace":"default","timestamp":"2023-10-31T12:00:00Z","updatedAt":"2023-10-31T12:00:00Z","updatedBy":"user1"}],"data":[{"allowed":true,"anonymized":true,"createdAt":"2023-10-31T12:00:00Z","createdBy":"user1","field":"user.name","id":"1","namespace":"default","timestamp":"2023-10-31T12:00:00Z","updatedAt":"2023-10-31T12:00:00Z","updatedBy":"user1"}],"page":1,"perPage":20,"total":100}}},"schema":{"type":"object","properties":{"aggregations":{"type":"object","properties":{"field_status":{"type":"object","properties":{"buckets":{"type":"object","properties":{"allowed":{"type":"object","properties":{"doc_count":{"default":0,"type":"integer"}}},"anonymized":{"type":"object","properties":{"doc_count":{"default":0,"type":"integer"}}},"denied":{"type":"object","properties":{"doc_count":{"default":0,"type":"integer"}}}}}}}}},"all":{"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldResponse"},"type":"array"},"data":{"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldResponse"},"type":"array"},"page":{"type":"integer"},"perPage":{"type":"integer"},"total":{"type":"integer"}},"required":["page","perPage","total","data"]}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"FindAnonymizationFieldsResponse400Example":{"value":{"error":"Bad Request","message":"Invalid request 
parameters","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Get anonymization fields","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/security_ai_assistant\/anonymization_fields\/_find?page=1&per_page=20' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/chat\/complete":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/chat\/complete<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a model response for the given chat conversation.","operationId":"ChatComplete","parameters":[{"description":"If true, the response will not include content references.","example":false,"in":"query","name":"content_references_disabled","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"ChatCompleteRequest":{"value":{"connectorId":"conn-001","conversationId":"abc123","isStream":true,"langSmithApiKey":"<LANGSMITH_API_KEY>","langSmithProject":"security_ai_project","messages":[{"content":"What are some common phishing 
techniques?","data":{"user_id":"user_789"},"fields_to_anonymize":["user.name","source.ip"],"role":"user"}],"model":"gpt-4","persist":true,"promptId":"prompt_456","responseLanguage":"en"}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ChatCompleteProps"}}},"required":true},"responses":{"200":{"content":{"application\/octet-stream":{"examples":{"ChatCompleteResponse200Example":{"value":"(streaming binary response)"}},"schema":{"format":"binary","type":"string"}}},"description":"Indicates a successful model response call."},"400":{"content":{"application\/json":{"examples":{"ChatCompleteResponse400Example":{"value":{"error":"Bad Request","message":"Invalid request payload.","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"description":"Error type.","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message.","example":"Invalid request payload.","type":"string"},"statusCode":{"description":"HTTP status code.","example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Create a model response","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/security_ai_assistant\/chat\/complete' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\"connectorId\":\"conn-001\",\"persist\":true,\"messages\":[{\"role\":\"user\",\"content\":\"What are common phishing techniques?\"}]}'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/current_user\/conversations":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/current_user\/conversations<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nThis endpoint allows users to permanently delete all conversations.","operationId":"DeleteAllConversations","requestBody":{"content":{"application\/json":{"examples":{"DeleteAllConversationsRequest":{"value":{"excludedIds":["abc123","def456"]}}},"schema":{"type":"object","properties":{"excludedIds":{"description":"Optional list of conversation IDs to delete.","example":["abc123","def456"],"items":{"type":"string"},"type":"array"}}}}},"required":false},"responses":{"200":{"content":{"application\/json":{"examples":{"DeleteAllConversationsResponse200Example":{"value":{"failures":[],"success":true,"totalDeleted":10}}},"schema":{"type":"object","properties":{"failures":{"items":{"type":"string"},"type":"array"},"success":{"example":true,"type":"boolean"},"totalDeleted":{"example":10,"type":"number"}}}}},"description":"Indicates a successful call. The conversations were deleted successfully."},"400":{"content":{"application\/json":{"examples":{"DeleteAllConversationsResponse400Example":{"value":{"error":"Bad Request","message":"Invalid conversation ID","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Invalid conversation ID","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Delete conversations","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request DELETE 'http:\/\/localhost:5601\/api\/security_ai_assistant\/current_user\/conversations' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\"excludedIds\":[\"abc123\"]}'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span 
class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/current_user\/conversations<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters.","operationId":"CreateConversation","requestBody":{"content":{"application\/json":{"examples":{"CreateConversationRequest":{"value":{"apiConfig":{"actionTypeId":"67890","connectorId":"12345"},"category":"assistant","excludeFromLastConversationStorage":false,"messages":[{"content":"Hello, how can I assist you today?","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"replacements":{},"title":"Security Discussion"}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ConversationCreateProps"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"CreateConversationResponse200Example":{"value":{"apiConfig":{"actionTypeId":"67890","connectorId":"12345"},"category":"assistant","createdAt":"2023-10-31T12:01:00Z","createdBy":{"id":"user1","name":"John Doe"},"excludeFromLastConversationStorage":false,"id":"abc123","messages":[{"content":"Hello, how can I assist you today?","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"namespace":"default","replacements":{},"title":"Security Discussion","updatedAt":"2023-10-31T12:01:00Z","users":[{"id":"user1","name":"John Doe"}]}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ConversationResponse"}}},"description":"Indicates a successful call. 
The conversation was created successfully."},"400":{"content":{"application\/json":{"examples":{"CreateConversationResponse400Example":{"value":{"error":"Bad Request","message":"Missing required parameter: title","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Missing required parameter: title","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Create a conversation","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/security_ai_assistant\/current_user\/conversations' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\"title\":\"Security Discussion\",\"category\":\"assistant\",\"messages\":[{\"content\":\"Hello\",\"role\":\"system\",\"timestamp\":\"2023-10-31T12:00:00Z\"}],\"apiConfig\":{\"connectorId\":\"12345\",\"actionTypeId\":\"67890\"},\"replacements\":{},\"excludeFromLastConversationStorage\":false}'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/current_user\/conversations\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/current_user\/conversations\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations.","operationId":"FindConversations","parameters":[{"description":"A list of fields to include in the response. 
If omitted, all fields are returned.","in":"query","name":"fields","required":false,"schema":{"example":["id","title","createdAt"],"items":{"type":"string"},"type":"array"}},{"description":"A search query to filter the conversations. Can match against titles, messages, or other conversation attributes.","in":"query","name":"filter","required":false,"schema":{"example":"Security Issue","type":"string"}},{"description":"The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`.","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_FindConversationsSortField","example":"created_at"}},{"description":"The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending.","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_SortOrder","example":"desc"}},{"description":"The page number of the results to retrieve. Default is 1.","in":"query","name":"page","required":false,"schema":{"default":1,"example":1,"minimum":1,"type":"integer"}},{"description":"The number of conversations to return per page. Default is 20.","in":"query","name":"per_page","required":false,"schema":{"default":20,"example":20,"minimum":0,"type":"integer"}},{"description":"Whether to return conversations that the current user owns. 
If true, only conversations owned by the user are returned.","in":"query","name":"is_owner","required":false,"schema":{"default":false,"example":true,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"FindConversationsResponse200Example":{"value":{"data":[{"category":"assistant","createdAt":"2023-10-31T12:00:00Z","createdBy":{"id":"user1","name":"John Doe"},"excludeFromLastConversationStorage":false,"id":"conv-abc123","messages":[],"namespace":"default","replacements":{},"title":"Security Discussion","updatedAt":"2023-10-31T12:05:00Z","users":[{"id":"user1","name":"John Doe"}]}],"page":1,"perPage":20,"total":5}}},"schema":{"type":"object","properties":{"data":{"description":"A list of conversations.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ConversationResponse"},"type":"array"},"page":{"description":"The current page of the results.","example":1,"type":"integer"},"perPage":{"description":"The number of results returned per page.","example":20,"type":"integer"},"total":{"description":"The total number of conversations matching the filter criteria.","example":100,"type":"integer"}},"required":["page","perPage","total","data"]}}},"description":"Successful response, returns a paginated list of conversations matching the specified criteria."},"400":{"content":{"application\/json":{"examples":{"FindConversationsResponse400Example":{"value":{"error":"Bad Request","message":"Invalid filter parameter.","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Invalid filter query parameter","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Get conversations","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 
'http:\/\/localhost:5601\/api\/security_ai_assistant\/current_user\/conversations\/_find?page=1&per_page=20' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/current_user\/conversations\/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/current_user\/conversations\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation.","operationId":"DeleteConversation","parameters":[{"description":"The conversation's `id` value.","example":"abc123","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"DeleteConversationResponse200Example":{"value":{"apiConfig":{"actionTypeId":"67890","connectorId":"12345"},"category":"assistant","createdAt":"2023-10-31T12:01:00Z","createdBy":{"id":"user1","name":"John Doe"},"excludeFromLastConversationStorage":false,"id":"abc123","messages":[{"content":"The conversation has been deleted.","role":"system","timestamp":"2023-10-31T12:35:00Z"}],"namespace":"default","replacements":{},"title":"Deleted Security Discussion","updatedAt":"2023-10-31T12:01:00Z","users":[{"id":"user1","name":"John Doe"}]}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ConversationResponse"}}},"description":"Indicates a successful call. 
The conversation was deleted successfully."},"400":{"content":{"application\/json":{"examples":{"DeleteConversationResponse400Example":{"value":{"error":"Bad Request","message":"Invalid conversation ID","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Invalid conversation ID","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Delete a conversation","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request DELETE 'http:\/\/localhost:5601\/api\/security_ai_assistant\/current_user\/conversations\/abc123' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/current_user\/conversations\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of an existing conversation using the conversation ID. 
This allows users to fetch the specific conversation data by its unique ID.","operationId":"ReadConversation","parameters":[{"description":"The conversation's `id` value, a unique identifier for the conversation.","example":"abc123","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"ReadConversationResponse200Example":{"value":{"apiConfig":{"actionTypeId":"67890","connectorId":"12345"},"category":"assistant","createdAt":"2023-10-31T12:01:00Z","createdBy":{"id":"user1","name":"John Doe"},"excludeFromLastConversationStorage":false,"id":"abc123","messages":[{"content":"Hello, how can I assist you today?","role":"system","timestamp":"2023-10-31T12:00:00Z"}],"namespace":"default","replacements":{},"title":"Security Discussion","updatedAt":"2023-10-31T12:01:00Z","users":[{"id":"user1","name":"John Doe"}]}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ConversationResponse"}}},"description":"Indicates a successful call. 
The conversation details are returned."},"400":{"content":{"application\/json":{"examples":{"ReadConversationResponse400Example":{"value":{"error":"Bad Request","message":"Invalid conversation ID","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Invalid conversation ID","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Get a conversation","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/security_ai_assistant\/current_user\/conversations\/abc123' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/current_user\/conversations\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an existing conversation using the conversation ID. 
This endpoint allows users to modify the details of an existing conversation.","operationId":"UpdateConversation","parameters":[{"description":"The conversation's `id` value.","example":"abc123","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"}}],"requestBody":{"content":{"application\/json":{"examples":{"UpdateConversationRequest":{"value":{"apiConfig":{"actionTypeId":"09876","connectorId":"54321"},"category":"insights","excludeFromLastConversationStorage":true,"messages":[{"content":"The issue was resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"replacements":{},"title":"Updated Security Discussion"}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ConversationUpdateProps"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"UpdateConversationResponse200Example":{"value":{"apiConfig":{"actionTypeId":"09876","connectorId":"54321"},"category":"insights","createdAt":"2023-10-31T12:01:00Z","createdBy":{"id":"user1","name":"John Doe"},"excludeFromLastConversationStorage":true,"id":"abc123","messages":[{"content":"The issue was resolved.","role":"assistant","timestamp":"2023-10-31T12:30:00Z"}],"namespace":"default","replacements":{},"title":"Updated Security Discussion","updatedAt":"2023-10-31T12:31:00Z","users":[{"id":"user1","name":"John Doe"}]}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ConversationResponse"}}},"description":"Indicates a successful call. 
The conversation was updated successfully."},"400":{"content":{"application\/json":{"examples":{"UpdateConversationResponse400Example":{"value":{"error":"Bad Request","message":"Missing required field: title","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Missing required field: title","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Update a conversation","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request PUT 'http:\/\/localhost:5601\/api\/security_ai_assistant\/current_user\/conversations\/abc123' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\"title\":\"Updated Security Discussion\",\"category\":\"insights\",\"messages\":[{\"content\":\"Resolved.\",\"role\":\"assistant\",\"timestamp\":\"2023-10-31T12:30:00Z\"}],\"apiConfig\":{\"connectorId\":\"54321\",\"actionTypeId\":\"09876\"},\"replacements\":{},\"excludeFromLastConversationStorage\":true}'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/knowledge_base":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/knowledge_base<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRead a single KB","operationId":"GetKnowledgeBase","responses":{"200":{"content":{"application\/json":{"examples":{"KnowledgeBaseReadResponse200Example2":{"summary":"A response that returns information about the knowledge 
base.","value":{"defend_insights_exists":true,"elser_exists":false,"is_setup_available":true,"is_setup_in_progress":true,"product_documentation_status":"installed","security_labs_exists":false,"user_data_exists":true}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseReadResponse200"}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"GetKnowledgeBaseResponse400Example":{"value":{"error":"Bad Request","message":"Invalid resource ID provided.","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseResponse400"}}},"description":"Bad Request response."}},"summary":"Read a KnowledgeBase","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/security_ai_assistant\/knowledge_base' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/knowledge_base<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a knowledge base. Use this endpoint when no specific resource identifier is needed.","operationId":"PostKnowledgeBase","parameters":[{"description":"ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used.","example":"elser-model-001","in":"query","name":"modelId","required":false,"schema":{"type":"string"}},{"description":"Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. 
Defaults to `false`.","example":true,"in":"query","name":"ignoreSecurityLabs","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"KnowledgeBaseResponse200Example2":{"summary":"A response that indicates that the request was successful.","value":{"success":true}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseResponse"}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"KnowledgeBaseResponse400Example2":{"summary":"A response for a request that failed due to an invalid query parameter value.","value":"statusCode: 400 error: Bad Request message: \"[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string\"\n"}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseResponse400"}}},"description":"Bad Request response."}},"summary":"Create a KnowledgeBase","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/security_ai_assistant\/knowledge_base?ignoreSecurityLabs=false' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/knowledge_base\/{resource}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/knowledge_base\/{resource}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRead a knowledge base with a specific resource identifier.","operationId":"ReadKnowledgeBase","parameters":[{"description":"The KnowledgeBase `resource` 
value.","example":"kb12345","in":"path","name":"resource","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"KnowledgeBaseReadResponse200Example1":{"summary":"A response that returns information about the knowledge base.","value":{"defend_insights_exists":true,"elser_exists":false,"is_setup_available":true,"is_setup_in_progress":true,"product_documentation_status":"installed","security_labs_exists":false,"user_data_exists":true}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseReadResponse200"}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"ReadKnowledgeBaseResponse400Example":{"value":{"error":"Bad Request","message":"Invalid resource ID provided.","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseResponse400"}}},"description":"Bad Request response."}},"summary":"Read a KnowledgeBase for a resource","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/security_ai_assistant\/knowledge_base\/kb12345' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/knowledge_base\/{resource}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a knowledge base with a specific resource identifier.","operationId":"CreateKnowledgeBase","parameters":[{"description":"The KnowledgeBase `resource` value.","example":"kb12345","in":"path","name":"resource","required":true,"schema":{"type":"string"}},{"description":"ELSER modelId to 
use when setting up the Knowledge Base. If not provided, a default model will be used.","example":"elser-model-001","in":"query","name":"modelId","required":false,"schema":{"type":"string"}},{"description":"Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`.","example":true,"in":"query","name":"ignoreSecurityLabs","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"KnowledgeBaseResponse200Example1":{"summary":"A response that indicates that the request was successful.","value":{"success":true}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseResponse"}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"KnowledgeBaseResponse400Example1":{"summary":"A response for a request that failed due to an invalid query parameter value.","value":"statusCode: 400 error: Bad Request message: \"[request query]: ignoreSecurityLabs: Invalid enum value. 
Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string\"\n"}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseResponse400"}}},"description":"Bad Request response."}},"summary":"Create a KnowledgeBase for a resource","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/security_ai_assistant\/knowledge_base\/kb12345?ignoreSecurityLabs=false' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/knowledge_base\/entries":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/knowledge_base\/entries<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a Knowledge Base Entry","operationId":"CreateKnowledgeBaseEntry","requestBody":{"content":{"application\/json":{"examples":{"CreateKnowledgeBaseEntryRequest":{"value":{"kbResource":"user","name":"How to reset a password","source":"manual","text":"To reset your password, go to the settings page and click 'Reset Password'.","type":"document"}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"CreateKnowledgeBaseEntryResponse200Example":{"value":{"createdAt":"2024-01-15T10:00:00.000Z","createdBy":"user@example.com","global":false,"id":"12345","kbResource":"user","name":"How to reset a password","namespace":"default","source":"manual","text":"To reset your password, go to the settings page and click 'Reset 
Password'.","type":"document","updatedAt":"2024-01-15T10:00:00.000Z","updatedBy":"user@example.com"}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"}}},"description":"Successful request returning Knowledge Base Entries"},"400":{"content":{"application\/json":{"examples":{"CreateKnowledgeBaseEntryResponse400Example":{"value":{"error":"Invalid input","message":"The 'name' field is required."}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema"}}},"description":"Bad Request response."}},"summary":"Create a Knowledge Base Entry","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/security_ai_assistant\/knowledge_base\/entries' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\"name\":\"How to reset a password\",\"type\":\"document\",\"kbResource\":\"user\",\"source\":\"manual\",\"text\":\"To reset your password, go to the settings page and click Reset Password.\"}'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/knowledge_base\/entries\/_bulk_action":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/knowledge_base\/entries\/_bulk_action<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nThe bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their 
IDs.","operationId":"PerformKnowledgeBaseEntryBulkAction","requestBody":{"content":{"application\/json":{"examples":{"PerformKnowledgeBaseEntryBulkActionRequest":{"value":{"create":[{"kbResource":"user","name":"New Entry","source":"manual","text":"This is the content of the new entry.","type":"document"}],"delete":{"ids":["789"]},"update":[{"id":"123","kbResource":"user","name":"Updated Entry","source":"manual","text":"Updated content.","type":"document"}]}}},"schema":{"type":"object","properties":{"create":{"description":"List of Knowledge Base Entries to create.","example":[{"kbResource":"user","name":"New Entry","source":"manual","text":"This is the content of the new entry.","type":"document"}],"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps"},"type":"array"},"delete":{"type":"object","properties":{"ids":{"description":"Array of Knowledge Base Entry IDs.","example":["123","456","789"],"items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter Knowledge Base Entries.","example":"status:active AND category:technology","type":"string"}}},"update":{"description":"List of Knowledge Base Entries to update.","example":[{"id":"123","kbResource":"user","name":"Updated Entry","source":"manual","text":"Updated content.","type":"document"}],"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps"},"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"PerformKnowledgeBaseEntryBulkActionResponse200Example":{"value":{"attributes":{"results":{"created":[{"createdAt":"2024-01-15T10:00:00.000Z","createdBy":"user@example.com","global":false,"id":"456","kbResource":"user","name":"New Entry","namespace":"default","source":"manual","text":"This is the content of the new 
entry.","type":"document","updatedAt":"2024-01-15T10:00:00.000Z","updatedBy":"user@example.com"}],"deleted":["789"],"skipped":[],"updated":[{"createdAt":"2024-01-14T09:00:00.000Z","createdBy":"user@example.com","global":false,"id":"123","kbResource":"user","name":"Updated Entry","namespace":"default","source":"manual","text":"Updated content.","type":"document","updatedAt":"2024-01-15T10:00:00.000Z","updatedBy":"user@example.com"}]},"summary":{"failed":0,"skipped":0,"succeeded":3,"total":3}},"knowledgeBaseEntriesCount":3,"message":"Bulk action completed successfully.","statusCode":200,"success":true}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse"}}},"description":"Successful bulk operation request"},"400":{"content":{"application\/json":{"examples":{"PerformKnowledgeBaseEntryBulkActionResponse400Example":{"value":{"error":"Bad Request","message":"Invalid request body.","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema"}}},"description":"Bad Request response."}},"summary":"Applies a bulk action to multiple Knowledge Base Entries","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/security_ai_assistant\/knowledge_base\/entries\/_bulk_action' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\"create\":[{\"name\":\"Runbook\",\"type\":\"document\",\"kbResource\":\"user\",\"source\":\"manual\",\"text\":\"Steps to triage an alert.\"}]}'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/knowledge_base\/entries\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/knowledge_base\/entries\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFinds Knowledge Base Entries that match the given query.","operationId":"FindKnowledgeBaseEntries","parameters":[{"description":"A list of fields to include in the response. If not provided, all fields will be included.","in":"query","name":"fields","required":false,"schema":{"example":["name","created_at"],"items":{"type":"string"},"type":"array"}},{"description":"Search query to filter Knowledge Base Entries by specific criteria.","in":"query","name":"filter","required":false,"schema":{"example":"error handling","type":"string"}},{"description":"Field to sort the Knowledge Base Entries by.","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField","example":"created_at"}},{"description":"Sort order for the results, either asc or desc.","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_SortOrder","example":"asc"}},{"description":"Page number for paginated results. Defaults to 1.","in":"query","name":"page","required":false,"schema":{"default":1,"example":2,"minimum":1,"type":"integer"}},{"description":"Number of Knowledge Base Entries to return per page. 
Defaults to 20.","in":"query","name":"per_page","required":false,"schema":{"default":20,"example":10,"minimum":0,"type":"integer"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"FindKnowledgeBaseEntriesResponse200Example":{"value":{"data":[{"createdAt":"2024-01-15T10:00:00.000Z","createdBy":"user@example.com","global":false,"id":"12345","kbResource":"user","name":"How to reset a password","namespace":"default","source":"manual","text":"To reset your password, go to the settings page and click 'Reset Password'.","type":"document","updatedAt":"2024-01-15T10:00:00.000Z","updatedBy":"user@example.com"}],"page":1,"perPage":20,"total":100}}},"schema":{"type":"object","properties":{"data":{"description":"The list of Knowledge Base Entries for the current page.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"},"type":"array"},"page":{"description":"The current page number.","example":1,"type":"integer"},"perPage":{"description":"The number of Knowledge Base Entries returned per page.","example":20,"type":"integer"},"total":{"description":"The total number of Knowledge Base Entries available.","example":100,"type":"integer"}},"required":["page","perPage","total","data"]}}},"description":"Successful response containing the paginated Knowledge Base Entries."},"400":{"content":{"application\/json":{"examples":{"FindKnowledgeBaseEntriesResponse400Example":{"value":{"error":"Bad Request","message":"Invalid query parameter: sort_order","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"description":"A short description of the error.","example":"Bad Request","type":"string"},"message":{"description":"A detailed message explaining the error.","example":"Invalid query parameter: sort_order","type":"string"},"statusCode":{"description":"The HTTP status code of the error.","example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Finds Knowledge Base Entries that match the 
given query.","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/security_ai_assistant\/knowledge_base\/entries\/_find?page=1&per_page=20' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/knowledge_base\/entries\/{id}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/knowledge_base\/entries\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a Knowledge Base Entry by its unique `id`.","operationId":"DeleteKnowledgeBaseEntry","parameters":[{"description":"The unique identifier (`id`) of the Knowledge Base Entry to delete.","example":"12345","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"DeleteKnowledgeBaseEntryResponse200Example":{"value":{"id":"12345","message":"Knowledge Base Entry successfully deleted."}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DeleteResponseFields"}}},"description":"Successful request returning the `id` of the deleted Knowledge Base Entry."},"400":{"content":{"application\/json":{"examples":{"DeleteKnowledgeBaseEntryResponse400Example":{"value":{"error":"Not Found","message":"No Knowledge Base Entry found with the provided `id`."}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema"}}},"description":"Bad Request response."}},"summary":"Deletes a single Knowledge Base Entry using the `id` field","tags":["Security AI Assistant 
API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request DELETE 'http:\/\/localhost:5601\/api\/security_ai_assistant\/knowledge_base\/entries\/12345' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/knowledge_base\/entries\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve a Knowledge Base Entry by its unique `id`.","operationId":"ReadKnowledgeBaseEntry","parameters":[{"description":"The unique identifier (`id`) of the Knowledge Base Entry to retrieve.","example":"12345","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"ReadKnowledgeBaseEntryResponse200Example":{"value":{"createdAt":"2024-01-15T10:00:00.000Z","createdBy":"user@example.com","global":false,"id":"12345","kbResource":"user","name":"How to reset a password","namespace":"default","source":"manual","text":"To reset your password, go to the settings page and click 'Reset Password'.","type":"document","updatedAt":"2024-01-15T10:00:00.000Z","updatedBy":"user@example.com"}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"}}},"description":"Successful request returning the requested Knowledge Base Entry."},"400":{"content":{"application\/json":{"examples":{"ReadKnowledgeBaseEntryResponse400Example":{"value":{"error":"Not Found","message":"No Knowledge Base Entry found with the provided `id`."}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema"}}},"description":"Bad 
Request response."}},"summary":"Read a Knowledge Base Entry","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/security_ai_assistant\/knowledge_base\/entries\/12345' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/knowledge_base\/entries\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an existing Knowledge Base Entry by its unique `id`.","operationId":"UpdateKnowledgeBaseEntry","parameters":[{"description":"The unique identifier (`id`) of the Knowledge Base Entry to update.","example":"12345","in":"path","name":"id","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"}}],"requestBody":{"content":{"application\/json":{"examples":{"UpdateKnowledgeBaseEntryRequest":{"value":{"kbResource":"user","name":"How to reset a password (updated)","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions.","type":"document"}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"UpdateKnowledgeBaseEntryResponse200Example":{"value":{"createdAt":"2024-01-15T10:00:00.000Z","createdBy":"user@example.com","global":false,"id":"12345","kbResource":"user","name":"How to reset a password (updated)","namespace":"default","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen 
instructions.","type":"document","updatedAt":"2024-01-15T10:05:00.000Z","updatedBy":"user@example.com"}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"}}},"description":"Successful request returning the updated Knowledge Base Entry."},"400":{"content":{"application\/json":{"examples":{"UpdateKnowledgeBaseEntryResponse400Example":{"value":{"error":"Invalid input","message":"The 'text' field cannot be empty."}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema"}}},"description":"Bad Request response."}},"summary":"Update a Knowledge Base Entry","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request PUT 'http:\/\/localhost:5601\/api\/security_ai_assistant\/knowledge_base\/entries\/12345' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\"name\":\"How to reset a password (updated)\",\"type\":\"document\",\"kbResource\":\"user\",\"source\":\"manual\",\"text\":\"Updated: go to settings and click Reset Password, then follow the on-screen instructions.\"}'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/prompts\/_bulk_action":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/prompts\/_bulk_action<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nApply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. 
This action allows for bulk create, update, or delete operations.","operationId":"PerformPromptsBulkAction","requestBody":{"content":{"application\/json":{"examples":{"PerformPromptsBulkActionRequest":{"value":{"create":[{"content":"Please verify the security settings.","name":"New Security Prompt","promptType":"system"}],"delete":{"ids":["prompt1","prompt2"]},"update":[{"content":"Updated content for security prompt.","id":"prompt123"}]}}},"schema":{"type":"object","properties":{"create":{"description":"List of prompts to be created.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptCreateProps"},"type":"array"},"delete":{"description":"Criteria for deleting prompts in bulk.","type":"object","properties":{"ids":{"description":"Array of IDs to apply the action to.","example":["1234","5678"],"items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter the bulk action.","example":"status: 'inactive'","type":"string"}}},"update":{"description":"List of prompts to be updated.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptUpdateProps"},"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"success":{"value":{"attributes":{"errors":[],"results":{"created":[{"content":"Please verify the security settings.","id":"prompt6","name":"New Security Prompt","promptType":"system"}],"deleted":["prompt2","prompt3"],"skipped":[{"id":"prompt4","name":"Security Prompt","skip_reason":"PROMPT_FIELD_NOT_MODIFIED"}],"updated":[{"content":"Updated security settings prompt","id":"prompt1","name":"Security Prompt","promptType":"system"}]},"summary":{"failed":0,"skipped":1,"succeeded":4,"total":5}},"message":"Bulk action completed successfully.","prompts_count":5,"status_code":200,"success":true}}},"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptsBulkCrudActionResponse"}}},"description":"Indicates a successful call with the results of the bulk 
action."},"400":{"content":{"application\/json":{"examples":{"PerformPromptsBulkActionResponse400Example":{"value":{"error":"Bad Request","message":"Invalid prompt ID or missing required fields.","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"description":"A short error message.","example":"Bad Request","type":"string"},"message":{"description":"A detailed error message.","example":"Invalid prompt ID or missing required fields.","type":"string"},"statusCode":{"description":"The HTTP status code for the error.","example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Apply a bulk action to prompts","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request POST 'http:\/\/localhost:5601\/api\/security_ai_assistant\/prompts\/_bulk_action' \\\n --header \"Authorization: $API_KEY\" \\\n --header \"Content-Type: application\/json\" \\\n --data '{\"delete\":{\"query\":\"name: test\",\"ids\":[]}}'\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security_ai_assistant\/prompts\/_find":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security_ai_assistant\/prompts\/_find<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all prompts based on optional filters, sorting, and pagination.","operationId":"FindPrompts","parameters":[{"description":"List of specific fields to include in each returned prompt.","in":"query","name":"fields","required":false,"schema":{"example":["id","name","content"],"items":{"type":"string"},"type":"array"}},{"description":"Search query string to filter prompts by matching fields.","in":"query","name":"filter","required":false,"schema":{"example":"error 
handling","type":"string"}},{"description":"Field to sort prompts by.","in":"query","name":"sort_field","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_FindPromptsSortField"}},{"description":"Sort order, either asc or desc.","in":"query","name":"sort_order","required":false,"schema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_SortOrder"}},{"description":"Page number for pagination.","in":"query","name":"page","required":false,"schema":{"default":1,"example":1,"minimum":1,"type":"integer"}},{"description":"Number of prompts per page.","in":"query","name":"per_page","required":false,"schema":{"default":20,"example":20,"minimum":0,"type":"integer"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"FindPromptsResponse200Example":{"value":{"data":[{"categories":["troubleshooting","logging"],"color":"#FF5733","consumer":"security","content":"If you encounter an error, check the logs and retry.","createdAt":"2025-04-20T21:00:00Z","createdBy":"jdoe","id":"prompt-123","isDefault":true,"isNewConversationDefault":false,"name":"Error Troubleshooting Prompt","namespace":"default","promptType":"standard","timestamp":"2025-04-30T22:30:00Z","updatedAt":"2025-04-30T22:45:00Z","updatedBy":"jdoe","users":[{"full_name":"John Doe","username":"jdoe"}]}],"page":1,"perPage":20,"total":142}}},"schema":{"example":{"data":[{"categories":["troubleshooting","logging"],"color":"#FF5733","consumer":"security","content":"If you encounter an error, check the logs and retry.","createdAt":"2025-04-20T21:00:00Z","createdBy":"jdoe","id":"prompt-123","isDefault":true,"isNewConversationDefault":false,"name":"Error Troubleshooting Prompt","namespace":"default","promptType":"standard","timestamp":"2025-04-30T22:30:00Z","updatedAt":"2025-04-30T22:45:00Z","updatedBy":"jdoe","users":[{"full_name":"John Doe","username":"jdoe"}]}],"page":1,"perPage":20,"total":142},"type":"object","properties":{"data":{"description":"The list of prompts 
returned based on the search query, sorting, and pagination.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptResponse"},"type":"array"},"page":{"description":"Current page number.","example":1,"type":"integer"},"perPage":{"description":"Number of prompts per page.","example":20,"type":"integer"},"total":{"description":"Total number of prompts matching the query.","example":142,"type":"integer"}},"required":["page","perPage","total","data"]}}},"description":"Successful response containing a list of prompts."},"400":{"content":{"application\/json":{"examples":{"FindPromptsResponse400Example":{"value":{"error":"Bad Request","message":"Invalid sort order value provided.","statusCode":400}}},"schema":{"type":"object","properties":{"error":{"description":"Short error message.","example":"Bad Request","type":"string"},"message":{"description":"Detailed description of the error.","example":"Invalid sort order value provided.","type":"string"},"statusCode":{"description":"HTTP status code for the error.","example":400,"type":"number"}}}}},"description":"Bad request due to invalid parameters or malformed query."}},"summary":"Get prompts","tags":["Security AI Assistant API"],"x-codeSamples":[{"label":"Example request","lang":"curl","source":"curl \\\n --request GET 'http:\/\/localhost:5601\/api\/security_ai_assistant\/prompts\/_find?page=1&per_page=20' \\\n --header \"Authorization: $API_KEY\"\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store":{"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate the Entity Store log extraction configuration.<br\/><br\/>[Required authorization] Route required 
privileges: securitySolution.","operationId":"put-security-entity-store","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"updateLogExtractionExample":{"description":"Update the log extraction configuration with a new lookback period and frequency.","summary":"Update log extraction settings","value":{"logExtraction":{"fieldHistoryLength":15,"frequency":"10m","lookbackPeriod":"6h"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"logExtraction":{"additionalProperties":false,"type":"object","properties":{"additionalIndexPatterns":{"items":{"type":"string"},"type":"array"},"delay":{"pattern":"[smdh]$","type":"string"},"docsLimit":{"maximum":9007199254740991,"minimum":1,"type":"integer"},"fieldHistoryLength":{"maximum":9007199254740991,"minimum":-9007199254740991,"type":"integer"},"filter":{"type":"string"},"frequency":{"pattern":"[smdh]$","type":"string"},"lookbackPeriod":{"pattern":"[smdh]$","type":"string"},"maxLogsPerPage":{"maximum":9007199254740991,"minimum":1,"type":"integer"}}}},"required":["logExtraction"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"updateSuccessExample":{"description":"The Entity Store configuration was successfully updated.","summary":"Entity Store updated","value":{"ok":true}}}}},"description":"Indicates a successful response."},"400":{"content":{"application\/json":{"examples":{"invalidDurationExample":{"description":"A log extraction parameter has an invalid duration format.","summary":"Invalid duration parameter","value":{"error":"Bad Request","message":"[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 
1m, 30s)","statusCode":400}}}}},"description":"Bad request."},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"The Entity Store has not been installed yet.","summary":"Entity Store not installed","value":{"error":"Not Found","message":"Entity store is not installed","statusCode":404}}}}},"description":"Entity Store not found."}},"summary":"Update the Entity Store","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X PUT -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"logExtraction\":{\"lookbackPeriod\":\"6h\",\"frequency\":\"10m\",\"fieldHistoryLength\":15}}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\"\n"},{"lang":"Console","source":"PUT kbn:\/\/api\/security\/entity_store\n{\n  \"logExtraction\": {\n    \"lookbackPeriod\": \"6h\",\n    \"frequency\": \"10m\",\n    \"fieldHistoryLength\": 15\n  }\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/entities":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/entities<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nList entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page\/per_page) and cursor-based pagination (searchAfter). 
The two modes cannot be combined.<br\/><br\/>[Required authorization] Route required privileges: securitySolution.","operationId":"get-security-entity-store-entities","parameters":[{"description":"A Kibana Query Language (KQL) filter for the search-after mode.","in":"query","name":"filter","required":false,"schema":{"type":"string"}},{"description":"Number of entities to return in search-after mode.","in":"query","name":"size","required":false,"schema":{"maximum":9007199254740991,"minimum":1,"type":"integer"}},{"description":"JSON-encoded search_after value for cursor-based pagination.","in":"query","name":"searchAfter","required":false,"schema":{"type":"string"}},{"description":"Fields to include in the response source.","in":"query","name":"source","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Fields to include in the response.","in":"query","name":"fields","required":false,"schema":{"items":{"type":"string"},"type":"array"}},{"description":"Field to sort results by in page mode.","in":"query","name":"sort_field","required":false,"schema":{"type":"string"}},{"description":"Sort order in page mode.","in":"query","name":"sort_order","required":false,"schema":{"enum":["asc","desc"],"type":"string"}},{"description":"Page number to return (1-indexed) in page mode.","in":"query","name":"page","required":false,"schema":{"maximum":9007199254740991,"minimum":1,"type":"integer"}},{"description":"Number of entities per page in page mode.","in":"query","name":"per_page","required":false,"schema":{"maximum":10000,"minimum":1,"type":"integer"}},{"description":"An Elasticsearch query string to filter entities in page mode.","in":"query","name":"filterQuery","required":false,"schema":{"type":"string"}},{"description":"Entity types to include in the 
results.","in":"query","name":"entity_types","required":false,"schema":{"items":{"enum":["user","host","service","generic"],"type":"string"},"type":"array"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"emptyResultExample":{"description":"No entities matched the query.","summary":"Empty result","value":{"page":1,"per_page":10,"records":[],"total":0}},"pageModeExample":{"description":"A paginated list of host entities sorted by timestamp in descending order, including query inspection data.","summary":"Page mode response with host entities","value":{"inspect":{"dsl":["{\"index\":[\"entities-latest-default\"],\"body\":{\"terms\":{\"entity.EngineMetadata.Type\":[\"host\"]}}}"],"response":["{\"took\":1,\"timed_out\":false,\"hits\":{\"total\":{\"value\":1,\"relation\":\"eq\"}}}"]},"page":1,"per_page":10,"records":[{"@timestamp":"2026-04-10T08:30:00.000Z","asset":{"criticality":"high_impact","environment":"production"},"entity":{"attributes":{"asset":true,"managed":true},"id":"host:web-server-prod-01","lifecycle":{"first_seen":"2026-01-15T10:00:00.000Z","last_activity":"2026-04-10T08:30:00.000Z"},"name":"web-server-prod-01","risk":{"calculated_level":"Moderate","calculated_score":47.5,"calculated_score_norm":47.5},"source":["logs"],"type":"host"},"host":{"hostname":["web-server-prod-01.example.com"],"ip":["10.0.1.42"],"name":"web-server-prod-01","os":{"name":"Ubuntu","type":"linux"}}}],"total":1}},"searchAfterModeExample":{"description":"A cursor-based response with entities and a search_after token for the next page.","summary":"Search-after mode response","value":{"entities":[{"@timestamp":"2026-04-10T08:30:00.000Z","entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user"},"user":{"email":["jane.doe@example.com"],"name":"jane.doe"}}],"nextSearchAfter":[1712736600000,1]}}}}},"description":"Indicates a successful response."},"400":{"content":{"application\/json":{"examples":{"invalidFilterExample":{"description":"The provided Kibana 
Query Language filter could not be parsed.","summary":"Invalid filter","value":{"error":"Bad Request","message":"Invalid filter: Expected \"(\", \"{\", value, whitespace but \":\" found.\ninvalid :: query\n---------^","statusCode":400}},"mixedModesExample":{"description":"Cannot combine page-based pagination with cursor-based pagination in the same request.","summary":"Mixed pagination modes","value":{"error":"Bad Request","message":"[request query]: Cannot combine page\/per_page with searchAfter","statusCode":400}}}}},"description":"Bad request."}},"summary":"List entities","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X GET -H \"Authorization: ApiKey ${API_KEY}\" \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/security\/entity_store\/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/entities\/":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/entities\/<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a single entity record from the Entity Store. 
The entity is immediately removed from the latest index.<br\/><br\/>[Required authorization] Route required privileges: securitySolution.","operationId":"delete-security-entity-store-entities","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"deleteEntityExample":{"description":"Delete a single entity from the Entity Store using its entity identifier.","summary":"Delete an entity by identifier","value":{"entityId":"host:web-server-prod-01"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"entityId":{"description":"The identifier of the entity to delete.","type":"string"}},"required":["entityId"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"deleteSuccessExample":{"description":"The entity was found and successfully removed from the latest index.","summary":"Entity deleted","value":{"deleted":true}}}}},"description":"Indicates the entity was successfully deleted."},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No entity with the specified identifier exists in the Entity Store.","summary":"Entity not found","value":{"error":"Not Found","message":"Entity ID 'host:web-server-prod-01' not found","statusCode":404}}}}},"description":"Entity not found."}},"summary":"Delete an entity","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X DELETE -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"entityId\":\"host:web-server-prod-01\"}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/entities\/\"\n"},{"lang":"Console","source":"DELETE kbn:\/\/api\/security\/entity_store\/entities\/\n{\n  \"entityId\": \"host:web-server-prod-01\"\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/entities\/{entityType}":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/entities\/{entityType}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new entity record in the Entity Store for the specified entity type.<br\/><br\/>[Required authorization] Route required privileges: securitySolution.","operationId":"post-security-entity-store-entities-entitytype","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The entity type to create.","in":"path","name":"entityType","required":true,"schema":{"enum":["user","host","service","generic"],"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createHostEntityExample":{"description":"Create a new host entity record with basic host and entity fields. 
The entity identifier must match the auto-generated format for the entity type.","summary":"Create a host entity","value":{"asset":{"business_unit":"Engineering","criticality":"high_impact","environment":"production"},"entity":{"attributes":{"asset":true,"managed":true},"id":"host:web-server-prod-01","name":"web-server-prod-01","source":["manual"],"type":"host"},"host":{"hostname":["web-server-prod-01.example.com"],"ip":["10.0.1.42"],"name":"web-server-prod-01"}}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"Eng
ineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properti
es":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"
type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalPrope
rties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"tags":{"items":{"type":"string"},"type":"array"},"user":{"additionalProperties":false,"type":"object","properties":{"domain":{"items":{"type":"string"},"type":"array"},"email":{"items":{"type":"string"},"type":"array"},"full_name":{"items":{"type":"string"},"type":"array"},"hash":{"items":{"type":"string"},"type":"array"},"id":{"items":{"type":"string"},"type":"array"},"name":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"numb
er"}}},"roles":{"items":{"type":"string"},"type":"array"}}}}},{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02
)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items"
:{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifier
s":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}
}}}}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"host":{"additionalProperties":false,"type":"object","properties":{"architecture":{"items":{"type":"string"},"type":"array"},"domain":{"items":{"type":"string"},"type":"array"},"hostname":{"items":{"type":"string"},"type":"array"},"id":{"items":{"type":"string"},"type":"array"},"ip":{"items":{"type":"string"},"type":"array"},"mac":{"items":{"type":"string"},"type":"array"},"name":{"type":"string"},"os":{"additionalProperties":false,"type":"object","properties":{"family":{"type":"string"},"full":{"type":"string"},"kernel":{"type":"string"},"name":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"platform":{"type":"string"},"type":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"version":{"type":"string"}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"type":{"items":{"type":"string"},"type":"array"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"t
ags":{"items":{"type":"string"},"type":"array"}}},{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|
1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"st
ring"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additio
nalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}}}},"risk
":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"service":{"additionalProperties":false,"type":"object","properties":{"address":{"type":"string"},"environment":{"type":"string"},"ephemeral_id":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"node":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"role":{"type":"string"},"roles":{"items":{"type":"string"},"type":"array"}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"state":{"type":"string"},"type":{"type":"string"},"version":{"type":"string"}}},"tags":{"items":{"type":"string"},"type":"array"}}},{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])
))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"cloud":{"additionalProperties":false,"type":"object","properties":{"account":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"availability_zone":{"type":"string"},"instance":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"machine":{"additionalProperties":false,"type":"object","properties":{"type":{"type":"string"}}},"project":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"provider":{"type":"string"},"region":{"type":"string"},"service":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"}}}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type
":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalPr
operties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{
"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"typ
e":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"orchestrator":{"additionalProperties":false,"type":"object","properties":{"api_version":{"type":"string"},"cluster":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"url":{"type":"string"},"version":{"type":"string"}}},"namespace":{"type":"string"},"organization":{"type":"string"},"resource":{"additionalProperties":false,"type":"object","properties":{"annotation":{"type":"string"},"id":{"type":"string"},"ip":{"type":"string"},"label":{"type":"string"},"name":{"type":"string"},"parent":{"additionalProperties":false,"type":"object","properties":{"type":{"type":"string"}}},"type":{"type":"string"}}},"type":{"type":"string"}}},"tags":{"items":{"type":"string"},"type":"array"}}}
]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"createSuccessExample":{"description":"The entity record was successfully created in the Entity Store.","summary":"Entity created","value":{"ok":true}}}}},"description":"Indicates the entity was successfully created."},"400":{"content":{"application\/json":{"examples":{"euidMismatchExample":{"description":"The supplied entity identifier does not match the auto-generated identifier derived from the entity fields.","summary":"Entity identifier mismatch","value":{"error":"Bad Request","message":"Bad request: Supplied ID my-custom-id does not match generated EUID host:web-server-prod-01","statusCode":400}}}}},"description":"Bad request."},"409":{"content":{"application\/json":{"examples":{"conflictExample":{"description":"An entity with the specified identifier already exists.","summary":"Entity already exists","value":{"error":"Conflict","message":"Entity ID 'host:web-server-prod-01' already exists","statusCode":409}}}}},"description":"Conflict."}},"summary":"Create an entity","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X POST -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"entity\":{\"id\":\"host:web-server-prod-01\",\"name\":\"web-server-prod-01\",\"type\":\"host\",\"source\":[\"manual\"],\"attributes\":{\"asset\":true}},\"host\":{\"name\":\"web-server-prod-01\",\"ip\":[\"10.0.1.42\"]}}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/entities\/host\"\n"},{"lang":"Console","source":"POST kbn:\/\/api\/security\/entity_store\/entities\/host\n{\n  \"entity\": {\n    \"id\": \"host:web-server-prod-01\",\n    \"name\": \"web-server-prod-01\",\n    \"type\": \"host\",\n    \"source\": [\"manual\"],\n    \"attributes\": { \"asset\": true }\n  },\n  \"host\": {\n    \"name\": \"web-server-prod-01\",\n    \"ip\": [\"10.0.1.42\"]\n  }\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/entities\/{entityType}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.<br\/><br\/>[Required authorization] Route required privileges: securitySolution.","operationId":"put-security-entity-store-entities-entitytype","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The entity type to update.","in":"path","name":"entityType","required":true,"schema":{"enum":["user","host","service","generic"],"type":"string"}},{"description":"When true, allows updating protected fields.","in":"query","name":"force","required":false,"schema":{"anyOf":[{"enum":["true","false"],"type":"string"},{"type":"boolean"}],"default":false}}],"requestBody":{"content":{"application\/json":{"examples":{"updateEntityAttributesExample":{"description":"Update the attributes of an existing user entity. 
Fields like entity.name and entity.type are protected and require the force query parameter.","summary":"Update entity attributes","value":{"entity":{"attributes":{"managed":true,"mfa_enabled":true},"id":"user:jane.doe@example.com","lifecycle":{"last_activity":"2026-04-10T14:30:00.000Z"},"name":"jane.doe","type":"user"},"user":{"email":["jane.doe@example.com"],"name":"jane.doe","roles":["admin","analyst"]}}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object
","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"ra
w_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"ty
pe":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"
items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"tags":{"items":{"type":"string"},"type":"array"},"user":{"additionalProperties":false,"type":"object","properties":{"domain":{"items":{"type":"string"},"type":"array"},"email":{"items":{"type":"string"},"type":"array"},"full_name":{"items":{"type":"string"},"type":"array"},"hash":{"items":{"type":"string"},"type":"array"},"id":{"items":{"type":"string"},"type":"array"},"name":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"roles":{"items":{"type":"string"},"type":"array"}
}}}},{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d
(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{
"type":"string"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","propert
ies":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}}}},"risk":{"additionalProperties":false,"type":"objec
t","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"host":{"additionalProperties":false,"type":"object","properties":{"architecture":{"items":{"type":"string"},"type":"array"},"domain":{"items":{"type":"string"},"type":"array"},"hostname":{"items":{"type":"string"},"type":"array"},"id":{"items":{"type":"string"},"type":"array"},"ip":{"items":{"type":"string"},"type":"array"},"mac":{"items":{"type":"string"},"type":"array"},"name":{"type":"string"},"os":{"additionalProperties":false,"type":"object","properties":{"family":{"type":"string"},"full":{"type":"string"},"kernel":{"type":"string"},"name":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"platform":{"type":"string"},"type":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"version":{"type":"string"}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"type":{"items":{"type":"string"},"type":"array"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"tags":{"items":{"type":"string"},"type":"array"}}},{"addit
ionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d
(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"stri
ng"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entit
y.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}}}},"risk":{"additionalProperties":false,"type":"object","properti
es":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"service":{"additionalProperties":false,"type":"object","properties":{"address":{"type":"string"},"environment":{"type":"string"},"ephemeral_id":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"node":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"role":{"type":"string"},"roles":{"items":{"type":"string"},"type":"array"}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"state":{"type":"string"},"type":{"type":"string"},"version":{"type":"string"}}},"tags":{"items":{"type":"string"},"type":"array"}}},{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?
)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"cloud":{"additionalProperties":false,"type":"object","properties":{"account":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"availability_zone":{"type":"string"},"instance":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"machine":{"additionalProperties":false,"type":"object","properties":{"type":{"type":"string"}}},"project":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"provider":{"type":"string"},"region":{"type":"string"},"service":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"}}}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additi
onalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id"
:{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"
items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"
array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"orchestrator":{"additionalProperties":false,"type":"object","properties":{"api_version":{"type":"string"},"cluster":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"url":{"type":"string"},"version":{"type":"string"}}},"namespace":{"type":"string"},"organization":{"type":"string"},"resource":{"additionalProperties":false,"type":"object","properties":{"annotation":{"type":"string"},"id":{"type":"string"},"ip":{"type":"string"},"label":{"type":"string"},"name":{"type":"string"},"parent":{"additionalProperties":false,"type":"object","properties":{"type":{"type":"string"}}},"type":{"type":"string"}}},"type":{"type":"string"}}},"tags":{"items":{"type":"string"},"type":"array"}}}]}}}},"responses":{"200":{"content":{"application\/json":
{"examples":{"updateSuccessExample":{"description":"The entity record was successfully updated.","summary":"Entity updated","value":{"ok":true}}}}},"description":"Indicates the entity was successfully updated."},"400":{"content":{"application\/json":{"examples":{"protectedFieldsExample":{"description":"The request attempts to update protected fields without the force query parameter.","summary":"Protected fields without force","value":{"error":"Bad Request","message":"Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type","statusCode":400}}}}},"description":"Bad request."},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"No entity with the specified identifier exists.","summary":"Entity not found","value":{"error":"Not Found","message":"Entity ID 'user:jane.doe@example.com' not found","statusCode":404}}}}},"description":"Entity not found."}},"summary":"Update an entity","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X PUT -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"entity\":{\"id\":\"user:jane.doe@example.com\",\"name\":\"jane.doe\",\"type\":\"user\",\"attributes\":{\"managed\":true,\"mfa_enabled\":true}},\"user\":{\"name\":\"jane.doe\"}}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/entities\/user?force=true\"\n"},{"lang":"Console","source":"PUT kbn:\/\/api\/security\/entity_store\/entities\/user?force=true\n{\n  \"entity\": {\n    \"id\": \"user:jane.doe@example.com\",\n    \"name\": \"jane.doe\",\n    \"type\": \"user\",\n    \"attributes\": { \"managed\": true, \"mfa_enabled\": true }\n  },\n  \"user\": { \"name\": \"jane.doe\" }\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/entities\/bulk":{"put":{"description":"**Spaces method and path for this 
operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/entities\/bulk<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate multiple entity records in the Entity Store in a single request.<br\/><br\/>[Required authorization] Route required privileges: securitySolution.","operationId":"put-security-entity-store-entities-bulk","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"When true, allows updating protected fields.","in":"query","name":"force","required":false,"schema":{"anyOf":[{"enum":["true","false"],"type":"string"},{"type":"boolean"}],"default":false}}],"requestBody":{"content":{"application\/json":{"examples":{"bulkUpdateExample":{"description":"Update a host entity and a user entity in a single request.","summary":"Bulk update multiple entities","value":{"entities":[{"doc":{"entity":{"attributes":{"asset":true},"id":"host:web-server-prod-01","name":"web-server-prod-01","type":"host"},"host":{"name":"web-server-prod-01"}},"type":"host"},{"doc":{"entity":{"attributes":{"managed":true},"id":"user:jane.doe@example.com","name":"jane.doe","type":"user"},"user":{"name":"jane.doe"}},"type":"user"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"entities":{"description":"The entities to 
update.","items":{"type":"object","properties":{"doc":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:
02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"item
s":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifi
ers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array
"}}}}}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"tags":{"items":{"type":"string"},"type":"array"},"user":{"additionalProperties":false,"type":"object","properties":{"domain":{"items":{"type":"string"},"type":"array"},"email":{"items":{"type":"string"},"type":"array"},"full_name":{"items":{"type":"string"},"type":"array"},"hash":{"items":{"type":"string"},"type":"array"},"id":{"items":{"type":"string"},"type":"array"},"name":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"roles":{"items":{"type":"string"},"type":"array"}}}}},{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?
:\\.\\d+)?)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?
)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{
"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"st
ring"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type
":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"host":{"additionalProperties":false,"type":"object","properties":{"architecture":{"items":{"type":"string"},"type":"array"},"domain":{"items":{"type":"string"},"type":"array"},"hostname":{"items":{"type":"string"},"type":"array"},"id":{"items":{"type":"string"},"type":"array"},"ip":{"items":{"type":"string"},"type":"array"},"mac":{"items":{"type":"string"},"type":"array"},"name":{"type":"string"},"os":{"additionalProperties":false,"type":"object","properties":{"family":{"type":"string"},"full":{"type":"string"},"kernel":{"type":"string"},"name":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"platform":{"type":"string"},"type":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"version":{"type":"string"}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"type":{"items":{"type":"string"},"type":"array"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"tags":{"items":{"type":"string"},"type":"array"}}},{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?
(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","
type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"stri
ng"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type
":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}
},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"service":{"additionalProperties":false,"type":"object","properties":{"address":{"type":"string"},"environment":{"type":"string"},"ephemeral_id":{"type":"string"},"id":{"type":"string"},"name":{"type":"string"},"node":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"},"role":{"type":"string"},"roles":{"items":{"type":"string"},"type":"array"}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"state":{"type":"string"},"type":{"type":"string"},"version":{"type":"string"}}},"tags":{"items":{"type":"string"},"type":"array"}}},{"additionalProperties":false,"type":"object","properties":{"@timestamp":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"asset":{"additionalProperties":false,"type":"object","properties":{"business_unit":{"type":"string"},"criticality":{"anyOf":[{"enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},{"nullable":true}]},"environment":{"type":"string"},"id":{"type":"string"},"model":{"type":"string"},"name":{"type":"string"},"
owner":{"type":"string"},"serial_number":{"type":"string"},"vendor":{"type":"string"}}},"cloud":{"additionalProperties":false,"type":"object","properties":{"account":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"availability_zone":{"type":"string"},"instance":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"machine":{"additionalProperties":false,"type":"object","properties":{"type":{"type":"string"}}},"project":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}}},"provider":{"type":"string"},"region":{"type":"string"},"service":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"}}}}},"entity":{"additionalProperties":false,"type":"object","properties":{"attributes":{"additionalProperties":false,"type":"object","properties":{"asset":{"type":"boolean"},"known_redirects":{"items":{"type":"string"},"type":"array"},"managed":{"type":"boolean"},"mfa_enabled":{"type":"boolean"},"oauth_consent_restriction":{"type":"string"},"permissions":{"items":{"type":"string"},"type":"array"},"storage_class":{"type":"string"},"watchlists":{"items":{"type":"string"},"type":"array"}}},"behaviors":{"additionalProperties":false,"type":"object","properties":{"anomaly_job_ids":{"items":{"type":"string"},"type":"array"},"rule_names":{"items":{"type":"string"},"type":"array"}}},"EngineMetadata":{"additionalProperties":false,"type":"object","properties":{"Type":{"type":"string"}}},"id":{"type":"string"},"lifecycle":{"additionalProperties":false,"type":"object","properties":{"first_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(
?:Z))$","type":"string"},"last_activity":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"},"last_seen":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"name":{"type":"string"},"relationships":{"additionalProperties":false,"type":"object","properties":{"accesses_frequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"accesses_infrequently":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"ar
ray"}}}}},"administers":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"communicates_with":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"depends_on":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":
{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"owns_inferred":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}},"resolution":{"additionalProperties":false,"type":"object","properties":{"resolved_to":{"type":"string"},"risk":{"additionalProperties":false,"type":"object","properties":{"calculated_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}}}},"supervises":{"additionalProperties":false,"type":"object","properties":{"ids":{"items":{"type":"string"},"type":"array"},"raw_identifiers":{"additionalProperties":false,"type":"object","properties":{"entity.id":{"items":{"type":"string"},"type":"array"},"host.id":{"items":{"type":"string"},"type":"array"},"host.name":{"items":{"type":"string"},"type":"array"},"service.name":{"items":{"type":"string"},"type":"array"},"user.email":{"items":{"type":"string"},"type":"array"},"user.id":{"items":{"type":"string"},"type":"array"},"user.name":{"items":{"type":"string"},"type":"array"}}}}}}},"risk":{"additionalProperties":false,"type":"object","properties":{"calculate
d_level":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"calculated_score":{"type":"number"},"calculated_score_norm":{"maximum":100,"minimum":0,"type":"number"}}},"schema_version":{"type":"string"},"source":{"items":{"type":"string"},"type":"array"},"sub_type":{"type":"string"},"type":{"type":"string"},"url":{"type":"string"}}},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"format":"date-time","pattern":"^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$","type":"string"}}},"labels":{"additionalProperties":{},"type":"object","properties":{}},"orchestrator":{"additionalProperties":false,"type":"object","properties":{"api_version":{"type":"string"},"cluster":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"url":{"type":"string"},"version":{"type":"string"}}},"namespace":{"type":"string"},"organization":{"type":"string"},"resource":{"additionalProperties":false,"type":"object","properties":{"annotation":{"type":"string"},"id":{"type":"string"},"ip":{"type":"string"},"label":{"type":"string"},"name":{"type":"string"},"parent":{"additionalProperties":false,"type":"object","properties":{"type":{"type":"string"}}},"type":{"type":"string"}}},"type":{"type":"string"}}},"tags":{"items":{"type":"string"},"type":"array"}}}]},"type":{"description":"The entity type of this record.","enum":["user","host","service","generic"],"type":"string"}},"required":["type","doc"]},"type":"array"}},"required":["entities"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"bulkUpdatePartialExample":{"description":"Some entities were updated but others encountered Elasticsearch-level errors.","summary":"Partial success with 
errors","value":{"errors":[{"_id":"5de9f93a68a72532e736bf5a6184b06300b9cabf","reason":"[5de9f93a68a72532e736bf5a6184b06300b9cabf]: document missing","status":404,"type":"document_missing_exception"}],"ok":true}},"bulkUpdateSuccessExample":{"description":"All entities were successfully updated with no errors.","summary":"All entities updated","value":{"errors":[],"ok":true}}}}},"description":"Indicates a successful response."},"400":{"content":{"application\/json":{"examples":{"protectedFieldsExample":{"description":"The request attempts to update protected fields without the force query parameter.","summary":"Protected fields without force","value":{"error":"Bad Request","message":"Bad request: The following attributes are not allowed to be updated without forcing it (?force=true): entity.name, entity.type","statusCode":400}}}}},"description":"Bad request."}},"summary":"Bulk update entities","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X PUT -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"entities\":[{\"type\":\"host\",\"doc\":{\"entity\":{\"id\":\"host:web-server-prod-01\",\"name\":\"web-server-prod-01\",\"type\":\"host\",\"attributes\":{\"asset\":true}},\"host\":{\"name\":\"web-server-prod-01\"}}}]}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/entities\/bulk?force=true\"\n"},{"lang":"Console","source":"PUT kbn:\/\/api\/security\/entity_store\/entities\/bulk?force=true\n{\n  \"entities\": [\n    {\n      \"type\": \"host\",\n      \"doc\": {\n        \"entity\": {\n          \"id\": \"host:web-server-prod-01\",\n          \"name\": \"web-server-prod-01\",\n          \"type\": \"host\",\n          \"attributes\": { \"asset\": true }\n        },\n        \"host\": { \"name\": \"web-server-prod-01\" }\n      }\n    }\n  ]\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/install":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/install<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInstall the Entity Store, creating engines for the specified entity types and configuring log extraction.<br\/><br\/>[Required authorization] Route required privileges: securitySolution.","operationId":"post-security-entity-store-install","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"installDefaultExample":{"description":"Install the Entity Store for all entity types with default log extraction settings.","summary":"Install with default entity types","value":{"entityTypes":["user","host","service","generic"],"logExtraction":{}}},"installWithCustomSettingsExample":{"description":"Install the Entity Store for host entities only with a custom lookback period and field history length.","summary":"Install with custom log extraction","value":{"entityTypes":["host"],"logExtraction":{"delay":"2m","fieldHistoryLength":20,"filter":"host.os.type: 
linux","frequency":"5m","lookbackPeriod":"12h"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"entityTypes":{"default":["user","host","service","generic"],"items":{"enum":["user","host","service","generic"],"type":"string"},"type":"array"},"historySnapshot":{"additionalProperties":false,"type":"object","properties":{"frequency":{"default":"24h","pattern":"[smdh]$","type":"string"}}},"logExtraction":{"additionalProperties":false,"type":"object","properties":{"additionalIndexPatterns":{"default":[],"items":{"type":"string"},"type":"array"},"delay":{"default":"1m","pattern":"[smdh]$","type":"string"},"docsLimit":{"default":10000,"maximum":9007199254740991,"minimum":1,"type":"integer"},"fieldHistoryLength":{"default":10,"maximum":9007199254740991,"minimum":-9007199254740991,"type":"integer"},"filter":{"default":"","type":"string"},"frequency":{"default":"30s","pattern":"[smdh]$","type":"string"},"lookbackPeriod":{"default":"3h","pattern":"[smdh]$","type":"string"},"maxLogsPerPage":{"default":40000,"maximum":9007199254740991,"minimum":1,"type":"integer"}}}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"alreadyInstalledExample":{"description":"All requested entity types were already installed.","summary":"Already installed","value":{"ok":true}}}}},"description":"Indicates all requested entity types are already installed."},"201":{"content":{"application\/json":{"examples":{"installSuccessExample":{"description":"The Entity Store was installed and engines are being created.","summary":"Entity Store installed","value":{"ok":true}}}}},"description":"Indicates the Entity Store was successfully installed."},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"description":"The user does not have the required Elasticsearch privileges.","summary":"Insufficient privileges","value":{"error":"Forbidden","message":"User 'analyst' has insufficient privileges","statusCode":403}}}}},"description":"Insufficient 
privileges."}},"summary":"Install the Entity Store","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X POST -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"entityTypes\":[\"user\",\"host\",\"service\",\"generic\"],\"logExtraction\":{}}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/install\"\n"},{"lang":"Console","source":"POST kbn:\/\/api\/security\/entity_store\/install\n{\n  \"entityTypes\": [\"user\", \"host\", \"service\", \"generic\"],\n  \"logExtraction\": {}\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/resolution\/group":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/resolution\/group<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the resolution group for a given entity, returning all linked entities. 
Requires an enterprise license.<br\/><br\/>[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.","operationId":"get-security-entity-store-resolution-group","parameters":[{"description":"The entity identifier to look up the resolution group for.","in":"query","name":"entity_id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"resolutionGroupExample":{"description":"Returns the resolution group for an entity, including the target entity, all aliases, and the group size.","summary":"Resolution group with linked entities","value":{"aliases":[{"@timestamp":"2026-04-10T08:25:00.000Z","entity":{"id":"user:jdoe@example.com","name":"jdoe","relationships":{"resolution":{"resolved_to":"user:jane.doe@example.com"}},"type":"user"},"user":{"name":"jdoe"}}],"group_size":2,"target":{"@timestamp":"2026-04-10T08:30:00.000Z","entity":{"id":"user:jane.doe@example.com","name":"jane.doe","type":"user"},"user":{"email":["jane.doe@example.com"],"name":"jane.doe"}}}}}}},"description":"Indicates a successful response."},"400":{"content":{"application\/json":{"examples":{"truncatedSearchExample":{"description":"The resolution search returned too many results and was truncated.","summary":"Search results truncated","value":{"error":"Bad Request","message":"Resolution search truncated","statusCode":400}}}}},"description":"Bad request."},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"The specified entity does not exist or has no resolution group.","summary":"Entity not found","value":{"error":"Not Found","message":"Entities not found: [user:nonexistent@example.com]","statusCode":404}}}}},"description":"Entity not found."}},"summary":"Get resolution group","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X GET -H \"Authorization: ApiKey ${API_KEY}\" \\\n  
\"${KIBANA_URL}\/api\/security\/entity_store\/resolution\/group?entity_id=user%3Ajane.doe%40example.com\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/security\/entity_store\/resolution\/group?entity_id=user:jane.doe@example.com\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/resolution\/link":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/resolution\/link<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nLink one or more entities to a target entity, creating a resolution group. Requires an enterprise license.<br\/><br\/>[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.","operationId":"post-security-entity-store-resolution-link","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"linkEntitiesExample":{"description":"Link two user entities to a target entity, creating a resolution group.","summary":"Link entities to a target","value":{"entity_ids":["user:jdoe@example.com","user:j.doe@example.com"],"target_id":"user:jane.doe@example.com"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"entity_ids":{"description":"Entity identifiers to link to the target entity. 
Minimum 1, maximum 1000.","items":{"type":"string"},"maxItems":1000,"minItems":1,"type":"array"},"target_id":{"description":"The entity identifier to resolve the linked entities to.","type":"string"}},"required":["target_id","entity_ids"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"linkSuccessExample":{"description":"The entities were successfully linked to the target entity.","summary":"Entities linked","value":{"linked":["user:jdoe@example.com","user:j.doe@example.com"],"skipped":[],"target_id":"user:jane.doe@example.com"}}}}},"description":"Indicates a successful response."},"400":{"content":{"application\/json":{"examples":{"mixedTypesExample":{"description":"All entities in a resolution group must be of the same type.","summary":"Mixed entity types","value":{"error":"Bad Request","message":"Cannot link entities of different types","statusCode":400}},"selfLinkExample":{"description":"Cannot link an entity to itself.","summary":"Self-link error","value":{"error":"Bad Request","message":"Cannot link entity 'user:jane.doe@example.com' to itself.","statusCode":400}}}}},"description":"Bad request."},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"One or more of the specified entity identifiers were not found.","summary":"Entities not found","value":{"error":"Not Found","message":"Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]","statusCode":404}}}}},"description":"Entities not found."}},"summary":"Link entities","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X POST -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"target_id\":\"user:jane.doe@example.com\",\"entity_ids\":[\"user:jdoe@example.com\"]}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/resolution\/link\"\n"},{"lang":"Console","source":"POST kbn:\/\/api\/security\/entity_store\/resolution\/link\n{\n  
\"target_id\": \"user:jane.doe@example.com\",\n  \"entity_ids\": [\"user:jdoe@example.com\"]\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/resolution\/unlink":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/resolution\/unlink<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRemove one or more entities from their resolution group. Requires an enterprise license.<br\/><br\/>[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.","operationId":"post-security-entity-store-resolution-unlink","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"unlinkEntitiesExample":{"description":"Remove entities from their resolution group, restoring them as standalone entities.","summary":"Unlink entities from their resolution group","value":{"entity_ids":["user:jdoe@example.com","user:j.doe@example.com"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"entity_ids":{"description":"Entity identifiers to unlink from their resolution group. 
Minimum 1, maximum 1000.","items":{"type":"string"},"maxItems":1000,"minItems":1,"type":"array"}},"required":["entity_ids"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"unlinkSuccessExample":{"description":"The entities were successfully removed from their resolution group.","summary":"Entities unlinked","value":{"skipped":[],"unlinked":["user:jdoe@example.com","user:j.doe@example.com"]}}}}},"description":"Indicates a successful response."},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"description":"One or more of the specified entity identifiers were not found.","summary":"Entities not found","value":{"error":"Not Found","message":"Entities not found: [user:nonexistent@example.com]","statusCode":404}}}}},"description":"Entities not found."}},"summary":"Unlink entities","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X POST -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"entity_ids\":[\"user:jdoe@example.com\"]}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/resolution\/unlink\"\n"},{"lang":"Console","source":"POST kbn:\/\/api\/security\/entity_store\/resolution\/unlink\n{\n  \"entity_ids\": [\"user:jdoe@example.com\"]\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/start":{"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/start<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nStart previously stopped entity engines, resuming data processing for the specified entity types.<br\/><br\/>[Required authorization] Route required privileges: 
securitySolution.","operationId":"put-security-entity-store-start","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"startAllExample":{"description":"Start all stopped entity engines.","summary":"Start all entity engines","value":{"entityTypes":["user","host","service","generic"]}},"startSingleExample":{"description":"Start only the host entity engine.","summary":"Start a single entity engine","value":{"entityTypes":["host"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"entityTypes":{"default":["user","host","service","generic"],"description":"Entity types to start. Defaults to all installed types.","items":{"enum":["user","host","service","generic"],"type":"string"},"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"startSuccessExample":{"description":"The specified entity engines were successfully started.","summary":"Engines started","value":{"ok":true}}}}},"description":"Indicates a successful response."}},"summary":"Start Entity Store engines","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X PUT -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"entityTypes\":[\"user\",\"host\",\"service\",\"generic\"]}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/start\"\n"},{"lang":"Console","source":"PUT kbn:\/\/api\/security\/entity_store\/start\n{\n  \"entityTypes\": [\"user\", \"host\", \"service\", \"generic\"]\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/status":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/status<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the overall Entity Store status and per-engine statuses, optionally including component-level health details.<br\/><br\/>[Required authorization] Route required privileges: securitySolution.","operationId":"get-security-entity-store-status","parameters":[{"description":"If true, returns a detailed status of each engine including all its components.","in":"query","name":"include_components","required":false,"schema":{"anyOf":[{"enum":["true","false"],"type":"string"},{"type":"boolean"}],"default":false}}],"responses":{"200":{"content":{"application\/json":{"examples":{"notInstalledExample":{"description":"The Entity Store has not been installed.","summary":"Entity Store not installed","value":{"engines":[],"status":"not_installed"}},"runningStatusExample":{"description":"The Entity Store is running with two started engines using default settings.","summary":"Entity Store running","value":{"engines":[{"delay":"1m","docsPerSecond":-1,"enrichPolicyExecutionInterval":null,"fieldHistoryLength":10,"filter":"","frequency":"30s","indexPattern":"","lastExecutionTimestamp":"2026-04-10T08:30:00.000Z","lookbackPeriod":"3h","maxPageSearchSize":10000,"status":"started","timeout":"25s","timestampField":"@timestamp","type":"host"},{"delay":"1m","docsPerSecond":-1,"enrichPolicyExecutionInterval":null,"fieldHistoryLength":10,"filter":"","frequency":"30s","indexPattern":"","lastExecutionTimestamp":"2026-04-10T08:30:00.000Z","lookbackPeriod":"3h","maxPageSearchSize":10000,"status":"started","timeout":"25s","timestampField":"@timestamp","type":"user"}],"status":"running"}}}}},"description":"Indicates a successful response."}},"summary":"Get Entity Store status","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X GET -H \"Authorization: ApiKey ${API_KEY}\" 
\\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/status?include_components=false\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/security\/entity_store\/status?include_components=false\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/stop":{"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/stop<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nStop running entity engines, pausing data processing for the specified entity types.<br\/><br\/>[Required authorization] Route required privileges: securitySolution.","operationId":"put-security-entity-store-stop","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"stopAllExample":{"description":"Stop all running entity engines.","summary":"Stop all entity engines","value":{"entityTypes":["user","host","service","generic"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"entityTypes":{"default":["user","host","service","generic"],"description":"Entity types to stop. 
Defaults to all running types.","items":{"enum":["user","host","service","generic"],"type":"string"},"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"stopSuccessExample":{"description":"The specified entity engines were successfully stopped.","summary":"Engines stopped","value":{"ok":true}}}}},"description":"Indicates a successful response."}},"summary":"Stop Entity Store engines","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X PUT -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"entityTypes\":[\"user\",\"host\",\"service\",\"generic\"]}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/stop\"\n"},{"lang":"Console","source":"PUT kbn:\/\/api\/security\/entity_store\/stop\n{\n  \"entityTypes\": [\"user\", \"host\", \"service\", \"generic\"]\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/entity_store\/uninstall":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/security\/entity_store\/uninstall<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUninstall the Entity Store, removing engines and associated resources for the specified entity types.<br\/><br\/>[Required authorization] Route required privileges: securitySolution.","operationId":"post-security-entity-store-uninstall","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"uninstallAllExample":{"description":"Uninstall all entity engines from the Entity Store.","summary":"Uninstall all entity 
types","value":{"entityTypes":["user","host","service","generic"]}},"uninstallSingleExample":{"description":"Uninstall only the host engine from the Entity Store.","summary":"Uninstall a single entity type","value":{"entityTypes":["host"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"entityTypes":{"default":["user","host","service","generic"],"description":"Entity types to uninstall. Defaults to all installed types.","items":{"enum":["user","host","service","generic"],"type":"string"},"type":"array"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"uninstallSuccessExample":{"description":"The specified entity engines were successfully uninstalled.","summary":"Entity Store uninstalled","value":{"ok":true}}}}},"description":"Indicates a successful response."}},"summary":"Uninstall the Entity Store","tags":["Security entity store"],"x-codeSamples":[{"lang":"curl","source":"curl -X POST -H \"kbn-xsrf: true\" -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\"entityTypes\":[\"user\",\"host\",\"service\",\"generic\"]}' \\\n  \"${KIBANA_URL}\/api\/security\/entity_store\/uninstall\"\n"},{"lang":"Console","source":"POST kbn:\/\/api\/security\/entity_store\/uninstall\n{\n  \"entityTypes\": [\"user\", \"host\", \"service\", \"generic\"]\n}\n"}],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/role":{"get":{"operationId":"get-security-role","parameters":[{"description":"If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.","in":"query","name":"replaceDeprecatedPrivileges","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"description":"Indicates a successful call."}},"summary":"Get all roles","tags":["roles"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/security\/role\/_query":{"post":{"operationId":"post-security-role-query","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"filters":{"additionalProperties":false,"type":"object","properties":{"showReservedRoles":{"type":"boolean"}}},"from":{"type":"number"},"query":{"type":"string"},"size":{"type":"number"},"sort":{"additionalProperties":false,"type":"object","properties":{"direction":{"enum":["asc","desc"],"type":"string"},"field":{"type":"string"}},"required":["field","direction"]}}}}}},"responses":{"200":{"description":"Indicates a successful call."}},"summary":"Query roles","tags":[],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/role\/{name}":{"delete":{"operationId":"delete-security-role-name","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"minLength":1,"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."}},"summary":"Delete a role","tags":["roles"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"operationId":"get-security-role-name","parameters":[{"description":"The role name.","in":"path","name":"name","required":true,"schema":{"minLength":1,"type":"string"}},{"description":"If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature 
privileges.","in":"query","name":"replaceDeprecatedPrivileges","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"description":"Indicates a successful call."}},"summary":"Get a role","tags":["roles"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.","operationId":"put-security-role-name","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The role name.","in":"path","name":"name","required":true,"schema":{"maxLength":1024,"minLength":1,"type":"string"}},{"description":"When true, a role is not overwritten if it already exists.","in":"query","name":"createOnly","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"description":{"description":"A description for the role.","maxLength":2048,"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"cluster":{"items":{"description":"Cluster privileges that define the cluster level actions that users can perform.","type":"string"},"maxItems":100,"type":"array"},"indices":{"items":{"additionalProperties":false,"type":"object","properties":{"allow_restricted_indices":{"description":"Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. 
If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.","type":"boolean"},"field_security":{"additionalProperties":{"items":{"description":"The document fields that the role members have read access to.","type":"string"},"maxItems":1000,"type":"array"},"type":"object"},"names":{"items":{"description":"The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"privileges":{"items":{"description":"The index level privileges that the role members have for the data streams and indices.","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"query":{"description":"A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.","type":"string"}},"required":["names","privileges"]},"maxItems":1000,"type":"array"},"remote_cluster":{"items":{"additionalProperties":false,"type":"object","properties":{"clusters":{"items":{"description":"A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"privileges":{"items":{"description":"The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.","type":"string"},"maxItems":100,"minItems":1,"type":"array"}},"required":["privileges","clusters"]},"maxItems":100,"type":"array"},"remote_indices":{"items":{"additionalProperties":false,"type":"object","properties":{"allow_restricted_indices":{"description":"Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. 
Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.","type":"boolean"},"clusters":{"items":{"description":"A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"field_security":{"additionalProperties":{"items":{"description":"The document fields that the role members have read access to.","type":"string"},"maxItems":1000,"type":"array"},"type":"object"},"names":{"items":{"description":"A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"privileges":{"items":{"description":"The index level privileges that role members have for the specified indices.","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"query":{"description":"A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
","type":"string"}},"required":["clusters","names","privileges"]},"maxItems":1000,"type":"array"},"run_as":{"items":{"description":"A user name that the role member can impersonate.","type":"string"},"maxItems":100,"type":"array"}}},"kibana":{"items":{"additionalProperties":false,"type":"object","properties":{"base":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"items":{"description":"A base privilege that applies to all spaces.","type":"string"},"maxItems":50,"type":"array"},{"items":{"description":"A base privilege that applies to specific spaces.","type":"string"},"maxItems":50,"type":"array"}]},"feature":{"additionalProperties":{"items":{"description":"The privileges that the role member has for the feature.","type":"string"},"maxItems":100,"type":"array"},"type":"object"},"spaces":{"anyOf":[{"items":{"enum":["*"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},{"items":{"description":"A space that the privilege applies to.","type":"string"},"maxItems":1000,"type":"array"}],"default":["*"]}},"required":["base"]},"type":"array"},"metadata":{"additionalProperties":{"nullable":true},"type":"object"}},"required":["elasticsearch"]}}}},"responses":{"204":{"description":"Indicates a successful call."}},"summary":"Create or update a role","tags":["roles"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/security\/roles":{"post":{"operationId":"post-security-roles","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"roles":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"description":{"description":"A description for the
role.","maxLength":2048,"type":"string"},"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"cluster":{"items":{"description":"Cluster privileges that define the cluster level actions that users can perform.","type":"string"},"maxItems":100,"type":"array"},"indices":{"items":{"additionalProperties":false,"type":"object","properties":{"allow_restricted_indices":{"description":"Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.","type":"boolean"},"field_security":{"additionalProperties":{"items":{"description":"The document fields that the role members have read access to.","type":"string"},"maxItems":1000,"type":"array"},"type":"object"},"names":{"items":{"description":"The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"privileges":{"items":{"description":"The index level privileges that the role members have for the data streams and indices.","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"query":{"description":"A search query that defines the documents the role members have read access to. 
A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.","type":"string"}},"required":["names","privileges"]},"maxItems":1000,"type":"array"},"remote_cluster":{"items":{"additionalProperties":false,"type":"object","properties":{"clusters":{"items":{"description":"A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"privileges":{"items":{"description":"The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.","type":"string"},"maxItems":100,"minItems":1,"type":"array"}},"required":["privileges","clusters"]},"maxItems":100,"type":"array"},"remote_indices":{"items":{"additionalProperties":false,"type":"object","properties":{"allow_restricted_indices":{"description":"Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.","type":"boolean"},"clusters":{"items":{"description":"A list of remote cluster aliases. 
It supports literal strings as well as wildcards and regular expressions.","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"field_security":{"additionalProperties":{"items":{"description":"The document fields that the role members have read access to.","type":"string"},"maxItems":1000,"type":"array"},"type":"object"},"names":{"items":{"description":"A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"privileges":{"items":{"description":"The index level privileges that role members have for the specified indices.","type":"string"},"maxItems":100,"minItems":1,"type":"array"},"query":{"description":"A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ","type":"string"}},"required":["clusters","names","privileges"]},"maxItems":1000,"type":"array"},"run_as":{"items":{"description":"A user name that the role member can impersonate.","type":"string"},"maxItems":100,"type":"array"}}},"kibana":{"items":{"additionalProperties":false,"type":"object","properties":{"base":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"items":{"description":"A base privilege that applies to all spaces.","type":"string"},"maxItems":50,"type":"array"},{"items":{"description":"A base privilege that applies to specific spaces.","type":"string"},"maxItems":50,"type":"array"}]},"feature":{"additionalProperties":{"items":{"description":"The privileges that the role member has for the feature.","type":"string"},"maxItems":100,"type":"array"},"type":"object"},"spaces":{"anyOf":[{"items":{"enum":["*"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},{"items":{"description":"A space that the privilege applies
to.","type":"string"},"maxItems":1000,"type":"array"}],"default":["*"]}},"required":["base"]},"type":"array"},"metadata":{"additionalProperties":{"nullable":true},"type":"object"}},"required":["elasticsearch"]},"type":"object"}},"required":["roles"]}}}},"responses":{"200":{"description":"Indicates a successful call."}},"summary":"Create or update roles","tags":["roles"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/spaces\/space":{"get":{"description":"Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access.","operationId":"get-spaces-space","parameters":[{"description":"Specifies which authorization checks are applied to the API call. The default value is `any`.","in":"query","name":"purpose","required":false,"schema":{"enum":["any","copySavedObjectsIntoSpace","shareSavedObjectsIntoSpace"],"type":"string"}},{"description":"When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. 
This parameter cannot be used together with the `purpose` parameter.","in":"query","name":"include_authorized_purposes","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"description":"Indicates a successful call.","content":{"application\/json":{"examples":{"getSpacesResponseExample1":{"$ref":"#\/components\/examples\/get_spaces_response1"},"getSpacesResponseExample2":{"$ref":"#\/components\/examples\/get_spaces_response2"}}}}}},"summary":"Get all spaces","tags":["spaces"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"Create a new Kibana space.","operationId":"post-spaces-space","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"_reserved":{"type":"boolean"},"color":{"description":"The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.","type":"string"},"description":{"description":"A description for the space.","type":"string"},"disabledFeatures":{"default":[],"items":{"description":"The list of features that are turned off in the space.","type":"string"},"maxItems":100,"type":"array"},"id":{"description":"The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.","type":"string"},"imageUrl":{"description":"The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64.
Images will not be optimized by this API call, so care should be taken when using custom images.","type":"string"},"initials":{"description":"One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.","maxLength":2,"type":"string"},"name":{"description":"The display name for the space. ","minLength":1,"type":"string"},"projectRouting":{"description":"Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.","type":"string"}},"required":["id","name"]},"examples":{"createSpaceRequest":{"$ref":"#\/components\/examples\/create_space_request"}}}}},"responses":{"200":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"_reserved":{"type":"boolean"},"color":{"description":"The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.","type":"string"},"description":{"description":"A description for the space.","type":"string"},"disabledFeatures":{"default":[],"items":{"description":"The list of features that are turned off in the space.","type":"string"},"maxItems":100,"type":"array"},"id":{"description":"The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.","type":"string"},"imageUrl":{"description":"The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64.
Images will not be optimized by this API call, so care should be taken when using custom images.","type":"string"},"initials":{"description":"One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.","maxLength":2,"type":"string"},"name":{"description":"The display name for the space. ","minLength":1,"type":"string"},"projectRouting":{"description":"Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.","type":"string"}},"required":["id","name"]},"examples":{"createSpaceResponseExample":{"$ref":"#\/components\/examples\/get_space_response"}}}},"description":"Indicates a successful call."}},"summary":"Create a space","tags":["spaces"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/spaces\/space\/{id}":{"delete":{"description":"When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone.","operationId":"delete-spaces-space-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The space identifier.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"204":{"description":"Indicates a successful call."},"404":{"description":"Indicates that the request failed."}},"summary":"Delete a space","tags":["spaces"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"Retrieve a single Kibana space by its identifier.","operationId":"get-spaces-space-id","parameters":[{"description":"The space identifier.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Indicates a successful 
call.","content":{"application\/json":{"examples":{"getSpaceResponseExample":{"$ref":"#\/components\/examples\/get_space_response"}}}}}},"summary":"Get a space","tags":["spaces"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"Update an existing Kibana space.","operationId":"put-spaces-space-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The space identifier. You are unable to change the ID with the update operation.","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"_reserved":{"type":"boolean"},"color":{"description":"The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.","type":"string"},"description":{"description":"A description for the space.","type":"string"},"disabledFeatures":{"default":[],"items":{"description":"The list of features that are turned off in the space.","type":"string"},"maxItems":100,"type":"array"},"id":{"description":"The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.","type":"string"},"imageUrl":{"description":"The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.","type":"string"},"initials":{"description":"One or two characters that are shown in the space avatar. 
By default, the initials are automatically generated from the space name.","maxLength":2,"type":"string"},"name":{"description":"The display name for the space. ","minLength":1,"type":"string"},"projectRouting":{"description":"Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.","type":"string"}},"required":["id","name"]},"examples":{"updateSpaceRequest":{"$ref":"#\/components\/examples\/update_space_request"}}}}},"responses":{"200":{"description":"Indicates a successful call."}},"summary":"Update a space","tags":["spaces"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/status":{"get":{"operationId":"get-status","parameters":[{"description":"Set to \"true\" to get the response in v7 format.","in":"query","name":"v7format","required":false,"schema":{"type":"boolean"}},{"description":"Set to \"true\" to get the response in v8 format.","in":"query","name":"v8format","required":false,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"anyOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_core_status_response"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_core_status_redactedResponse"}],"description":"Kibana's operational status. A minimal response is sent for unauthorized users."}}},"description":"Overall status is OK and Kibana should be functioning normally."},"503":{"content":{"application\/json":{"schema":{"anyOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_core_status_response"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_core_status_redactedResponse"}],"description":"Kibana's operational status. A minimal response is sent for unauthorized users."}}},"description":"Kibana or some of its essential services are unavailable. 
Kibana may be degraded or unavailable."}},"summary":"Get Kibana's current status","tags":["system"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFetches list of all streams<br\/><br\/>[Required authorization] Route required privileges: read_stream.","operationId":"get-streams","parameters":[],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"listStreams":{"value":{"streams":[{"description":"Root logs stream","ingest":{"failure_store":{"inherit":{}},"lifecycle":{"inherit":{}},"processing":{"steps":[],"updated_at":"2025-01-10T08:00:00.000Z"},"settings":{},"wired":{"fields":{"@timestamp":{"type":"date"},"log.level":{"type":"keyword"},"message":{"type":"match_only_text"}},"routing":[{"destination":"logs.nginx","status":"enabled","where":{"eq":"nginx","field":"host.name"}}]}},"name":"logs","type":"wired","updated_at":"2025-01-10T08:00:00.000Z"},{"description":"Web server access logs, routed by severity","ingest":{"failure_store":{"inherit":{}},"lifecycle":{"inherit":{}},"processing":{"steps":[],"updated_at":"2025-01-15T10:30:00.000Z"},"settings":{},"wired":{"fields":{"host.name":{"type":"keyword"},"http.response.status_code":{"type":"long"},"message":{"type":"match_only_text"}},"routing":[{"destination":"logs.nginx.errors","status":"enabled","where":{"field":"http.response.status_code","gte":500}}]}},"name":"logs.nginx","type":"wired","updated_at":"2025-01-15T10:30:00.000Z"},{"description":"Legacy application 
logs","ingest":{"classic":{},"failure_store":{"disabled":{}},"lifecycle":{"dsl":{"data_retention":"30d"}},"processing":{"steps":[{"action":"grok","from":"message","ignore_missing":true,"patterns":["%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}"]}],"updated_at":"2024-12-01T09:00:00.000Z"},"settings":{}},"name":"logs-myapp-default","type":"classic","updated_at":"2024-12-01T09:00:00.000Z"},{"description":"All error-level logs across every stream","name":"logs.errors","query":{"esql":"FROM logs* | WHERE log.level == \"error\"","view":"logs.errors-view"},"type":"query","updated_at":"2025-01-20T14:00:00.000Z"}]}}}}}}},"summary":"Get stream list","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/_disable":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/_disable<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDisables wired streams and deletes all existing stream definitions. 
The data of wired streams is deleted, but the data of classic streams is preserved.<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-disable","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{},"summary":"Disable streams","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/_enable":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/_enable<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nEnables wired streams<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-enable","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{},"summary":"Enable streams","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/_resync":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/_resync<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nResyncs all streams, making sure that Elasticsearch assets are up to date<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-resync","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{},"summary":"Resync streams","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDeletes a stream definition and the underlying data stream<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"delete-streams-name","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{},"summary":"Delete a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span 
class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFetches a stream definition and associated dashboards<br\/><br\/>[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-name","parameters":[{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"getWiredStream":{"value":{"dashboards":[],"data_stream_exists":true,"effective_failure_store":{"disabled":{},"from":"logs"},"effective_lifecycle":{"dsl":{"data_retention":"7d"},"from":"logs"},"effective_settings":{},"inherited_fields":{"@timestamp":{"from":"logs","type":"date"},"log.level":{"from":"logs","type":"keyword"}},"privileges":{"create_snapshot_repository":false,"lifecycle":true,"manage":true,"manage_failure_store":true,"monitor":true,"read_failure_store":true,"simulate":true,"text_structure":true,"view_index_metadata":true},"queries":[],"rules":[],"stream":{"description":"Web server access logs, routed by severity","ingest":{"failure_store":{"inherit":{}},"lifecycle":{"inherit":{}},"processing":{"steps":[],"updated_at":"2025-01-15T10:30:00.000Z"},"settings":{},"wired":{"fields":{"host.name":{"type":"keyword"},"http.response.status_code":{"type":"long"},"message":{"type":"match_only_text"}},"routing":[{"destination":"logs.nginx.errors","status":"enabled","where":{"field":"http.response.status_code","gte":500}}]}},"name":"logs.nginx","type":"wired","updated_at":"2025-01-15T10:30:00.000Z"}}}}}}}},"summary":"Get a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreates or updates a stream definition. Classic streams cannot be created through this API, only updated<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"put-streams-name","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createQueryStream":{"value":{"dashboards":[],"queries":[],"rules":[],"stream":{"description":"All error-level logs across every stream","query":{"esql":"FROM logs* | WHERE log.level == \"error\"","view":"logs.errors-view"},"type":"query"}}},"createWiredStream":{"value":{"dashboards":[],"queries":[],"rules":[],"stream":{"description":"Web server access logs, routed by severity","ingest":{"failure_store":{"inherit":{}},"lifecycle":{"inherit":{}},"processing":{"steps":[]},"settings":{},"wired":{"fields":{"host.name":{"type":"keyword"},"http.response.status_code":{"type":"long"},"message":{"type":"match_only_text"}},"routing":[{"destination":"logs.nginx.errors","status":"enabled","where":{"field":"http.response.status_code","gte":500}}]}},"type":"wired"}}},"updateClassicStream":{"value":{"dashboards":[],"queries":[],"rules":[],"stream":{"description":"Legacy application logs managed as a classic data 
stream","ingest":{"classic":{},"failure_store":{"disabled":{}},"lifecycle":{"dsl":{"data_retention":"30d"}},"processing":{"steps":[{"action":"grok","from":"message","ignore_missing":true,"patterns":["%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}"]}]},"settings":{}},"type":"classic"}}}},"schema":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_StreamUpsertRequest"}}}},"responses":{},"summary":"Create or update a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/_fork":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/_fork<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nForks a wired stream and creates a child stream<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-name-fork","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"forkStream":{"value":{"status":"enabled","stream":{"name":"logs.nginx.errors"},"where":{"eq":"500","field":"http.response.status_code"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"draft":{"type":"boolean"},"status":{"enum":["enabled","disabled"],"type":"string"},"stream":{"additionalProperties":false,"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition"}},"required":["stream","where"]}}}},"responses":{},"summary":"Fork a 
stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/_ingest":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/_ingest<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFetches the ingest settings of an ingest stream definition<br\/><br\/>[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-name-ingest","parameters":[{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"getWiredIngest":{"value":{"ingest":{"failure_store":{"inherit":{}},"lifecycle":{"inherit":{}},"processing":{"steps":[{"action":"grok","from":"message","ignore_missing":false,"patterns":["%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:@timestamp}\\] \"%{WORD:http.method} %{DATA:url.original} HTTP\/%{NUMBER:http.version}\" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)"]}],"updated_at":"2025-01-15T10:30:00.000Z"},"settings":{},"wired":{"fields":{"client.ip":{"type":"ip"},"http.method":{"type":"keyword"},"http.response.body.bytes":{"type":"long"},"http.response.status_code":{"type":"long"},"url.original":{"type":"wildcard"}},"routing":[{"destination":"logs.nginx.errors","status":"enabled","where":{"field":"http.response.status_code","gte":500}}]}}}}}}}}},"summary":"Get ingest stream settings","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/_ingest<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpserts the ingest settings of an ingest stream definition<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"put-streams-name-ingest","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"upsertWiredIngest":{"value":{"ingest":{"failure_store":{"inherit":{}},"lifecycle":{"inherit":{}},"processing":{"steps":[{"action":"grok","from":"message","ignore_missing":false,"patterns":["%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:@timestamp}\\] \"%{WORD:http.method} %{DATA:url.original} HTTP\/%{NUMBER:http.version}\" %{NUMBER:http.response.status_code:int} 
(?:%{NUMBER:http.response.body.bytes:int}|-)"]}]},"settings":{},"wired":{"fields":{"client.ip":{"type":"ip"},"http.method":{"type":"keyword"},"http.response.body.bytes":{"type":"long"},"http.response.status_code":{"type":"long"},"url.original":{"type":"wildcard"}},"routing":[{"destination":"logs.nginx.errors","status":"enabled","where":{"eq":"500","field":"http.response.status_code"}}]}}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"ingest":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"failure_store":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_FailureStore"},"lifecycle":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_IngestStreamLifecycle"},"processing":{"additionalProperties":false,"type":"object","properties":{"steps":{"items":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_StreamlangStep"},"type":"array"},"updated_at":{}},"required":["steps"]},"settings":{"additionalProperties":false,"type":"object","properties":{"index.number_of_replicas":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.number_of_shards":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.refresh_interval":{"additionalProperties":false,"type":"object","properties":{"value":{"anyOf":[{"type":"string"},{"enum":[-1],"type":"number"}]}},"required":["value"]}}},"wired":{"additionalProperties":false,"type":"object","properties":{"draft":{"type":"boolean"},"fields":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_FieldDefinition"},"routing":{"items":{"type":"object","properties":{"destination":{"description":"A non-empty 
string.","minLength":1,"type":"string"},"draft":{"type":"boolean"},"status":{"enum":["enabled","disabled"],"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition"}},"required":["destination","where"]},"type":"array"}},"required":["fields","routing"]}},"required":["lifecycle","processing","settings","failure_store","wired"]},{"additionalProperties":false,"type":"object","properties":{"classic":{"additionalProperties":false,"type":"object","properties":{"field_overrides":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_ClassicFieldDefinition"}}},"failure_store":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_FailureStore"},"lifecycle":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_IngestStreamLifecycle"},"processing":{"additionalProperties":false,"type":"object","properties":{"steps":{"items":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_StreamlangStep"},"type":"array"},"updated_at":{}},"required":["steps"]},"settings":{"additionalProperties":false,"type":"object","properties":{"index.number_of_replicas":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.number_of_shards":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.refresh_interval":{"additionalProperties":false,"type":"object","properties":{"value":{"anyOf":[{"type":"string"},{"enum":[-1],"type":"number"}]}},"required":["value"]}}}},"required":["lifecycle","processing","settings","failure_store","classic"]}]}},"required":["ingest"]}}}},"responses":{},"summary":"Update ingest stream settings","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/_query":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/_query<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFetches the query settings of a query stream definition<br\/><br\/>[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-name-query","parameters":[{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{},"summary":"Get query stream settings","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/_query<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpserts the query settings of a query stream definition<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"put-streams-name-query","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"upsertQueryStream":{"value":{"query":{"esql":"FROM logs* | WHERE log.level == \"error\" | KEEP @timestamp, message, host.name, 
log.level"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"field_descriptions":{"additionalProperties":{"type":"string"},"type":"object"},"query":{"additionalProperties":false,"type":"object","properties":{"esql":{"type":"string"}},"required":["esql"]}},"required":["query"]}}}},"responses":{},"summary":"Upsert query stream settings","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/content\/export":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/content\/export<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nExports the content associated to a stream.<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-name-content-export","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"include":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_ContentPackIncludedObjects"},"name":{"type":"string"},"version":{"type":"string"}},"required":["name","description","version","include"]}}}},"responses":{},"summary":"Export stream content","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/content\/import":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/content\/import<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nLinks content objects to a stream.<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-name-content-import","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"multipart\/form-data":{"schema":{"additionalProperties":false,"type":"object","properties":{"content":{},"include":{"type":"string"}},"required":["include","content"]}}}},"responses":{},"summary":"Import content into a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/queries":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/queries<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFetches all queries linked to a stream that are visible to the current user in the current space.<br\/><br\/>[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-name-queries","parameters":[{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{},"summary":"Get stream queries","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/queries\/_bulk":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/queries\/_bulk<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nBulk update queries of a stream. Can add new queries and delete existing ones.<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-name-queries-bulk","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"operations":{"items":{"anyOf":[{"type":"object","properties":{"index":{"type":"object","properties":{"description":{"default":"","type":"string"},"esql":{"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"evidence":{"items":{"type":"string"},"type":"array"},"id":{"description":"A non-empty string.","minLength":1,"type":"string"},"severity_score":{"type":"number"},"title":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["title","esql","id"]}},"required":["index"]},{"type":"object","properties":{"delete":{"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}},"required":["delete"]}]},"type":"array"}},"required":["operations"]}}}},"responses":{},"summary":"Bulk update queries","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/queries\/{queryId}":{"delete":{"description":"**Spaces method and path for this 
operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/queries\/{queryId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRemove a query from a stream. Noop if the query is not found on the stream.<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"delete-streams-name-queries-queryid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}},{"in":"path","name":"queryId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{},"summary":"Remove a query from a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/queries\/{queryId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nAdds a query to a stream. 
Noop if the query is already present on the stream.<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"put-streams-name-queries-queryid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}},{"in":"path","name":"queryId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"description":{"default":"","type":"string"},"esql":{"additionalProperties":false,"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"evidence":{"items":{"type":"string"},"type":"array"},"severity_score":{"type":"number"},"title":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["title","esql"]}}}},"responses":{},"summary":"Upsert a query to a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/significant_events":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/significant_events<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRead the significant events<br\/><br\/>[Required authorization] Route required privileges: 
read_stream.","operationId":"get-streams-name-significant-events","parameters":[{"in":"path","name":"name","required":true,"schema":{"type":"string"}},{"in":"query","name":"from","required":true,"schema":{"type":"string"}},{"in":"query","name":"to","required":true,"schema":{"type":"string"}},{"in":"query","name":"bucketSize","required":true,"schema":{"type":"string"}},{"description":"Query string to filter significant events on metadata fields","in":"query","name":"query","required":false,"schema":{"type":"string"}},{"description":"Search mode: keyword (BM25), semantic (vector), or hybrid (RRF). Defaults to hybrid when inference is available.","in":"query","name":"searchMode","required":false,"schema":{"enum":["keyword","semantic","hybrid"],"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{},"summary":"Read the significant events","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/significant_events\/_generate":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/significant_events\/_generate<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGenerate significant events queries based on the stream data<br\/><br\/>[Required authorization] Route required privileges: read_stream.","operationId":"post-streams-name-significant-events-generate","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}},{"description":"Optional 
connector ID. If not provided, the default AI connector from settings will be used.","in":"query","name":"connectorId","required":false,"schema":{"type":"string"}},{"in":"query","name":"from","required":true,"schema":{"type":"string"}},{"in":"query","name":"to","required":true,"schema":{"type":"string"}},{"description":"Number of sample documents to use for generation from the current data of stream","in":"query","name":"sampleDocsSize","required":false,"schema":{"type":"number"}}],"requestBody":{"content":{"application\/json":{"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{},"summary":"Generate significant events","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{name}\/significant_events\/_preview":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{name}\/significant_events\/_preview<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nPreview significant event results based on a given query<br\/><br\/>[Required authorization] Route required privileges: read_stream.","operationId":"post-streams-name-significant-events-preview","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"in":"path","name":"name","required":true,"schema":{"type":"string"}},{"in":"query","name":"from","required":true,"schema":{"type":"string"}},{"in":"query","name":"to","required":true,"schema":{"type":"string"}},{"in":"query","name":"bucketSize","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"schema":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"esql":{"additionalProperties":false,"type":"object","properties":{"query":{"type":"string"}},"required":["query"]}},"required":["esql"]}},"required":["query"]}}}},"responses":{},"summary":"Preview significant events","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{streamName}\/attachments":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{streamName}\/attachments<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFetches all attachments linked to a stream that are visible to the current user in the current space. 
Optionally filter by attachment types, search query, and tags.<br\/><br\/>[Required authorization] Route required privileges: read_stream.","operationId":"get-streams-streamname-attachments","parameters":[{"description":"The name of the stream","in":"path","name":"streamName","required":true,"schema":{"type":"string"}},{"description":"Search query to filter attachments by title","in":"query","name":"query","required":false,"schema":{"type":"string"}},{"description":"Filter by attachment types (single value or array)","in":"query","name":"attachmentTypes","required":false,"schema":{"items":{"enum":["dashboard","rule","slo"],"type":"string"},"type":"array"}},{"description":"Filter by tags (single value or array)","in":"query","name":"tags","required":false,"schema":{"items":{"type":"string"},"type":"array"}}],"requestBody":{"content":{"application\/json":{"examples":{"listAttachmentsExample":{"value":{}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"listAttachmentsResponse":{"value":{"attachments":[{"createdAt":"2023-02-23T16:15:47.275Z","description":"Dashboard for monitoring production services","id":"dashboard-123","streamNames":["logs.awsfirehose","logs.nginx"],"tags":["monitoring","production"],"title":"My Dashboard","type":"dashboard","updatedAt":"2023-03-24T14:39:17.636Z"}]}}}}},"description":"Successfully retrieved attachments"}},"summary":"Get stream attachments","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{streamName}\/attachments\/_bulk":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{streamName}\/attachments\/_bulk<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nBulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"post-streams-streamname-attachments-bulk","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The name of the stream","in":"path","name":"streamName","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"bulkAttachmentsExample":{"value":{"operations":[{"index":{"id":"dashboard-123","type":"dashboard"}},{"delete":{"id":"rule-456","type":"rule"}}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"operations":{"items":{"anyOf":[{"type":"object","properties":{"index":{"type":"object","properties":{"id":{"type":"string"},"type":{"enum":["dashboard","rule","slo"],"type":"string"}},"required":["id","type"]}},"required":["index"]},{"type":"object","properties":{"delete":{"type":"object","properties":{"id":{"type":"string"},"type":{"enum":["dashboard","rule","slo"],"type":"string"}},"required":["id","type"]}},"required":["delete"]}]},"type":"array"}},"required":["operations"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"bulkAttachmentsResponse":{"value":{"acknowledged":true}}}}},"description":"Successfully performed bulk operations"}},"summary":"Bulk update attachments","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/streams\/{streamName}\/attachments\/{attachmentType}\/{attachmentId}":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{streamName}\/attachments\/{attachmentType}\/{attachmentId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUnlinks an attachment from a stream. Noop if the attachment is not linked to the stream.<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"delete-streams-streamname-attachments-attachmenttype-attachmentid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The name of the stream","in":"path","name":"streamName","required":true,"schema":{"type":"string"}},{"description":"The type of the attachment","in":"path","name":"attachmentType","required":true,"schema":{"enum":["dashboard","rule","slo"],"type":"string"}},{"description":"The ID of the attachment","in":"path","name":"attachmentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"unlinkAttachmentExample":{"value":{}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"unlinkAttachmentResponse":{"value":{"acknowledged":true}}}}},"description":"Successfully unlinked attachment"}},"summary":"Unlink an attachment from a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/streams\/{streamName}\/attachments\/{attachmentType}\/{attachmentId}<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nLinks an attachment to a stream. Noop if the attachment is already linked to the stream.<br\/><br\/>[Required authorization] Route required privileges: manage_stream.","operationId":"put-streams-streamname-attachments-attachmenttype-attachmentid","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"The name of the stream","in":"path","name":"streamName","required":true,"schema":{"type":"string"}},{"description":"The type of the attachment","in":"path","name":"attachmentType","required":true,"schema":{"enum":["dashboard","rule","slo"],"type":"string"}},{"description":"The ID of the attachment","in":"path","name":"attachmentId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"linkAttachmentExample":{"value":{}}},"schema":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{}},{"nullable":true},{}]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"linkAttachmentResponse":{"value":{"acknowledged":true}}}}},"description":"Successfully linked attachment"}},"summary":"Link an attachment to a stream","tags":["streams"],"x-state":"Technical Preview","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/task_manager\/_health":{"get":{"description":"Get the health status of the Kibana task manager.\n","operationId":"task-manager-health","responses":{"200":{"content":{"application\/json":{"examples":{"taskManagerHealthResponse1":{"$ref":"#\/components\/examples\/Task_manager_health_Serverless_APIs_health_200response_serverless"}},"schema":{"$ref":"#\/components\/schemas\/Task_manager_health_Serverless_APIs_health_response_serverless"}}},"description":"Indicates a successful call"}},"summary":"Get the task manager 
health","tags":["task manager"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/timeline":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete one or more Timelines or Timeline templates.","operationId":"DeleteTimelines","requestBody":{"content":{"application\/json":{"examples":{"deleteByIds":{"summary":"Delete timelines by saved object id","value":{"savedObjectIds":["15c1929b-0af7-42bd-85a8-56e234cc7c4e"]}},"deleteWithSearches":{"summary":"Delete Timelines and their linked saved searches","value":{"savedObjectIds":["15c1929b-0af7-42bd-85a8-56e234cc7c4e","6ce1b592-84e3-4b4a-9552-f189d4b82075"],"searchIds":["2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11"]}}},"schema":{"type":"object","properties":{"savedObjectIds":{"description":"The list of IDs of the Timelines or Timeline templates to delete","items":{"type":"string"},"maxItems":100,"type":"array"},"searchIds":{"description":"Saved search IDs that should be deleted alongside the timelines","items":{"type":"string"},"maxItems":100,"type":"array"}},"required":["savedObjectIds"]}}},"description":"The IDs of the Timelines or Timeline templates to delete.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"success":{"summary":"Success","value":{}}},"schema":{"additionalProperties":true,"type":"object"}}},"description":"Indicates a successful call."}},"summary":"Delete Timelines or Timeline templates","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/timeline<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of an existing saved Timeline or Timeline template.","operationId":"GetTimeline","parameters":[{"description":"The `savedObjectId` of the Timeline template to retrieve.","in":"query","name":"template_timeline_id","schema":{"type":"string"}},{"description":"The `savedObjectId` of the Timeline to retrieve.","in":"query","name":"id","schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"timelineDetail":{"summary":"Timeline detail","value":{"description":"User-reported suspicious email","noteIds":[],"pinnedEventIds":[],"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","status":"active","timelineType":"default","title":"Phishing investigation","version":"WzE0LDFd"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates a successful call."}},"summary":"Get Timeline or Timeline template details","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"patch":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb patch\">patch<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nUpdate an existing Timeline. 
You can update the title, description, date range, pinned events, pinned queries, and\/or pinned saved queries of an existing Timeline.","operationId":"PatchTimeline","requestBody":{"content":{"application\/json":{"examples":{"patchTitle":{"summary":"Update title","value":{"timeline":{"title":"Escalated case review"},"timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}}},"schema":{"type":"object","properties":{"timeline":{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedTimeline","description":"The timeline object of the Timeline or Timeline template that you\u2019re updating."},"timelineId":{"description":"The `savedObjectId` of the Timeline or Timeline template that you\u2019re updating.","example":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","nullable":true,"type":"string"},"version":{"description":"The version of the Timeline or Timeline template that you\u2019re updating.","example":"WzE0LDFd","nullable":true,"type":"string"}},"required":["timelineId","version","timeline"]}}},"description":"The Timeline updates, along with the Timeline ID and version.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"patched":{"summary":"Updated timeline","value":{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","status":"active","timelineType":"default","title":"Escalated case review","version":"WzE1LDFd"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates a successful call."},"405":{"content":{"application\/json":{"examples":{"error":{"summary":"Error body","value":{"body":"update timeline error","statusCode":405}}},"schema":{"type":"object","properties":{"body":{"description":"The error message.","example":"update timeline error","type":"string"},"statusCode":{"example":405,"type":"number"}}}}},"description":"Indicates that the user does not have the required access to create a Timeline."}},"summary":"Update a Timeline","tags":["Security Timeline 
API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new Timeline or Timeline template.","operationId":"CreateTimelines","requestBody":{"content":{"application\/json":{"examples":{"createDefault":{"summary":"Create a default timeline","value":{"timeline":{"status":"active","timelineType":"default","title":"Malware containment"}}}},"schema":{"type":"object","properties":{"status":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineStatus","nullable":true},"templateTimelineId":{"description":"A unique identifier for the Timeline template.","example":"6ce1b592-84e3-4b4a-9552-f189d4b82075","nullable":true,"type":"string"},"templateTimelineVersion":{"description":"Timeline template version number.","example":12,"nullable":true,"type":"number"},"timeline":{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedTimeline"},"timelineId":{"description":"A unique identifier for the Timeline.","example":"6ce1b592-84e3-4b4a-9552-f189d4b82075","nullable":true,"type":"string"},"timelineType":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineType","nullable":true},"version":{"nullable":true,"type":"string"}},"required":["timeline"]}}},"description":"The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"created":{"summary":"Created timeline","value":{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","status":"active","timelineType":"default","title":"Malware 
containment","version":"WzE0LDFd"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates a successful call."},"405":{"content":{"application\/json":{"examples":{"error":{"summary":"Error body","value":{"body":"update timeline error","statusCode":405}}},"schema":{"type":"object","properties":{"body":{"description":"The error message","example":"update timeline error","type":"string"},"statusCode":{"example":405,"type":"number"}}}}},"description":"Indicates that there was an error in the Timeline creation."}},"summary":"Create a Timeline or Timeline template","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/timeline\/_copy":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline\/_copy<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCopies and returns a timeline or timeline template.\n","operationId":"CopyTimeline","requestBody":{"content":{"application\/json":{"examples":{"copyWithTitle":{"summary":"Copy with a new title","value":{"timeline":{"timelineType":"default","title":"Copy of investigation"},"timelineIdToCopy":"15c1929b-0af7-42bd-85a8-56e234cc7c4e"}}},"schema":{"type":"object","properties":{"timeline":{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedTimeline"},"timelineIdToCopy":{"description":"The `savedObjectId` of the timeline or template to duplicate.","type":"string"}},"required":["timeline","timelineIdToCopy"]}}},"description":"Source timeline id to copy plus timeline fields for the new saved object.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"copied":{"summary":"Newly saved 
timeline","value":{"savedObjectId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","status":"active","timelineType":"default","title":"Copy of investigation","version":"WzE1LDFd"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates a successful call."}},"summary":"Copies timeline or timeline template","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/timeline\/_draft":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline\/_draft<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet the details of the draft Timeline  or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned.","operationId":"GetDraftTimelines","parameters":[{"description":"Which draft to load (`default` investigation timeline or `template` timeline template).","in":"query","name":"timelineType","required":true,"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineType"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"draftPayload":{"summary":"Draft timeline payload","value":{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","status":"draft","timelineType":"default","title":"","version":"WzE0LDFd"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates a successful call."},"403":{"content":{"application\/json":{"examples":{"forbidden":{"summary":"Permission denied","value":{"message":"Forbidden","status_code":403}}},"schema":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"number"}}}}},"description":"If a draft Timeline was not found and we attempted to create one, it indicates that 
the user does not have the required permissions to create a draft Timeline."},"409":{"content":{"application\/json":{"examples":{"conflict":{"summary":"Draft conflict","value":{"message":"Conflict","status_code":409}}},"schema":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"number"}}}}},"description":"This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`."}},"summary":"Get draft Timeline or Timeline template details","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline\/_draft<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a clean draft Timeline or Timeline template for the current user.\n> info\n> If the user already has a draft Timeline, the existing draft Timeline is cleared and returned.\n","operationId":"CleanDraftTimelines","requestBody":{"content":{"application\/json":{"examples":{"defaultDraft":{"summary":"Create a default draft timeline","value":{"timelineType":"default"}}},"schema":{"type":"object","properties":{"timelineType":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineType"}},"required":["timelineType"]}}},"description":"The type of Timeline to create. 
Valid values are `default` and `template`.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"draftResponse":{"summary":"Draft after reset or creation","value":{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","status":"draft","templateTimelineId":null,"templateTimelineVersion":null,"timelineType":"default","title":"","version":"WzE0LDFd"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineResponse"}}},"description":"Indicates a successful call."},"403":{"content":{"application\/json":{"examples":{"forbidden":{"summary":"Permission denied","value":{"message":"Forbidden","status_code":403}}},"schema":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"number"}}}}},"description":"Indicates that the user does not have the required permissions to create a draft Timeline."},"409":{"content":{"application\/json":{"examples":{"conflict":{"summary":"Draft conflict","value":{"message":"Conflict","status_code":409}}},"schema":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"number"}}}}},"description":"Indicates that there is already a draft Timeline with the given `timelineId`."}},"summary":"Create a clean draft Timeline or Timeline template","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/timeline\/_export":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline\/_export<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nExport Timelines as an NDJSON file.","operationId":"ExportTimelines","parameters":[{"description":"The name of the file to 
export","in":"query","name":"file_name","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"exportIds":{"summary":"Export by timeline ids","value":{"ids":["15c1929b-0af7-42bd-85a8-56e234cc7c4e"]}}},"schema":{"type":"object","properties":{"ids":{"items":{"type":"string"},"maxItems":1000,"minItems":1,"nullable":true,"type":"array"}}}}},"description":"The IDs of the Timelines to export.","required":true},"responses":{"200":{"content":{"application\/ndjson":{"examples":{"ndjsonLine":{"summary":"Single NDJSON line","value":"{\"savedObjectId\":\"15c1929b-0af7-42bd-85a8-56e234cc7c4e\",\"version\":\"WzE0LDFd\",\"title\":\"Investigation\",\"timelineType\":\"default\"}"}},"schema":{"description":"NDJSON of the exported Timelines","type":"string"}}},"description":"Indicates a successful call."},"400":{"content":{"application\/ndjson":{"examples":{"badRequest":{"summary":"Export error","value":{"body":"Export limit exceeded","statusCode":400}}},"schema":{"type":"object","properties":{"body":{"type":"string"},"statusCode":{"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Export Timelines","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/timeline\/_favorite":{"patch":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb patch\">patch<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline\/_favorite<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nFavorite a Timeline or Timeline template for the current user.","operationId":"PersistFavoriteRoute","requestBody":{"content":{"application\/json":{"examples":{"favoriteDefault":{"summary":"Favorite a default 
timeline","value":{"templateTimelineId":null,"templateTimelineVersion":null,"timelineId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","timelineType":"default"}}},"schema":{"type":"object","properties":{"templateTimelineId":{"nullable":true,"type":"string"},"templateTimelineVersion":{"nullable":true,"type":"number"},"timelineId":{"nullable":true,"type":"string"},"timelineType":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineType","nullable":true}},"required":["timelineId","templateTimelineId","templateTimelineVersion","timelineType"]}}},"description":"The required fields used to favorite a (template) Timeline.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"favoriteResponse":{"summary":"Favorite metadata updated","value":{"favorite":[{"favoriteDate":1741337636741,"userName":"elastic"}],"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","timelineType":"default","version":"WzE2LDFd"}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_FavoriteTimelineResponse"}}},"description":"Indicates a successful call."},"403":{"content":{"application\/json":{"examples":{"forbidden":{"summary":"Forbidden","value":{"body":"Forbidden","statusCode":403}}},"schema":{"type":"object","properties":{"body":{"type":"string"},"statusCode":{"type":"number"}}}}},"description":"Indicates the user does not have the required permissions to persist the favorite status."}},"summary":"Favorite a Timeline or Timeline template","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/timeline\/_import":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline\/_import<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nImport 
Timelines.","operationId":"ImportTimelines","requestBody":{"content":{"application\/json":{"examples":{"multipartPlaceholder":{"summary":"Request shape (file is a stream of NDJSON lines at runtime)","value":{"file":"{\"savedObjectId\":\"15c1929b-0af7-42bd-85a8-56e234cc7c4e\",\"version\":\"WzE0LDFd\"}\\n","isImmutable":"false"}}},"schema":{"type":"object","properties":{"file":{},"isImmutable":{"description":"Whether the Timeline should be immutable","enum":["true","false"],"type":"string"}},"required":["file"]}}},"description":"The Timelines to import as a readable stream.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"importSummary":{"summary":"Import summary","value":{"errors":[],"success":true,"success_count":5,"timelines_installed":3,"timelines_updated":2}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_ImportTimelineResult"}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"badRequest":{"summary":"Invalid import","value":{"body":"Invalid file extension","statusCode":400}}},"schema":{"type":"object","properties":{"body":{"description":"The error message","example":"Invalid file extension","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Bad Request response."},"404":{"content":{"application\/json":{"examples":{"notFound":{"summary":"Saved objects client missing","value":{"body":"Unable to find saved object client","statusCode":404}}},"schema":{"type":"object","properties":{"body":{"description":"The error message","example":"Unable to find saved object client","type":"string"},"statusCode":{"example":404,"type":"number"}}}}},"description":"Not found response."},"409":{"content":{"application\/json":{"examples":{"conflict":{"summary":"Import conflict","value":{"body":"Could not import timelines","statusCode":409}}},"schema":{"type":"object","properties":{"body":{"description":"The error message","example":"Could not import 
timelines","type":"string"},"statusCode":{"example":409,"type":"number"}}}}},"description":"Indicates the import of Timelines was unsuccessful."}},"summary":"Import Timelines","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/timeline\/_prepackaged":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline\/_prepackaged<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nInstall or update prepackaged Timelines.","operationId":"InstallPrepackedTimelines","requestBody":{"content":{"application\/json":{"examples":{"emptyArrays":{"summary":"Installer payload shape","value":{"prepackagedTimelines":[],"timelinesToInstall":[],"timelinesToUpdate":[]}}},"schema":{"type":"object","properties":{"prepackagedTimelines":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineSavedToReturnObject","nullable":true},"type":"array"},"timelinesToInstall":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_ImportTimelines","nullable":true},"type":"array"},"timelinesToUpdate":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_ImportTimelines","nullable":true},"type":"array"}},"required":["timelinesToInstall","timelinesToUpdate","prepackagedTimelines"]}}},"description":"The Timelines to install or update.","required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"installResult":{"summary":"Install result counts","value":{"errors":[],"success":true,"success_count":10,"timelines_installed":8,"timelines_updated":2}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_ImportTimelineResult"}}},"description":"Indicates a successful call."},"500":{"content":{"application\/json":{"examples":{"serverError":{"summary":"Server 
error","value":{"body":"Internal error","statusCode":500}}},"schema":{"type":"object","properties":{"body":{"type":"string"},"statusCode":{"type":"number"}}}}},"description":"Indicates the installation of prepackaged Timelines was unsuccessful."}},"summary":"Install prepackaged Timelines","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/timeline\/resolve":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timeline\/resolve<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nResolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates.","operationId":"ResolveTimeline","parameters":[{"description":"The ID of the template timeline to resolve","in":"query","name":"template_timeline_id","schema":{"type":"string"}},{"description":"The ID of the timeline to resolve","in":"query","name":"id","schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"exactMatch":{"description":"Timeline resolved without alias or conflict","summary":"Exact match outcome","value":{"outcome":"exactMatch","timeline":{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","timelineType":"default","title":"Investigation"}}}},"schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_ResolvedTimeline"}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"badRequest":{"summary":"Bad request","value":{}}},"schema":{"additionalProperties":true,"type":"object"}}},"description":"Bad Request 
response."},"404":{"content":{"application\/json":{"examples":{"notFound":{"summary":"Not found","value":{}}},"schema":{"additionalProperties":true,"type":"object"}}},"description":"The (template) Timeline was not found"}},"summary":"Resolve a Timeline or Timeline template","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/timelines":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/timelines<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nGet a list of all saved Timelines or Timeline templates.","operationId":"GetTimelines","parameters":[{"description":"If `true`, only Timelines that the current user has marked as favorite are returned.","in":"query","name":"only_user_favorite","schema":{"enum":["true","false"],"nullable":true,"type":"string"}},{"description":"Restrict results to `default` investigation timelines or `template` timeline templates.","in":"query","name":"timeline_type","schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineType","nullable":true}},{"description":"Field used to sort the list (`title`, `description`, `updated`, or `created`).","in":"query","name":"sort_field","schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_SortFieldTimeline"}},{"description":"Whether to sort the results `ascending` or `descending`","in":"query","name":"sort_order","schema":{"enum":["asc","desc"],"type":"string"}},{"description":"How many results should be returned at once","in":"query","name":"page_size","schema":{"nullable":true,"type":"string"}},{"description":"How many pages should be skipped","in":"query","name":"page_index","schema":{"nullable":true,"type":"string"}},{"description":"Searches for timelines by their 
title","in":"query","name":"search","schema":{"nullable":true,"type":"string"}},{"description":"Filter by timeline lifecycle state (`active`, `draft`, or `immutable`).","in":"query","name":"status","schema":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineStatus","nullable":true}}],"responses":{"200":{"content":{"application\/json":{"examples":{"timelineList":{"summary":"Example list response","value":{"customTemplateTimelineCount":0,"defaultTimelineCount":1,"elasticTemplateTimelineCount":0,"favoriteCount":0,"templateTimelineCount":0,"timeline":[{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","status":"active","timelineType":"default","title":"Phishing investigation","updated":1741344876825,"version":"WzE0LDFd"}],"totalCount":1}}},"schema":{"type":"object","properties":{"customTemplateTimelineCount":{"description":"The amount of custom Timeline templates in the results","example":2,"type":"number"},"defaultTimelineCount":{"description":"The amount of `default` type Timelines in the results","example":90,"type":"number"},"elasticTemplateTimelineCount":{"description":"The amount of Elastic's Timeline templates in the results","example":8,"type":"number"},"favoriteCount":{"description":"The amount of favorited Timelines","example":5,"type":"number"},"templateTimelineCount":{"description":"The amount of Timeline templates in the results","example":10,"type":"number"},"timeline":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineResponse"},"type":"array"},"totalCount":{"description":"The total amount of results","example":100,"type":"number"}},"required":["timeline","totalCount"]}}},"description":"Indicates a successful call."},"400":{"content":{"application\/json":{"examples":{"badRequest":{"summary":"Error response body","value":{"body":"get timeline error","statusCode":400}}},"schema":{"type":"object","properties":{"body":{"description":"The error message.","example":"get timeline 
error","type":"string"},"statusCode":{"example":400,"type":"number"}}}}},"description":"Bad Request response."}},"summary":"Get Timelines or Timeline templates","tags":["Security Timeline API"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows":{"delete":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete multiple workflows by their IDs.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:delete.","operationId":"delete-workflows","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. 
The workflow IDs become available for reuse.","in":"query","name":"force","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"bulkDeleteWorkflowsRequestExample":{"description":"Example request for deleting multiple workflows","value":{"ids":["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123","workflow-d4e5f6a7-b8c9-0123-defa-345678901234"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"ids":{"description":"Array of workflow IDs to delete.","items":{"description":"Workflow ID to delete.","type":"string"},"maxItems":1000,"type":"array"}},"required":["ids"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"bulkDeleteWorkflowsResponseExample":{"description":"Example response after deleting multiple workflows","value":{"deleted":2,"failures":[],"total":2}}}}},"description":"Indicates a successful response"}},"summary":"Bulk delete workflows","tags":["workflows"],"x-codeSamples":[{"label":"Soft delete (default)","lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}\/api\/workflows\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"ids\": [\"workflow-c3d4e5f6-a7b8-9012-cdef-234567890123\", \"workflow-d4e5f6a7-b8c9-0123-defa-345678901234\"]\n  }'\n"},{"label":"Hard delete (permanent)","lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}\/api\/workflows?force=true\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"ids\": [\"workflow-c3d4e5f6-a7b8-9012-cdef-234567890123\", \"workflow-d4e5f6a7-b8c9-0123-defa-345678901234\"]\n  }'\n"},{"lang":"Console","source":"DELETE kbn:\/\/api\/workflows\n{\n  \"ids\": [\"workflow-c3d4e5f6-a7b8-9012-cdef-234567890123\", \"workflow-d4e5f6a7-b8c9-0123-defa-345678901234\"]\n}\n"}],"x-state":"Generally 
available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve a paginated list of workflows with optional filtering.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution.","operationId":"get-workflows","parameters":[{"description":"Free-text search query.","in":"query","name":"query","required":false,"schema":{"type":"string"}},{"description":"Number of results per page.","in":"query","name":"size","required":false,"schema":{"minimum":1,"type":"number"}},{"description":"Page number.","in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"number"}},{"description":"Filter by enabled state.","in":"query","name":"enabled","required":false,"schema":{"items":{"type":"boolean"},"maxItems":2,"type":"array"}},{"description":"Filter by creator.","in":"query","name":"createdBy","required":false,"schema":{"items":{"type":"string"},"maxItems":1000,"type":"array"}},{"description":"Filter by tags.","in":"query","name":"tags","required":false,"schema":{"items":{"type":"string"},"maxItems":1000,"type":"array"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getWorkflowsResponseExample":{"description":"Example response returning a paginated list of workflows","value":{"page":1,"results":[{"createdAt":"2025-11-20T10:30:00.000Z","definition":{"description":"This is a workflow example","enabled":true,"inputs":[{"default":"hello world","name":"message","type":"string"}],"name":"Example definition","steps":[{"name":"hello_world_step","type":"console","with":{"message":"{{ inputs.message 
}}"}}],"triggers":[{"type":"manual"}]},"description":"This is a workflow example","enabled":true,"history":[{"duration":5000,"finishedAt":"2025-11-20T12:00:05.000Z","id":"exec-001","startedAt":"2025-11-20T12:00:00.000Z","status":"completed","workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","workflowName":"Example definition"}],"id":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","name":"Example definition","tags":["example"],"valid":true}],"size":20,"total":1}}}}},"description":"Indicates a successful response"}},"summary":"Get workflows","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows?size=20&page=1\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows?size=20&page=1\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate multiple workflows in a single request. 
Optionally overwrite existing workflows.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update.","operationId":"post-workflows","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Whether to overwrite existing workflows.","in":"query","name":"overwrite","required":false,"schema":{"default":false,"type":"boolean"}}],"requestBody":{"content":{"application\/json":{"examples":{"bulkCreateWorkflowsRequestExample":{"description":"Example request for creating multiple workflows at once","value":{"workflows":[{"yaml":"name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"},{"id":"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901","yaml":"name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n  - type: manual\nsteps:\n  - name: log_step\n    type: console\n    with:\n      message: \"Hello from second workflow\"\n"}]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"workflows":{"items":{"type":"object","properties":{"id":{"maxLength":255,"minLength":3,"pattern":"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$","type":"string"},"yaml":{"maxLength":1048576,"type":"string"}},"required":["yaml"]},"maxItems":500,"type":"array"}},"required":["workflows"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"bulkCreateWorkflowsResponseExample":{"description":"Example response after creating multiple workflows","value":{"created":[{"id":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","name":"Example definition"},{"id":"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901","name":"Second 
workflow"}],"failures":[],"total":2}}}}},"description":"Indicates a successful response"}},"summary":"Bulk create workflows","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/workflows?overwrite=false\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"workflows\": [\n      { \"yaml\": \"name: Example definition\\nenabled: true\\ndescription: This is a workflow example\\ntriggers:\\n  - type: manual\\ninputs:\\n  - name: message\\n    type: string\\n    default: \\\"hello world\\\"\\nsteps:\\n  - name: hello_world_step\\n    type: console\\n    with:\\n      message: \\\"{{ inputs.message }}\\\"\\n\" },\n      { \"id\": \"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901\", \"yaml\": \"name: Second workflow\\nenabled: false\\ndescription: Another workflow\\ntriggers:\\n  - type: manual\\nsteps:\\n  - name: log_step\\n    type: console\\n    with:\\n      message: \\\"Hello from second workflow\\\"\\n\" }\n    ]\n  }'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows?overwrite=false\n{\n  \"workflows\": [\n    { \"yaml\": \"name: Example definition\\nenabled: true\\ndescription: This is a workflow example\\ntriggers:\\n  - type: manual\\ninputs:\\n  - name: message\\n    type: string\\n    default: \\\"hello world\\\"\\nsteps:\\n  - name: hello_world_step\\n    type: console\\n    with:\\n      message: \\\"{{ inputs.message }}\\\"\\n\" },\n    { \"id\": \"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901\", \"yaml\": \"name: Second workflow\\nenabled: false\\ndescription: Another workflow\\ntriggers:\\n  - type: manual\\nsteps:\\n  - name: log_step\\n    type: console\\n    with:\\n      message: \\\"Hello from second workflow\\\"\\n\" }\n  ]\n}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/aggs":{"get":{"description":"**Spaces 
method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/aggs<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:read.","operationId":"get-workflows-aggs","parameters":[{"description":"Field or fields to aggregate on.","in":"query","name":"fields","required":true,"schema":{"description":"Fields to aggregate on.","items":{"description":"Field name to aggregate.","type":"string"},"maxItems":25,"type":"array"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getAggsResponseExample":{"description":"Example response with tag and createdBy aggregations","value":{"createdBy":[{"doc_count":2,"key":"elastic"}],"tags":[{"doc_count":1,"key":"reporting"},{"doc_count":1,"key":"security"},{"doc_count":1,"key":"triage"}]}}}}},"description":"Indicates a successful response"}},"summary":"Get workflow aggregations","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows\/aggs?fields=tags&fields=createdBy\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows\/aggs?fields=tags&fields=createdBy\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/connectors":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/connectors<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more 
information.\n\nRetrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:read.","operationId":"get-workflows-connectors","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getConnectorsResponseExample":{"description":"Example response with available connector types and their instances","value":{"connectorTypes":{".email":{"actionTypeId":".email","displayName":"Email","enabled":true,"enabledInConfig":true,"enabledInLicense":true,"instances":[],"minimumLicenseRequired":"gold","subActions":[{"displayName":"Send","name":"send"}]},".slack_api":{"actionTypeId":".slack_api","displayName":"Slack","enabled":true,"enabledInConfig":true,"enabledInLicense":true,"instances":[{"id":"slack-connector-1","isDeprecated":false,"isPreconfigured":false,"name":"Team Notifications"}],"minimumLicenseRequired":"gold","subActions":[{"displayName":"Post Message","name":"postMessage"}]}},"totalConnectors":1}}}}},"description":"Indicates a successful response"}},"summary":"Get available connectors","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows\/connectors\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows\/connectors\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/executions\/{executionId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/executions\/{executionId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve details of a single 
workflow execution by its ID.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:readExecution.","operationId":"get-workflows-executions-executionid","parameters":[{"description":"Workflow execution ID","in":"path","name":"executionId","required":true,"schema":{"type":"string"}},{"description":"Include execution input data.","in":"query","name":"includeInput","required":false,"schema":{"default":false,"type":"boolean"}},{"description":"Include execution output data.","in":"query","name":"includeOutput","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getExecutionResponseExample":{"description":"Example response returning a workflow execution with step details","value":{"duration":3000,"executedBy":"elastic","finishedAt":"2025-11-20T12:00:03.000Z","id":"exec-a1b2c3d4-e5f6-7890","input":{"message":"hello world"},"isTestRun":false,"output":"hello world","spaceId":"default","startedAt":"2025-11-20T12:00:00.000Z","status":"completed","stepExecutions":[{"executionTimeMs":1000,"finishedAt":"2025-11-20T12:00:02.000Z","globalExecutionIndex":0,"id":"step-exec-001","isTestRun":false,"scopeStack":[],"spaceId":"default","startedAt":"2025-11-20T12:00:01.000Z","status":"completed","stepExecutionIndex":0,"stepId":"hello_world_step","stepType":"console","topologicalIndex":0,"workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","workflowRunId":"exec-a1b2c3d4-e5f6-7890"}],"triggeredBy":"manual","workflowDefinition":{"description":"This is a workflow example","enabled":true,"inputs":[{"default":"hello world","name":"message","type":"string"}],"name":"Example definition","steps":[{"name":"hello_world_step","type":"console","with":{"message":"{{ inputs.message }}"}}],"triggers":[{"type":"manual"}]},"workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","yaml":"name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: 
manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"}}}}},"description":"Indicates a successful response"}},"summary":"Get a workflow execution","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows\/executions\/{executionId}?includeInput=true&includeOutput=true\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows\/executions\/{executionId}?includeInput=true&includeOutput=true\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/executions\/{executionId}\/cancel":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/executions\/{executionId}\/cancel<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCancel a running workflow execution by its ID.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:cancelExecution.","operationId":"post-workflows-executions-executionid-cancel","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Workflow execution ID","in":"path","name":"executionId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Indicates a successful response"}},"summary":"Cancel a workflow execution","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/workflows\/executions\/{executionId}\/cancel\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: 
true\"\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows\/executions\/{executionId}\/cancel\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/executions\/{executionId}\/children":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/executions\/{executionId}\/children<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve child workflow executions spawned by sub-workflow steps within a parent execution.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:readExecution.","operationId":"get-workflows-executions-executionid-children","parameters":[{"description":"Workflow execution ID","in":"path","name":"executionId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getChildrenExecutionsResponseExample":{"description":"Example response returning child workflow executions spawned by sub-workflow steps","value":[{"executionId":"child-exec-001","parentStepExecutionId":"step-exec-003","status":"completed","stepExecutions":[{"executionTimeMs":1000,"finishedAt":"2025-11-20T12:00:07.000Z","globalExecutionIndex":0,"id":"child-step-001","isTestRun":false,"scopeStack":[],"startedAt":"2025-11-20T12:00:06.000Z","status":"completed","stepExecutionIndex":0,"stepId":"hello_world_step","stepType":"console","topologicalIndex":0,"workflowId":"workflow-e5f6a7b8-c9d0-1234-efab-456789012345","workflowRunId":"child-exec-001"}],"workflowId":"workflow-e5f6a7b8-c9d0-1234-efab-456789012345","workflowName":"Child Workflow"}]}}}},"description":"Indicates a successful response"}},"summary":"Get child executions","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET 
\"${KIBANA_URL}\/api\/workflows\/executions\/{executionId}\/children\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows\/executions\/{executionId}\/children\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/executions\/{executionId}\/logs":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/executions\/{executionId}\/logs<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:readExecution.","operationId":"get-workflows-executions-executionid-logs","parameters":[{"description":"Workflow execution ID","in":"path","name":"executionId","required":true,"schema":{"type":"string"}},{"description":"Filter logs by a specific step execution ID.","in":"query","name":"stepExecutionId","required":false,"schema":{"type":"string"}},{"description":"Number of log entries per page.","in":"query","name":"size","required":false,"schema":{"default":100,"maximum":100,"minimum":1,"type":"number"}},{"description":"Page number.","in":"query","name":"page","required":false,"schema":{"default":1,"minimum":1,"type":"number"}},{"description":"Field to sort by.","in":"query","name":"sortField","required":false,"schema":{"type":"string"}},{"description":"Sort order.","in":"query","name":"sortOrder","required":false,"schema":{"enum":["asc","desc"],"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getExecutionLogsResponseExample":{"description":"Example response returning paginated execution 
logs","value":{"logs":[{"additionalData":{"executionId":"exec-a1b2c3d4-e5f6-7890","workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890"},"connectorType":"console","duration":150,"id":"log-001","level":"info","message":"Workflow execution started","stepId":"hello_world_step","stepName":"Hello World","timestamp":"2025-11-20T12:00:01.000Z"},{"additionalData":{"executionId":"exec-a1b2c3d4-e5f6-7890","workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890"},"connectorType":"console","duration":200,"id":"log-002","level":"info","message":"Step completed successfully","stepId":"hello_world_step","stepName":"Hello World","timestamp":"2025-11-20T12:00:02.000Z"}],"page":1,"size":100,"total":2}}}}},"description":"Indicates a successful response"}},"summary":"Get execution logs","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows\/executions\/{executionId}\/logs?size=100&page=1\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows\/executions\/{executionId}\/logs?size=100&page=1\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/executions\/{executionId}\/resume":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/executions\/{executionId}\/resume<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nResume a paused workflow execution with the provided input.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:execute.","operationId":"post-workflows-executions-executionid-resume","parameters":[{"description":"A required header to protect against CSRF 
attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Workflow execution ID","in":"path","name":"executionId","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"resumeExecutionRequestExample":{"description":"Example request to resume a paused workflow execution","value":{"input":{"approved":true,"comment":"Approved by analyst"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"input":{"additionalProperties":{"nullable":true},"description":"Input data to resume the execution with.","type":"object"}},"required":["input"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"resumeExecutionResponseExample":{"description":"Example response confirming the resume was scheduled","value":{"executionId":"exec-a1b2c3d4-e5f6-7890","message":"Workflow resume scheduled","success":true}}}}},"description":"Indicates a successful response"}},"summary":"Resume a workflow execution","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/workflows\/executions\/{executionId}\/resume\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"input\": {\n      \"approved\": true,\n      \"comment\": \"Approved by analyst\"\n    }\n  }'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows\/executions\/{executionId}\/resume\n{\n  \"input\": {\n    \"approved\": true,\n    \"comment\": \"Approved by analyst\"\n  }\n}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/executions\/{executionId}\/step\/{stepExecutionId}":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span 
class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/executions\/{executionId}\/step\/{stepExecutionId}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve details of a single step execution within a workflow execution.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:readExecution.","operationId":"get-workflows-executions-executionid-step-stepexecutionid","parameters":[{"description":"Workflow execution ID.","in":"path","name":"executionId","required":true,"schema":{"type":"string"}},{"description":"Step execution ID.","in":"path","name":"stepExecutionId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getStepExecutionResponseExample":{"description":"Example response returning a single step execution","value":{"error":null,"executionTimeMs":1000,"finishedAt":"2025-11-20T12:00:02.000Z","globalExecutionIndex":0,"id":"step-exec-001","input":{"message":"hello world"},"isTestRun":false,"output":"hello world","scopeStack":[],"spaceId":"default","startedAt":"2025-11-20T12:00:01.000Z","state":null,"status":"completed","stepExecutionIndex":0,"stepId":"hello_world_step","stepType":"console","topologicalIndex":0,"workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","workflowRunId":"exec-a1b2c3d4-e5f6-7890"}}}}},"description":"Indicates a successful response"}},"summary":"Get a step execution","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows\/executions\/{executionId}\/step\/{stepExecutionId}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows\/executions\/{executionId}\/step\/{stepExecutionId}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/export":{"post":{"description":"**Spaces 
method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/export<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nExport one or more workflows as JSON with YAML content and metadata.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:read.","operationId":"post-workflows-export","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"exportWorkflowsRequestExample":{"description":"Example request to export workflows","value":{"ids":["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"ids":{"description":"Array of workflow IDs to export.","items":{"description":"Workflow ID to export.","maxLength":255,"type":"string"},"maxItems":500,"minItems":1,"type":"array"}},"required":["ids"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"exportWorkflowsResponseExample":{"description":"Workflow entries with YAML content and export manifest","value":{"entries":[{"id":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","yaml":"name: My Workflow\nsteps:\n  - type: http.request\n    with:\n      url: https:\/\/example.com"},{"id":"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901","yaml":"name: Another Workflow\nsteps:\n  - type: http.request\n    with:\n      url: https:\/\/example.com"}],"manifest":{"exportedAt":"2026-03-26T12:00:00.000Z","exportedCount":2,"version":"1"}}}}}},"description":"JSON containing exported workflow YAML entries and manifest metadata"}},"summary":"Export workflows","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X 
POST \"${KIBANA_URL}\/api\/workflows\/export\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"ids\": [\"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890\", \"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901\"]\n  }'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows\/export\n{\n  \"ids\": [\"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890\", \"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901\"]\n}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/mget":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/mget<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve multiple workflows by their IDs in a single request. 
Optionally use the `source` parameter to return only specific fields from each workflow document.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:read.","operationId":"post-workflows-mget","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"mgetWorkflowsRequestExample":{"description":"Example request to retrieve multiple workflows by their IDs","value":{"ids":["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"],"source":["name","enabled"]}}},"schema":{"additionalProperties":false,"type":"object","properties":{"ids":{"description":"Array of workflow IDs to look up.","items":{"description":"Workflow ID.","maxLength":255,"type":"string"},"maxItems":500,"minItems":1,"type":"array"},"source":{"description":"Array of source fields to include.","items":{"description":"Source field.","maxLength":255,"type":"string"},"maxItems":10,"minItems":1,"type":"array"}},"required":["ids"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"mgetWorkflowsResponseExample":{"description":"Example response returning the requested workflows with projected fields","value":[{"enabled":true,"id":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","name":"Example definition"},{"enabled":false,"id":"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901","name":"Second workflow"}]}}}},"description":"Indicates a successful response"}},"summary":"Get workflows by IDs","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/workflows\/mget\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"ids\": [\"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890\", \"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901\"],\n  
  \"source\": [\"name\", \"enabled\"]\n  }'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows\/mget\n{\n  \"ids\": [\"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890\", \"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901\"],\n  \"source\": [\"name\", \"enabled\"]\n}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/schema":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/schema<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:read.","operationId":"get-workflows-schema","parameters":[{"description":"When true, returns a permissive schema that allows additional properties. 
When false, returns a strict schema for full validation.","in":"query","name":"loose","required":true,"schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getSchemaResponseExample":{"description":"Example response returning the workflow JSON schema (truncated)","value":{"$schema":"http:\/\/json-schema.org\/draft-07\/schema#","type":"object","properties":{"description":{"type":"string"},"enabled":{"default":true,"type":"boolean"},"name":{"minLength":1,"type":"string"},"tags":{"items":{"type":"string"},"type":"array"},"version":{"const":"1","default":"1","description":"The version of the workflow schema","type":"string"}},"required":["name","triggers","steps"]}}}}},"description":"Indicates a successful response"}},"summary":"Get workflow JSON schema","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows\/schema?loose=false\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows\/schema?loose=false\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/stats":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/stats<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:read OR 
workflowsManagement:readExecution.","operationId":"get-workflows-stats","parameters":[],"responses":{"200":{"content":{"application\/json":{"examples":{"getStatsResponseExample":{"description":"Example response with workflow counts and 30-day execution history","value":{"executions":[{"cancelled":1,"completed":45,"date":"2025-11-20","failed":2,"timestamp":"2025-11-20T00:00:00.000Z"},{"cancelled":0,"completed":50,"date":"2025-11-21","failed":0,"timestamp":"2025-11-21T00:00:00.000Z"}],"workflows":{"disabled":3,"enabled":12}}}}}},"description":"Indicates a successful response"}},"summary":"Get workflow statistics","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows\/stats\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows\/stats\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/step\/test":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/step\/test<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nExecute a single step from a workflow definition in test mode.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read.","operationId":"post-workflows-step-test","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"testStepRequestExample":{"description":"Example request to test a single workflow step","value":{"contextOverride":{"inputs":{"message":"override 
message"}},"stepId":"hello_world_step","workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","workflowYaml":"name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"contextOverride":{"additionalProperties":{"nullable":true},"description":"Context overrides for the step execution.","type":"object"},"executionContext":{"additionalProperties":{"nullable":true},"description":"Execution context for the step execution.","type":"object"},"stepId":{"description":"ID of the step to test.","type":"string"},"workflowId":{"description":"ID of the workflow containing the step.","type":"string"},"workflowYaml":{"description":"YAML definition of the workflow containing the step.","type":"string"}},"required":["stepId","contextOverride","workflowYaml"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"testStepResponseExample":{"description":"Example response returning the step test execution ID","value":{"workflowExecutionId":"step-test-exec-a1b2c3d4"}}}}},"description":"Indicates a successful response"}},"summary":"Test a workflow step","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/workflows\/step\/test\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"stepId\": \"hello_world_step\",\n    \"workflowId\": \"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890\",\n    \"workflowYaml\": \"name: Example definition\\nenabled: true\\ntriggers:\\n  - type: manual\\ninputs:\\n  - name: message\\n    type: string\\n    default: \\\"hello world\\\"\\nsteps:\\n  - name: hello_world_step\\n    type: console\\n    
with:\\n      message: \\\"{{ inputs.message }}\\\"\",\n    \"contextOverride\": { \"inputs\": { \"message\": \"override message\" } }\n  }'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows\/step\/test\n{\n  \"stepId\": \"hello_world_step\",\n  \"workflowId\": \"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890\",\n  \"workflowYaml\": \"name: Example definition\\nenabled: true\\ntriggers:\\n  - type: manual\\ninputs:\\n  - name: message\\n    type: string\\n    default: \\\"hello world\\\"\\nsteps:\\n  - name: hello_world_step\\n    type: console\\n    with:\\n      message: \\\"{{ inputs.message }}\\\"\",\n  \"contextOverride\": { \"inputs\": { \"message\": \"override message\" } }\n}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/test":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/test<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nExecute a workflow in test mode without requiring it to be saved or enabled. 
Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read.","operationId":"post-workflows-test","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"testWorkflowByIdRequestExample":{"description":"Example request to test a saved workflow by its ID","value":{"inputs":{"message":"test message"},"workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890"}},"testWorkflowByYamlRequestExample":{"description":"Example request to test an unsaved workflow YAML draft","value":{"inputs":{"message":"test message"},"workflowYaml":"name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"description":"Key-value inputs for the test execution.","type":"object"},"workflowId":{"description":"ID of an existing workflow to test.","type":"string"},"workflowYaml":{"description":"YAML definition to test.","type":"string"}},"required":["inputs"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"testWorkflowResponseExample":{"description":"Example response returning the test execution ID","value":{"workflowExecutionId":"test-exec-a1b2c3d4-e5f6"}}}}},"description":"Indicates a successful response"}},"summary":"Test a workflow","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST 
\"${KIBANA_URL}\/api\/workflows\/test\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"workflowId\": \"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890\",\n    \"inputs\": { \"message\": \"test message\" }\n  }'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows\/test\n{\n  \"workflowId\": \"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890\",\n  \"inputs\": { \"message\": \"test message\" }\n}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/workflow":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/workflow<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. 
An optional custom ID can be provided.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:create.","operationId":"post-workflows-workflow","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"createWorkflowRequestExample":{"description":"Example request for creating a workflow from a YAML definition","value":{"yaml":"name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"}},"createWorkflowWithIdRequestExample":{"description":"Example request for creating a workflow with a custom ID","value":{"id":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","yaml":"name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"id":{"maxLength":255,"minLength":3,"pattern":"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$","type":"string"},"yaml":{"maxLength":1048576,"type":"string"}},"required":["yaml"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"createWorkflowResponseExample":{"description":"Example response returning the created workflow","value":{"createdAt":"2025-11-20T10:30:00.000Z","createdBy":"elastic","definition":{"description":"This is a workflow example","enabled":true,"inputs":[{"default":"hello world","name":"message","type":"string"}],"name":"Example 
definition","steps":[{"name":"hello_world_step","type":"console","with":{"message":"{{ inputs.message }}"}}],"triggers":[{"type":"manual"}]},"description":"This is a workflow example","enabled":true,"id":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","lastUpdatedAt":"2025-11-20T10:30:00.000Z","lastUpdatedBy":"elastic","name":"Example definition","valid":true,"yaml":"name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"}}}}},"description":"Indicates a successful response"}},"summary":"Create a workflow","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/workflows\/workflow\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"yaml\": \"name: Example definition\\nenabled: true\\ndescription: This is a workflow example\\ntriggers:\\n  - type: manual\\ninputs:\\n  - name: message\\n    type: string\\n    default: \\\"hello world\\\"\\nsteps:\\n  - name: hello_world_step\\n    type: console\\n    with:\\n      message: \\\"{{ inputs.message }}\\\"\\n\"\n  }'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows\/workflow\n{\n  \"yaml\": \"name: Example definition\\nenabled: true\\ndescription: This is a workflow example\\ntriggers:\\n  - type: manual\\ninputs:\\n  - name: message\\n    type: string\\n    default: \\\"hello world\\\"\\nsteps:\\n  - name: hello_world_step\\n    type: console\\n    with:\\n      message: \\\"{{ inputs.message }}\\\"\\n\"\n}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/workflow\/{id}":{"delete":{"description":"**Spaces method and path for this 
operation:**\n\n<div><span class=\"operation-verb delete\">delete<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/workflow\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nDelete a single workflow by its ID.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:delete.","operationId":"delete-workflows-workflow-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Workflow ID","in":"path","name":"id","required":true,"schema":{"type":"string"}},{"description":"When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse.","in":"query","name":"force","required":false,"schema":{"default":false,"type":"boolean"}}],"responses":{"200":{"description":"Indicates a successful response"}},"summary":"Delete a workflow","tags":["workflows"],"x-codeSamples":[{"label":"Soft delete (default)","lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}\/api\/workflows\/workflow\/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"label":"Hard delete (permanent)","lang":"curl","source":"curl \\\n  -X DELETE \"${KIBANA_URL}\/api\/workflows\/workflow\/{id}?force=true\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"DELETE kbn:\/\/api\/workflows\/workflow\/{id}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/workflow\/{id}<\/span><\/div>\n\nRefer to 
[Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve a single workflow by its ID.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:read.","operationId":"get-workflows-workflow-id","parameters":[{"description":"Workflow ID","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getWorkflowResponseExample":{"description":"Example response returning a single workflow","value":{"createdAt":"2025-11-20T10:30:00.000Z","createdBy":"elastic","definition":{"description":"This is a workflow example","enabled":true,"inputs":[{"default":"hello world","name":"message","type":"string"}],"name":"Example definition","steps":[{"name":"hello_world_step","type":"console","with":{"message":"{{ inputs.message }}"}}],"triggers":[{"type":"manual"}]},"description":"This is a workflow example","enabled":true,"id":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","lastUpdatedAt":"2025-11-21T14:00:00.000Z","lastUpdatedBy":"elastic","name":"Example definition","valid":true,"yaml":"name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"}}}}},"description":"Indicates a successful response"}},"summary":"Get a workflow","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows\/workflow\/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows\/workflow\/{id}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb 
put\">put<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/workflow\/{id}<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nPartially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:update.","operationId":"put-workflows-workflow-id","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Workflow ID","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"updateWorkflowEnableExample":{"description":"Example request to enable a workflow and update its tags","value":{"enabled":true,"tags":["production"]}},"updateWorkflowFullExample":{"description":"Example request to update multiple workflow fields","value":{"description":"Updated workflow description","enabled":true,"name":"Updated example","tags":["example","updated"],"yaml":"name: Updated example\nenabled: true\ndescription: Updated workflow description\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"}}},"schema":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"enabled":{"type":"boolean"},"name":{"type":"string"},"tags":{"items":{"type":"string"},"type":"array"},"yaml":{"type":"string"}}}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"updateWorkflowResponseExample":{"description":"Example response returning the updated 
workflow","value":{"enabled":false,"id":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","lastUpdatedAt":"2026-03-23T13:38:59.568Z","lastUpdatedBy":"elastic","valid":true,"validationErrors":[]}}}}},"description":"Indicates a successful response"}},"summary":"Update a workflow","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X PUT \"${KIBANA_URL}\/api\/workflows\/workflow\/{id}\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"enabled\": true,\n    \"tags\": [\"production\"]\n  }'\n"},{"lang":"Console","source":"PUT kbn:\/\/api\/workflows\/workflow\/{id}\n{\n  \"enabled\": true,\n  \"tags\": [\"production\"]\n}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/workflow\/{id}\/clone":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/workflow\/{id}\/clone<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nCreate a copy of an existing workflow.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read.","operationId":"post-workflows-workflow-id-clone","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Workflow ID","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"cloneWorkflowResponseExample":{"description":"Example response returning the cloned workflow with a new ID","value":{"createdAt":"2025-11-22T11:00:00.000Z","createdBy":"elastic","definition":{"description":"This 
is a workflow example","enabled":false,"inputs":[{"default":"hello world","name":"message","type":"string"}],"name":"Example definition (copy)","steps":[{"name":"hello_world_step","type":"console","with":{"message":"{{ inputs.message }}"}}],"triggers":[{"type":"manual"}]},"description":"This is a workflow example","enabled":false,"id":"workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901","lastUpdatedAt":"2025-11-22T11:00:00.000Z","lastUpdatedBy":"elastic","name":"Example definition (copy)","valid":true,"yaml":"name: Example definition (copy)\nenabled: false\ndescription: This is a workflow example\ntriggers:\n  - type: manual\ninputs:\n  - name: message\n    type: string\n    default: \"hello world\"\nsteps:\n  - name: hello_world_step\n    type: console\n    with:\n      message: \"{{ inputs.message }}\"\n"}}}}},"description":"Indicates a successful response"}},"summary":"Clone a workflow","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/workflows\/workflow\/{id}\/clone\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows\/workflow\/{id}\/clone\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/workflow\/{id}\/run":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/workflow\/{id}\/run<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nExecute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. 
Returns an execution ID that can be used to monitor progress.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read.","operationId":"post-workflows-workflow-id-run","parameters":[{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Workflow ID","in":"path","name":"id","required":true,"schema":{"type":"string"}}],"requestBody":{"content":{"application\/json":{"examples":{"runWorkflowRequestExample":{"description":"Example request to execute a workflow with inputs","value":{"inputs":{"message":"hello from the API"}}}},"schema":{"additionalProperties":false,"type":"object","properties":{"inputs":{"additionalProperties":{"nullable":true},"description":"Key-value inputs for the workflow execution.","type":"object"},"metadata":{"additionalProperties":{"nullable":true},"description":"Optional metadata for the execution.","type":"object"}},"required":["inputs"]}}}},"responses":{"200":{"content":{"application\/json":{"examples":{"runWorkflowResponseExample":{"description":"Example response returning the execution ID","value":{"workflowExecutionId":"exec-a1b2c3d4-e5f6-7890"}}}}},"description":"Indicates a successful response"}},"summary":"Run a workflow","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/workflows\/workflow\/{id}\/run\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\" \\\n  -H \"Content-Type: application\/json\" \\\n  -d '{\n    \"inputs\": {\n      \"message\": \"hello from the API\"\n    }\n  }'\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows\/workflow\/{id}\/run\n{\n  \"inputs\": {\n    \"message\": \"hello from the API\"\n  }\n}\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/api\/workflows\/workflow\/{workflowId}\/executions":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/workflow\/{workflowId}\/executions<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve a paginated list of executions for a specific workflow.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:readExecution.","operationId":"get-workflows-workflow-workflowid-executions","parameters":[{"description":"Workflow ID","in":"path","name":"workflowId","required":true,"schema":{"type":"string"}},{"description":"Filter by execution status.","in":"query","name":"statuses","required":false,"schema":{"items":{"enum":["pending","waiting","waiting_for_input","running","completed","failed","cancelled","timed_out","skipped"],"type":"string"},"maxItems":9,"type":"array"}},{"description":"Filter by execution type.","in":"query","name":"executionTypes","required":false,"schema":{"items":{"enum":["test","production"],"type":"string"},"maxItems":2,"type":"array"}},{"description":"Filter by the user who triggered the execution.","in":"query","name":"executedBy","required":false,"schema":{"items":{"type":"string"},"maxItems":100,"type":"array"}},{"description":"Whether to exclude step-level execution data.","in":"query","name":"omitStepRuns","required":false,"schema":{"type":"boolean"}},{"description":"Page number.","in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"number"}},{"description":"Number of results per page.","in":"query","name":"size","required":false,"schema":{"maximum":100,"minimum":1,"type":"number"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getWorkflowExecutionsResponseExample":{"description":"Example response returning a paginated 
list of executions for a workflow","value":{"page":1,"results":[{"duration":3000,"error":null,"executedBy":"elastic","finishedAt":"2025-11-20T12:00:03.000Z","id":"exec-001","isTestRun":false,"spaceId":"default","startedAt":"2025-11-20T12:00:00.000Z","status":"completed","triggeredBy":"manual","workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890"},{"duration":2000,"error":{"message":"Step 'hello_world_step' failed"},"executedBy":"elastic","finishedAt":"2025-11-20T13:00:02.000Z","id":"exec-002","isTestRun":false,"spaceId":"default","startedAt":"2025-11-20T13:00:00.000Z","status":"failed","triggeredBy":"manual","workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890"}],"size":20,"total":2}}}}},"description":"Indicates a successful response"}},"summary":"Get workflow executions","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows\/workflow\/{workflowId}\/executions?page=1&size=20\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET kbn:\/\/api\/workflows\/workflow\/{workflowId}\/executions?page=1&size=20\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/workflow\/{workflowId}\/executions\/cancel":{"post":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb post\">post<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/workflow\/{workflowId}\/executions\/cancel<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRequest cancellation for all non-terminal executions of the given workflow in the current space.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:cancelExecution.","operationId":"post-workflows-workflow-workflowid-executions-cancel","parameters":[{"description":"A required header to protect 
against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},{"description":"Workflow ID","in":"path","name":"workflowId","required":true,"schema":{"type":"string"}}],"responses":{"200":{"description":"Indicates a successful response"}},"summary":"Cancel all active workflow executions","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X POST \"${KIBANA_URL}\/api\/workflows\/workflow\/{workflowId}\/executions\/cancel\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\" \\\n  -H \"kbn-xsrf: true\"\n"},{"lang":"Console","source":"POST kbn:\/\/api\/workflows\/workflow\/{workflowId}\/executions\/cancel\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/api\/workflows\/workflow\/{workflowId}\/executions\/steps":{"get":{"description":"**Spaces method and path for this operation:**\n\n<div><span class=\"operation-verb get\">get<\/span>&nbsp;<span class=\"operation-path\">\/s\/{space_id}\/api\/workflows\/workflow\/{workflowId}\/executions\/steps<\/span><\/div>\n\nRefer to [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces) for more information.\n\nRetrieve a paginated list of step-level execution records for a specific workflow. 
Optionally filter by step ID and include input or output data.<br\/><br\/>[Required authorization] Route required privileges: workflowsManagement:readExecution.","operationId":"get-workflows-workflow-workflowid-executions-steps","parameters":[{"description":"Workflow ID","in":"path","name":"workflowId","required":true,"schema":{"type":"string"}},{"description":"Filter by step ID.","in":"query","name":"stepId","required":false,"schema":{"type":"string"}},{"description":"Include step input data.","in":"query","name":"includeInput","required":false,"schema":{"type":"boolean"}},{"description":"Include step output data.","in":"query","name":"includeOutput","required":false,"schema":{"type":"boolean"}},{"description":"Page number for pagination.","in":"query","name":"page","required":false,"schema":{"minimum":1,"type":"number"}},{"description":"Number of results per page.","in":"query","name":"size","required":false,"schema":{"maximum":100,"minimum":1,"type":"number"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getWorkflowStepExecutionsResponseExample":{"description":"Example response returning step execution records for a workflow","value":{"results":[{"executionTimeMs":1000,"finishedAt":"2025-11-20T12:00:02.000Z","globalExecutionIndex":0,"id":"step-exec-001","input":{"message":"hello world"},"isTestRun":false,"scopeStack":[],"spaceId":"default","startedAt":"2025-11-20T12:00:01.000Z","status":"completed","stepExecutionIndex":0,"stepId":"hello_world_step","stepType":"console","topologicalIndex":0,"workflowId":"workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890","workflowRunId":"exec-001"}],"total":1}}}}},"description":"Indicates a successful response"}},"summary":"Get workflow step executions","tags":["workflows"],"x-codeSamples":[{"lang":"curl","source":"curl \\\n  -X GET \"${KIBANA_URL}\/api\/workflows\/workflow\/{workflowId}\/executions\/steps?includeInput=true\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n"},{"lang":"Console","source":"GET 
kbn:\/\/api\/workflows\/workflow\/{workflowId}\/executions\/steps?includeInput=true\n"}],"x-state":"Generally available","x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/s\/{spaceId}\/api\/observability\/slos":{"get":{"description":"You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"findSlosOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"},{"description":"A valid KQL query to filter the SLO with","example":"slo.name:latency* and slo.tags : \"prod\"","in":"query","name":"kqlQuery","schema":{"type":"string"}},{"description":"The page size to use for cursor-based pagination, must be greater than or equal to 1","example":1,"in":"query","name":"size","schema":{"default":1,"type":"integer"}},{"description":"The cursor to use for fetching the results from, when using cursor-based pagination.","in":"query","name":"searchAfter","schema":{"items":{"type":"string"},"type":"array"}},{"description":"The page to use for pagination, must be greater than or equal to 1","example":1,"in":"query","name":"page","schema":{"default":1,"type":"integer"}},{"description":"Number of SLOs returned per page","example":25,"in":"query","name":"perPage","schema":{"default":25,"maximum":5000,"type":"integer"}},{"description":"Sort by field","example":"status","in":"query","name":"sortBy","schema":{"default":"status","enum":["sli_value","status","error_budget_consumed","error_budget_remaining"],"type":"string"}},{"description":"Sort order","example":"asc","in":"query","name":"sortDirection","schema":{"default":"asc","enum":["asc","desc"],"type":"string"}},{"description":"Hide stale SLOs from the list as defined by the stale SLO threshold in SLO
settings","in":"query","name":"hideStale","schema":{"type":"boolean"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"findSloResponse":{"summary":"A paginated list of SLOs","value":{"page":1,"perPage":25,"results":[{"budgetingMethod":"occurrences","createdAt":"2025-01-12T10:03:19.000Z","description":"Availability of my web service","enabled":true,"groupBy":"*","id":"8853df00-ae2e-11ed-90af-09bb6422b258","indicator":{"params":{"filter":"field.environment : \"production\" and service.name : \"my-service\"","good":"request.status_code : \"2xx\"","index":"logs-*","timestampField":"@timestamp","total":"request.status_code : *"},"type":"sli.kql.custom"},"instanceId":"*","name":"My Service Availability","objective":{"target":0.99},"revision":1,"settings":{"frequency":"5m","syncDelay":"5m"},"summary":{"errorBudget":{"consumed":0.17,"initial":0.01,"isEstimated":false,"remaining":0.83},"sliValue":0.9983,"status":"HEALTHY"},"tags":["production","web-service"],"timeWindow":{"duration":"30d","type":"rolling"},"updatedAt":"2025-01-12T10:03:19.000Z","version":2}],"total":42}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_find_slo_response"}}},"description":"Successful request"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'invalid' supplied to: sortBy","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request [\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized 
response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_read] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"summary":"Not found","value":{"error":"Not Found","message":"SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found","statusCode":404}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Get a paginated list of SLOs","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"post":{"description":"You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"createSloOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"}],"requestBody":{"content":{"application\/json":{"examples":{"createSloKqlExample":{"summary":"Create an SLO with a KQL indicator","value":{"budgetingMethod":"occurrences","description":"Availability of my web service measured by successful HTTP responses","indicator":{"params":{"filter":"field.environment : \"production\" and service.name : \"my-service\"","good":"request.status_code : \"2xx\"","index":"logs-*","timestampField":"@timestamp","total":"request.status_code : *"},"type":"sli.kql.custom"},"name":"My Service Availability","objective":{"target":0.99},"settings":{"frequency":"5m","syncDelay":"5m"},"tags":["production","web-service"],"timeWindow":{"duration":"30d","type":"rolling"}}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_create_slo_request"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"createSloResponse":{"summary":"Create SLO 
response","value":{"id":"8853df00-ae2e-11ed-90af-09bb6422b258"}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_create_slo_response"}}},"description":"Successful request"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: indicator\/type","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request [\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_write] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"},"409":{"content":{"application\/json":{"examples":{"conflictExample":{"summary":"Conflict","value":{"error":"Conflict","message":"SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists","statusCode":409}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_409_response"}}},"description":"Conflict - The SLO id already exists"}},"summary":"Create an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/s\/{spaceId}\/api\/observability\/slos\/_bulk_delete":{"post":{"description":"Bulk delete SLO definitions and their associated summary and rollup data.  This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete.  
The status of the operation can be checked using the `GET \/api\/slo\/_bulk_delete\/{taskId}` endpoint.\n","operationId":"bulkDeleteOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"}],"requestBody":{"content":{"application\/json":{"examples":{"bulkDeleteRequest":{"summary":"Bulk delete two SLOs","value":{"list":["8853df00-ae2e-11ed-90af-09bb6422b258","d077e940-1515-11ee-9c50-9d096392f520"]}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_bulk_delete_request"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"bulkDeleteResponse":{"summary":"Bulk delete response with task ID","value":{"taskId":"d08506b7-f0e8-4f8b-a06a-a83940f4db91"}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_bulk_delete_response"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: list","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request [\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_write] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"}},"summary":"Bulk delete SLO definitions and their associated summary and rollup data.","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud 
Serverless","name":"product_name"}]}},"\/s\/{spaceId}\/api\/observability\/slos\/_bulk_delete\/{taskId}":{"get":{"description":"Retrieve the status of the bulk deletion operation for SLOs.  This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation.\n","operationId":"bulkDeleteStatusOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"},{"description":"The task id of the bulk delete operation","in":"path","name":"taskId","required":true,"schema":{"example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"bulkDeleteStatusComplete":{"summary":"Completed bulk deletion","value":{"isDone":true,"results":[{"id":"8853df00-ae2e-11ed-90af-09bb6422b258","success":true},{"id":"d077e940-1515-11ee-9c50-9d096392f520","success":true}]}},"bulkDeleteStatusPartialFailure":{"summary":"Completed with partial failure","value":{"isDone":true,"results":[{"id":"8853df00-ae2e-11ed-90af-09bb6422b258","success":true},{"error":"SLO [d077e940-1515-11ee-9c50-9d096392f520] not found","id":"d077e940-1515-11ee-9c50-9d096392f520","success":false}]}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_bulk_delete_status_response"}}},"description":"Successful response"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: taskId","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request 
[\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_write] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"}},"summary":"Retrieve the status of the bulk deletion","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/s\/{spaceId}\/api\/observability\/slos\/_bulk_purge_rollup":{"post":{"description":"The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"deleteRollupDataOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"}],"requestBody":{"content":{"application\/json":{"examples":{"purgeByAgeExample":{"summary":"Purge rollup data older than 7 days","value":{"list":["8853df00-ae2e-11ed-90af-09bb6422b258"],"purgePolicy":{"age":"7d","purgeType":"fixed-age"}}},"purgeByTimestampExample":{"summary":"Purge rollup data before a specific date","value":{"list":["8853df00-ae2e-11ed-90af-09bb6422b258","d077e940-1515-11ee-9c50-9d096392f520"],"purgePolicy":{"purgeType":"fixed-time","timestamp":"2024-12-31T00:00:00.000Z"}}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_bulk_purge_rollup_request"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"bulkPurgeResponse":{"summary":"Bulk purge response with task ID","value":{"taskId":"8853df00-ae2e-11ed-90af-09bb6422b258"}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_bulk_purge_rollup_response"}}},"description":"Successful 
request"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: purgePolicy\/purgeType","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request [\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_write] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"}},"summary":"Batch delete rollup and summary data","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/s\/{spaceId}\/api\/observability\/slos\/_delete_instances":{"post":{"description":"The deletion occurs for the specified list of `sloId` and `instanceId`. 
You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"deleteSloInstancesOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"}],"requestBody":{"content":{"application\/json":{"examples":{"deleteInstancesExample":{"summary":"Delete specific SLO instances","value":{"list":[{"instanceId":"host-abc123","sloId":"8853df00-ae2e-11ed-90af-09bb6422b258"},{"instanceId":"host-def456","sloId":"8853df00-ae2e-11ed-90af-09bb6422b258"}]}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_delete_slo_instances_request"}}},"required":true},"responses":{"204":{"description":"Successful request"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: list\/0\/sloId","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request [\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_write] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"}},"summary":"Batch delete rollup and summary data","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/s\/{spaceId}\/api\/observability\/slos\/{sloId}":{"delete":{"description":"You must have the `write` privileges for the **SLOs** 
feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"deleteSloOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"},{"$ref":"#\/components\/parameters\/SLOs_slo_id"}],"responses":{"204":{"description":"Successful request"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: id","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request [\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_write] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"summary":"Not found","value":{"error":"Not Found","message":"SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found","statusCode":404}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Delete an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"get":{"description":"You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature 
privileges.\n","operationId":"getSloOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"},{"$ref":"#\/components\/parameters\/SLOs_slo_id"},{"description":"the specific instanceId used by the summary calculation","example":"host-abcde","in":"query","name":"instanceId","schema":{"type":"string"}}],"responses":{"200":{"content":{"application\/json":{"examples":{"getSloResponse":{"summary":"Get SLO response","value":{"budgetingMethod":"occurrences","createdAt":"2025-01-12T10:03:19.000Z","description":"Availability of my web service","enabled":true,"groupBy":"*","id":"8853df00-ae2e-11ed-90af-09bb6422b258","indicator":{"params":{"filter":"field.environment : \"production\" and service.name : \"my-service\"","good":"request.status_code : \"2xx\"","index":"logs-*","timestampField":"@timestamp","total":"request.status_code : *"},"type":"sli.kql.custom"},"instanceId":"*","name":"My Service Availability","objective":{"target":0.99},"revision":1,"settings":{"frequency":"5m","syncDelay":"5m"},"summary":{"errorBudget":{"consumed":0.17,"initial":0.01,"isEstimated":false,"remaining":0.83},"sliValue":0.9983,"status":"HEALTHY"},"tags":["production","web-service"],"timeWindow":{"duration":"30d","type":"rolling"},"updatedAt":"2025-01-12T10:03:19.000Z","version":2}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_slo_with_summary_response"}}},"description":"Successful request"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: id","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request 
[\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_read] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"summary":"Not found","value":{"error":"Not Found","message":"SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found","statusCode":404}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Get an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]},"put":{"description":"You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"updateSloOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"},{"$ref":"#\/components\/parameters\/SLOs_slo_id"}],"requestBody":{"content":{"application\/json":{"examples":{"updateSloNameExample":{"summary":"Update the SLO name and tags","value":{"name":"Updated Service Availability","tags":["production","updated"]}},"updateSloObjectiveExample":{"summary":"Update the SLO objective","value":{"objective":{"target":0.995}}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_update_slo_request"}}},"required":true},"responses":{"200":{"content":{"application\/json":{"examples":{"updateSloResponse":{"summary":"Update SLO response","value":{"budgetingMethod":"occurrences","createdAt":"2025-01-12T10:03:19.000Z","description":"Availability of my web 
service","enabled":true,"groupBy":"*","id":"8853df00-ae2e-11ed-90af-09bb6422b258","indicator":{"params":{"filter":"field.environment : \"production\" and service.name : \"my-service\"","good":"request.status_code : \"2xx\"","index":"logs-*","timestampField":"@timestamp","total":"request.status_code : *"},"type":"sli.kql.custom"},"name":"Updated Service Availability","objective":{"target":0.99},"revision":2,"settings":{"frequency":"5m","syncDelay":"5m"},"tags":["production","updated"],"timeWindow":{"duration":"30d","type":"rolling"},"updatedAt":"2025-03-26T14:30:00.000Z","version":2}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_slo_definition_response"}}},"description":"Successful request"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: indicator\/type","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request [\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_write] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"summary":"Not found","value":{"error":"Not Found","message":"SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found","statusCode":404}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_404_response"}}},"description":"Not found 
response"}},"summary":"Update an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/s\/{spaceId}\/api\/observability\/slos\/{sloId}\/_reset":{"post":{"description":"You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"resetSloOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"},{"$ref":"#\/components\/parameters\/SLOs_slo_id"}],"responses":{"200":{"content":{"application\/json":{"examples":{"resetSloResponse":{"summary":"Reset SLO response","value":{"budgetingMethod":"occurrences","createdAt":"2025-01-12T10:03:19.000Z","description":"Availability of my web service","enabled":true,"groupBy":"*","id":"8853df00-ae2e-11ed-90af-09bb6422b258","indicator":{"params":{"filter":"field.environment : \"production\" and service.name : \"my-service\"","good":"request.status_code : \"2xx\"","index":"logs-*","timestampField":"@timestamp","total":"request.status_code : *"},"type":"sli.kql.custom"},"name":"My Service Availability","objective":{"target":0.99},"revision":2,"settings":{"frequency":"5m","syncDelay":"5m"},"tags":["production","web-service"],"timeWindow":{"duration":"30d","type":"rolling"},"updatedAt":"2025-03-26T14:30:00.000Z","version":2}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_slo_definition_response"}}},"description":"Successful request"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: id","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request 
[\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_write] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"summary":"Not found","value":{"error":"Not Found","message":"SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found","statusCode":404}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Reset an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/s\/{spaceId}\/api\/observability\/slos\/{sloId}\/disable":{"post":{"description":"You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"disableSloOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"},{"$ref":"#\/components\/parameters\/SLOs_slo_id"}],"responses":{"204":{"description":"Successful request"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: id","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request 
[\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_write] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"summary":"Not found","value":{"error":"Not Found","message":"SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found","statusCode":404}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Disable an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/s\/{spaceId}\/api\/observability\/slos\/{sloId}\/enable":{"post":{"description":"You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"enableSloOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"},{"$ref":"#\/components\/parameters\/SLOs_slo_id"}],"responses":{"204":{"description":"Successful request"},"400":{"content":{"application\/json":{"examples":{"badRequestExample":{"summary":"Bad request","value":{"error":"Bad Request","message":"Invalid value 'foo' supplied to: id","statusCode":400}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"examples":{"unauthorizedExample":{"summary":"Unauthorized","value":{"error":"Unauthorized","message":"security_exception: unable to authenticate user for REST request 
[\/api\/observability\/slos]","statusCode":401}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"examples":{"forbiddenExample":{"summary":"Forbidden","value":{"error":"Forbidden","message":"security_exception: action [slo_write] is unauthorized for user","statusCode":403}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"},"404":{"content":{"application\/json":{"examples":{"notFoundExample":{"summary":"Not found","value":{"error":"Not Found","message":"SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found","statusCode":404}}},"schema":{"$ref":"#\/components\/schemas\/SLOs_404_response"}}},"description":"Not found response"}},"summary":"Enable an SLO","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}},"\/s\/{spaceId}\/internal\/observability\/slos\/_definitions":{"get":{"description":"You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.\n","operationId":"getDefinitionsOp","parameters":[{"$ref":"#\/components\/parameters\/SLOs_kbn_xsrf"},{"$ref":"#\/components\/parameters\/SLOs_space_id"},{"description":"Indicates if the API returns only outdated SLO or all SLO definitions","in":"query","name":"includeOutdatedOnly","schema":{"type":"boolean"}},{"description":"Indicates if the API returns SLO health data with definitions","example":true,"in":"query","name":"includeHealth","schema":{"type":"boolean"}},{"description":"Filters the SLOs by tag","in":"query","name":"tags","schema":{"type":"string"}},{"description":"Filters the SLOs by name","example":"my service availability","in":"query","name":"search","schema":{"type":"string"}},{"description":"The page to use for pagination, must be greater or equal than 1","example":1,"in":"query","name":"page","schema":{"type":"number"}},{"description":"Number of SLOs 
returned by page","example":100,"in":"query","name":"perPage","schema":{"default":100,"maximum":1000,"type":"integer"}}],"responses":{"200":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/SLOs_find_slo_definitions_response"}}},"description":"Successful request"},"400":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/SLOs_400_response"}}},"description":"Bad request"},"401":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/SLOs_401_response"}}},"description":"Unauthorized response"},"403":{"content":{"application\/json":{"schema":{"$ref":"#\/components\/schemas\/SLOs_403_response"}}},"description":"Forbidden response"}},"summary":"Get the SLO definitions","tags":["slo"],"x-metaTags":[{"content":"Kibana, Elastic Cloud Serverless","name":"product_name"}]}}},"components":{"examples":{"APM_UI_agent_configuration_environments_200_response1":{"description":"An example of a successful response from `GET \/api\/apm\/settings\/agent-configuration\/environments`.","value":{"environments":[{"alreadyConfigured":true,"name":"production"},{"alreadyConfigured":false,"name":"development"},{"alreadyConfigured":false,"name":"ALL_OPTION_VALUE"}]}},"APM_UI_agent_configuration_intake_object_delete_200_response1":{"description":"An example of a successful response from `DELETE \/api\/apm\/settings\/agent-configuration`.","value":{"result":"deleted"}},"APM_UI_agent_configuration_intake_object_delete_request1":{"description":"Run `DELETE \/api\/apm\/settings\/agent-configuration` to delete a configuration.","value":{"service":{"environment":"production","name":"frontend"}}},"APM_UI_agent_configuration_intake_object_get_200_response1":{"description":"An example of a successful response from `GET 
\/api\/apm\/settings\/agent-configuration`.","value":[{"@timestamp":1581934104843,"agent_name":"go","applied_by_agent":false,"etag":"1e58c178efeebae15c25c539da740d21dee422fc","service":{"environment":"production","name":"opbeans-go"},"settings":{"capture_body":"off","transaction_max_spans":"200","transaction_sample_rate":"1"}},{"@timestamp":1581934111727,"agent_name":"go","applied_by_agent":false,"etag":"3eed916d3db434d9fb7f039daa681c7a04539a64","service":{"name":"opbeans-go"},"settings":{"capture_body":"off","transaction_max_spans":"300","transaction_sample_rate":"1"}},{"@timestamp":1582031336265,"agent_name":"nodejs","applied_by_agent":false,"etag":"5080ed25785b7b19f32713681e79f46996801a5b","service":{"name":"frontend"},"settings":{"transaction_sample_rate":"1"}}]},"APM_UI_agent_configuration_intake_object_put_200_response1":{"description":"An example of a successful response from `PUT \/api\/apm\/settings\/agent-configuration`. The response body is intentionally empty.","value":{}},"APM_UI_agent_configuration_intake_object_put_request1":{"description":"Run `PUT \/api\/apm\/settings\/agent-configuration` to create or update configuration details.","value":{"agent_name":"nodejs","service":{"environment":"production","name":"frontend"},"settings":{"capture_body":"off","transaction_max_spans":"500","transaction_sample_rate":"0.4"}}},"APM_UI_agent_configuration_intake_object_search_200_response1":{"description":"An example of a successful response from `POST \/api\/apm\/settings\/agent-configuration\/search`.","value":{"_id":"CIaqXXABmQCdPphWj8EJ","_index":".apm-agent-configuration","_score":2,"_source":{"@timestamp":1582031336265,"agent_name":"nodejs","applied_by_agent":false,"etag":"5080ed25785b7b19f32713681e79f46996801a5b","service":{"name":"frontend"},"settings":{"transaction_sample_rate":"1"}}}},"APM_UI_agent_configuration_intake_object_search_request1":{"description":"Run `POST \/api\/apm\/settings\/agent-configuration\/search` to search configuration 
details.","value":{"etag":"1e58c178efeebae15c25c539da740d21dee422fc","service":{"environment":"production","name":"frontend"}}},"APM_UI_agent_configuration_intake_object_view_200_response1":{"description":"An example of a successful response from `GET \/api\/apm\/settings\/agent-configuration\/view`.","value":{"@timestamp":1582031336265,"agent_name":"nodejs","applied_by_agent":true,"etag":"5080ed25785b7b19f32713681e79f46996801a5b","id":"CIaqXXABmQCdPphWj8EJ","service":{"environment":"production","name":"frontend"},"settings":{"capture_body":"off","transaction_max_spans":"500","transaction_sample_rate":"0.4"}}},"APM_UI_agent_keys_object_post_200_response1":{"description":"An example of a successful response from `POST \/api\/apm\/agent_keys`, which creates an APM agent API key.","value":{"agentKey":{"api_key":"PjGloCGOTzaZr8ilUPvkjA","encoded":"M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ==","id":"3DCLmn0B3ZMhLUa7WBG9","name":"apm-key"}}},"APM_UI_agent_keys_object_post_request1":{"description":"Run `POST \/api\/apm\/agent_keys` to create an APM agent API key with the specified privileges.","value":{"name":"apm-key","privileges":["event:write","config_agent:read"]}},"APM_UI_annotation_object_post_200_response1":{"description":"An example of a successful response from `POST \/api\/apm\/services\/opbeans-java\/annotation`, which creates an annotation for a service named `opbeans-java`.","value":{"_id":"Lc9I93EBh6DbmkeV7nFX","_index":"observability-annotations","_primary_term":1,"_seq_no":12,"_source":{"@timestamp":"2020-05-08T10:31:30.452Z","annotation":{"type":"deployment"},"event":{"created":"2020-05-09T02:34:43.937Z"},"message":"Deployment 1.2","service":{"name":"opbeans-java","version":"1.2"},"tags":["apm","elastic.co","customer"]},"_version":1,"found":true}},"APM_UI_annotation_object_post_request1":{"description":"Run `POST \/api\/apm\/services\/{serviceName}\/annotation` to create a deployment annotation for a 
service.","value":{"@timestamp":"2024-01-15T12:00:00.000Z","message":"Deployment 1.2.0","service":{"environment":"production","version":"1.2.0"},"tags":["apm","deployment"]}},"APM_UI_fleet_apm_server_schema_200_response1":{"description":"An example of a successful response from `POST \/api\/apm\/fleet\/apm_server_schema`. The response body is intentionally empty.","value":{}},"APM_UI_source_maps_delete_200_response1":{"description":"An example of a successful response from `DELETE \/api\/apm\/sourcemaps\/{id}`. The response body is intentionally empty.","value":{}},"APM_UI_source_maps_get_200_response1":{"description":"A successful response from `GET \/api\/apm\/sourcemaps`.","value":{"artifacts":[{"body":{"bundleFilepath":"\/test\/e2e\/general-usecase\/bundle.js","serviceName":"foo","serviceVersion":"1.0.0","sourceMap":{"file":"static\/js\/main.chunk.js","mappings":"mapping","sourceRoot":"","sources":["fleet-source-map-client\/src\/index.css","fleet-source-map-client\/src\/App.js","webpack:\/\/\/.\/src\/index.css?bb0a","fleet-source-map-client\/src\/index.js","fleet-source-map-client\/src\/reportWebVitals.js"],"sourcesContent":["content"],"version":3}},"compressionAlgorithm":"zlib","created":"2021-07-09T20:47:44.812Z","decodedSha256":"644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456","decodedSize":441,"encodedSha256":"024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24","encodedSize":237,"encryptionAlgorithm":"none","id":"apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456","identifier":"foo-1.0.0","packageName":"apm","relative_url":"\/api\/fleet\/artifacts\/foo-1.0.0\/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456","type":"sourcemap"}]}},"APM_UI_source_maps_upload_200_response1":{"description":"A successful response from `POST 
\/api\/apm\/sourcemaps`.","value":{"body":"eJyFkL1OwzAUhd\/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q\/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V\/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO\/p5hCSC4cZPByrp\/wFqOklbpefwAhzpqI","compressionAlgorithm":"zlib","created":"2021-07-09T20:47:44.812Z","decodedSha256":"644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456","decodedSize":441,"encodedSha256":"024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24","encodedSize":237,"encryptionAlgorithm":"none","id":"apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456","identifier":"foo-1.0.0","packageName":"apm","relative_url":"\/api\/fleet\/artifacts\/foo-1.0.0\/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456","type":"sourcemap"}},"Data_views_create_data_view_request":{"description":"Create a data view for logstash indices that includes a runtime field which extracts the shape name from a source field.","summary":"Create a data view with runtime fields.","value":{"data_view":{"name":"My Logstash data view","runtimeFieldMap":{"runtime_shape_name":{"script":{"source":"emit(doc['shape_name'].value)"},"type":"keyword"}},"title":"logstash-*"}}},"Data_views_create_runtime_field_request":{"description":"Create a long-type runtime field that emits a value derived from the foo source field.","summary":"Create a runtime field.","value":{"name":"runtimeFoo","runtimeField":{"script":{"source":"emit(doc[\"foo\"].value)"},"type":"long"}}},"Data_views_get_data_view_response":{"description":"A complete data view object including all fields, runtime fields, and metadata.","summary":"The get data view API returns a JSON object that contains information about the data 
view.","value":{"data_view":{"allowNoIndex":false,"fieldAttrs":{"products.manufacturer":{"count":1},"products.price":{"count":1},"products.product_name":{"count":1},"total_quantity":{"count":1}},"fieldFormats":{"products.base_price":{"id":"number","params":{"pattern":"$0,0.00"}},"products.base_unit_price":{"id":"number","params":{"pattern":"$0,0.00"}},"products.min_price":{"id":"number","params":{"pattern":"$0,0.00"}},"products.price":{"id":"number","params":{"pattern":"$0,0.00"}},"products.taxful_price":{"id":"number","params":{"pattern":"$0,0.00"}},"products.taxless_price":{"id":"number","params":{"pattern":"$0,0.00"}},"taxful_total_price":{"id":"number","params":{"pattern":"$0,0.[00]"}},"taxless_total_price":{"id":"number","params":{"pattern":"$0,0.00"}}},"fields":{"_id":{"aggregatable":false,"count":0,"esTypes":["_id"],"format":{"id":"string"},"isMapped":true,"name":"_id","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"_index":{"aggregatable":true,"count":0,"esTypes":["_index"],"format":{"id":"string"},"isMapped":true,"name":"_index","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"_score":{"aggregatable":false,"count":0,"format":{"id":"number"},"isMapped":true,"name":"_score","readFromDocValues":false,"scripted":false,"searchable":false,"shortDotsEnable":false,"type":"number"},"_source":{"aggregatable":false,"count":0,"esTypes":["_source"],"format":{"id":"_source"},"isMapped":true,"name":"_source","readFromDocValues":false,"scripted":false,"searchable":false,"shortDotsEnable":false,"type":"_source"},"category":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"category","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"category.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"category.keyword"
,"readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"category"}},"type":"string"},"currency":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"currency","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_birth_date":{"aggregatable":true,"count":0,"esTypes":["date"],"format":{"id":"date"},"isMapped":true,"name":"customer_birth_date","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"date"},"customer_first_name":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"customer_first_name","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_first_name.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_first_name.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"customer_first_name"}},"type":"string"},"customer_full_name":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"customer_full_name","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_full_name.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_full_name.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"customer_full_name"}},"type":"string"},"customer_gender":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_gender","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_id":{"aggregatable":true,"coun
t":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_id","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_last_name":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"customer_last_name","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"customer_last_name.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_last_name.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"customer_last_name"}},"type":"string"},"customer_phone":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"customer_phone","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"day_of_week":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"day_of_week","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"day_of_week_i":{"aggregatable":true,"count":0,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"day_of_week_i","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"email":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"email","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"event.dataset":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"event.dataset","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"geoip.city_name":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapp
ed":true,"name":"geoip.city_name","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"geoip.continent_name":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"geoip.continent_name","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"geoip.country_iso_code":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"geoip.country_iso_code","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"geoip.location":{"aggregatable":true,"count":0,"esTypes":["geo_point"],"format":{"id":"geo_point","params":{"transform":"wkt"}},"isMapped":true,"name":"geoip.location","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"geo_point"},"geoip.region_name":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"geoip.region_name","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"manufacturer":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"manufacturer","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"manufacturer.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"manufacturer.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"manufacturer"}},"type":"string"},"order_date":{"aggregatable":true,"count":0,"esTypes":["date"],"format":{"id":"date"},"isMapped":true,"name":"order_date","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"date"},"order_id":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true
,"name":"order_id","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products._id":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"products._id","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products._id.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"products._id.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"products._id"}},"type":"string"},"products.base_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.base_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.base_unit_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.base_unit_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.category":{"aggregatable":false,"count":0,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"products.category","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products.category.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"products.category.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"products.category"}},"type":"string"},"products.created_on":{"aggregatable":true,"count":0,"esTypes":["date"],"format":{"id":"date"},"isMapped":true,"name":"products.created_on","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"dat
e"},"products.discount_amount":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number"},"isMapped":true,"name":"products.discount_amount","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.discount_percentage":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number"},"isMapped":true,"name":"products.discount_percentage","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.manufacturer":{"aggregatable":false,"count":1,"esTypes":["text"],"format":{"id":"string"},"isMapped":true,"name":"products.manufacturer","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products.manufacturer.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"products.manufacturer.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"products.manufacturer"}},"type":"string"},"products.min_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.min_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.price":{"aggregatable":true,"count":1,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.product_id":{"aggregatable":true,"count":0,"esTypes":["long"],"format":{"id":"number"},"isMapped":true,"name":"products.product_id","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.product_name":{"aggregatable":false,"count":1,"esTypes":["text"],"format":{"id":"string"},"isMapped
":true,"name":"products.product_name","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products.product_name.keyword":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"products.product_name.keyword","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"subType":{"multi":{"parent":"products.product_name"}},"type":"string"},"products.quantity":{"aggregatable":true,"count":0,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"products.quantity","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.sku":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"products.sku","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"products.tax_amount":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number"},"isMapped":true,"name":"products.tax_amount","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.taxful_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.taxful_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.taxless_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"products.taxless_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"products.unit_discount_amount":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number"},"isMapped":true,"name":"products.unit_discount_amount","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":
false,"type":"number"},"sku":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"sku","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"taxful_total_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.[00]"}},"isMapped":true,"name":"taxful_total_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"taxless_total_price":{"aggregatable":true,"count":0,"esTypes":["half_float"],"format":{"id":"number","params":{"pattern":"$0,0.00"}},"isMapped":true,"name":"taxless_total_price","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"total_quantity":{"aggregatable":true,"count":1,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"total_quantity","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"total_unique_products":{"aggregatable":true,"count":0,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"total_unique_products","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"type":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"type","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"user":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"user","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"}},"id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","name":"Kibana Sample Data 
eCommerce","namespaces":["default"],"runtimeFieldMap":{},"sourceFilters":[],"timeFieldName":"order_date","title":"kibana_sample_data_ecommerce","typeMeta":{},"version":"WzUsMV0="}}},"Data_views_get_data_views_response":{"description":"A list of available data views including their identifiers, names, and index patterns.","summary":"The get all data views API returns a list of data views.","value":{"data_view":[{"id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","name":"Kibana Sample Data eCommerce","namespaces":["default"],"title":"kibana_sample_data_ecommerce","typeMeta":{}},{"id":"d3d7af60-4c81-11e8-b3d7-01146121b73d","name":"Kibana Sample Data Flights","namespaces":["default"],"title":"kibana_sample_data_flights"},{"id":"90943e30-9a47-11e8-b64d-95841ca0b247","name":"Kibana Sample Data Logs","namespaces":["default"],"title":"kibana_sample_data_logs"}]}},"Data_views_get_default_data_view_response":{"description":"The identifier of the default data view for the current Kibana space.","summary":"The get default data view API returns the default data view identifier.","value":{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f"}},"Data_views_get_runtime_field_response":{"description":"The runtime field definition along with the parent data view.","summary":"The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view 
(`d3d7af60-4c81-11e8-b3d7-01146121b73d`).","value":{"data_view":{"allowNoIndex":false,"fieldAttrs":{},"fieldFormats":{"AvgTicketPrice":{"id":"number","params":{"pattern":"$0,0.[00]"}},"hour_of_day":{"id":"number","params":{"pattern":"00"}}},"fields":{"_id":{"aggregatable":false,"count":0,"esTypes":["_id"],"format":{"id":"string"},"isMapped":true,"name":"_id","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"_index":{"aggregatable":true,"count":0,"esTypes":["_index"],"format":{"id":"string"},"isMapped":true,"name":"_index","readFromDocValues":false,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"_score":{"aggregatable":false,"count":0,"format":{"id":"number"},"isMapped":true,"name":"_score","readFromDocValues":false,"scripted":false,"searchable":false,"shortDotsEnable":false,"type":"number"},"_source":{"aggregatable":false,"count":0,"esTypes":["_source"],"format":{"id":"_source"},"isMapped":true,"name":"_source","readFromDocValues":false,"scripted":false,"searchable":false,"shortDotsEnable":false,"type":"_source"},"AvgTicketPrice":{"aggregatable":true,"count":0,"esTypes":["float"],"format":{"id":"number","params":{"pattern":"$0,0.[00]"}},"isMapped":true,"name":"AvgTicketPrice","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"Cancelled":{"aggregatable":true,"count":0,"esTypes":["boolean"],"format":{"id":"boolean"},"isMapped":true,"name":"Cancelled","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"boolean"},"Carrier":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"Carrier","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"dayOfWeek":{"aggregatable":true,"count":0,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"dayOfWeek","readFromDocValues":true,"scripted":false,"sear
chable":true,"shortDotsEnable":false,"type":"number"},"Dest":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"Dest","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DestAirportID":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"DestAirportID","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DestCityName":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"DestCityName","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DestCountry":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"DestCountry","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DestLocation":{"aggregatable":true,"count":0,"esTypes":["geo_point"],"format":{"id":"geo_point","params":{"transform":"wkt"}},"isMapped":true,"name":"DestLocation","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"geo_point"},"DestRegion":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"DestRegion","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DestWeather":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"DestWeather","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"DistanceKilometers":{"aggregatable":true,"count":0,"esTypes":["float"],"format":{"id":"number"},"isMapped":true,"name":"DistanceKilometers","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"DistanceMiles":{"aggregatable":true,"count":0,"esTypes":["float"
],"format":{"id":"number"},"isMapped":true,"name":"DistanceMiles","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"FlightDelay":{"aggregatable":true,"count":0,"esTypes":["boolean"],"format":{"id":"boolean"},"isMapped":true,"name":"FlightDelay","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"boolean"},"FlightDelayMin":{"aggregatable":true,"count":0,"esTypes":["integer"],"format":{"id":"number"},"isMapped":true,"name":"FlightDelayMin","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"FlightDelayType":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"FlightDelayType","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"FlightNum":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"FlightNum","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"FlightTimeHour":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"FlightTimeHour","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"FlightTimeMin":{"aggregatable":true,"count":0,"esTypes":["float"],"format":{"id":"number"},"isMapped":true,"name":"FlightTimeMin","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"hour_of_day":{"aggregatable":true,"count":0,"esTypes":["long"],"format":{"id":"number","params":{"pattern":"00"}},"name":"hour_of_day","readFromDocValues":false,"runtimeField":{"script":{"source":"emit(doc['timestamp'].value.getHour());"},"type":"long"},"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"},"Origin":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true
,"name":"Origin","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"OriginAirportID":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"OriginAirportID","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"OriginCityName":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"OriginCityName","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"OriginCountry":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"OriginCountry","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"OriginLocation":{"aggregatable":true,"count":0,"esTypes":["geo_point"],"format":{"id":"geo_point","params":{"transform":"wkt"}},"isMapped":true,"name":"OriginLocation","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"geo_point"},"OriginRegion":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"OriginRegion","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"OriginWeather":{"aggregatable":true,"count":0,"esTypes":["keyword"],"format":{"id":"string"},"isMapped":true,"name":"OriginWeather","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"string"},"timestamp":{"aggregatable":true,"count":0,"esTypes":["date"],"format":{"id":"date"},"isMapped":true,"name":"timestamp","readFromDocValues":true,"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"date"}},"id":"d3d7af60-4c81-11e8-b3d7-01146121b73d","name":"Kibana Sample Data 
Flights","runtimeFieldMap":{"hour_of_day":{"script":{"source":"emit(doc['timestamp'].value.getHour());"},"type":"long"}},"sourceFilters":[],"timeFieldName":"timestamp","title":"kibana_sample_data_flights","version":"WzM2LDJd"},"fields":[{"aggregatable":true,"count":0,"esTypes":["long"],"name":"hour_of_day","readFromDocValues":false,"runtimeField":{"script":{"source":"emit(doc['timestamp'].value.getHour());"},"type":"long"},"scripted":false,"searchable":true,"shortDotsEnable":false,"type":"number"}]}},"Data_views_preview_swap_data_view_request":{"description":"Preview the saved objects that would be affected by swapping references from one data view to another.","summary":"Preview swapping references from data view ID \"abcd-efg\" to \"xyz-123\".","value":{"fromId":"abcd-efg","toId":"xyz-123"}},"Data_views_set_default_data_view_request":{"description":"Set the default data view, using the force flag to overwrite an existing default.","summary":"Set the default data view identifier.","value":{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}},"Data_views_swap_data_view_request":{"description":"Swap all saved object references from one data view to another and delete the source data view afterward.","summary":"Swap references from data view ID \"abcd-efg\" to \"xyz-123\" and remove the data view that is no longer referenced.","value":{"delete":true,"fromId":"abcd-efg","toId":"xyz-123"}},"Data_views_update_data_view_request":{"description":"Update the title, time field, and other properties of an existing data view.","summary":"Update some properties for a data view.","value":{"data_view":{"allowNoIndex":false,"name":"Kibana Sample Data eCommerce","timeFieldName":"order_date","title":"kibana_sample_data_ecommerce"},"refresh_fields":true}},"Data_views_update_field_metadata_request":{"description":"Update the popularity count, custom label, and custom description for specific fields in a data view.","summary":"Update metadata for multiple 
fields.","value":{"fields":{"field1":{"count":123,"customLabel":"Field 1 label"},"field2":{"customDescription":"Field 2 description","customLabel":"Field 2 label"}}}},"Data_views_update_runtime_field_request":{"description":"Update the script of an existing runtime field.","summary":"Update an existing runtime field on a data view.","value":{"runtimeField":{"script":{"source":"emit(doc[\"bar\"].value)"}}}},"Machine_learning_APIs_mlSync401Example":{"summary":"Two anomaly detection jobs required synchronization in this example.","value":{"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [\/_security\/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [\/_security\/_authenticate]","statusCode":401}},"Machine_learning_APIs_mlSyncExample":{"summary":"Two anomaly detection jobs required synchronization in this example.","value":{"datafeedsAdded":{},"datafeedsRemoved":{},"savedObjectsCreated":{"anomaly-detector":{"myjob1":{"success":true},"myjob2":{"success":true}}},"savedObjectsDeleted":{}}},"Observability_AI_Assistant_API_ChatCompleteRequestExample":{"summary":"Example of completing a chat interaction","value":"{\n  \"connectorId\": \"<connectorId>\",\n  \"disableFunctions\": false,\n  \"messages\": [\n    {\n      \"@timestamp\": \"2025-06-25T23:45:00.000Z\",\n      \"message\": {\n        \"role\": \"user\",\n        \"content\": \"Is my Elasticsearch cluster healthy right now?\"\n      }\n    }\n  ],\n  \"persist\": false,\n  \"actions\": [\n    {\n      \"name\": \"get_cluster_health\",\n      \"description\": \"Fetch the current Elasticsearch cluster-health status and key metrics.\",\n      \"parameters\": {\n        \"type\": \"object\",\n        \"properties\": {\n          \"includeShardStats\": {\n            \"type\": \"boolean\",\n            \"default\": false\n          }\n        }\n      }\n    }\n  ],\n  \"instructions\": [\"When 
the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English.\"]\n}\n"},"Observability_AI_Assistant_API_ChatCompleteResponseExample":{"summary":"Get a chat completion from the Observability AI Assistant","value":"data: {\"model\":\"unknown\",\"choices\":[{\"delta\":{\"content\":\"\",\"function_call\":{\"name\":\"get_cluster_health\",\"arguments\":\"{\\\"includeShardStats\\\":true}\"}},\"finish_reason\":null,\"index\":0}],\"created\":1750936626911,\"id\":\"9c8eff9b-4fd4-4203-a4ab-2e364688deff\",\"object\":\"chat.completion.chunk\"}\n\ndata: [DONE]\n"},"Security_Detections_API_SetAlertAssigneesBodyAdd":{"value":{"assignees":{"add":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"],"remove":[]},"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"]}},"Security_Detections_API_SetAlertAssigneesBodyRemove":{"value":{"assignees":{"add":[],"remove":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"]},"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"]}},"Security_Detections_API_SetAlertTagsBodyAdd":{"value":{"ids":["549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"],"tags":{"tags_to_add":["Duplicate"],"tags_to_remove":[]}}},"Security_Detections_API_SetAlertTagsBodyRemove":{"value":{"ids":["549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e"],"tags":{"tags_to_add":[],"tags_to_remove":["Duplicate"]}}},"Task_manager_health_Serverless_APIs_health_200response_serverless":{"description":"A successful response from `GET api\/task_manager\/_health`.","value":"{\n  \"id\": \"b44483e1-3ba2-4f28-93d0-1d96c69c32c1\",\n  \"timestamp\": \"2025-03-21T21:49:50.409Z\",\n  \"status\": \"OK\",\n  \"last_update\": \"2025-03-21T21:48:53.996Z\",\n  \"stats\": {\n    \"configuration\": {\n      \"timestamp\": \"2025-03-21T21:47:51.663Z\",\n      \"value\": {\n        \"request_capacity\": 1000,\n        
\"monitored_aggregated_stats_refresh_rate\": 60000,\n        \"monitored_stats_running_average_window\": 50,\n        \"monitored_task_execution_thresholds\": {\n          \"custom\": {},\n          \"default\": {\n            \"error_threshold\": 90,\n            \"warn_threshold\": 80\n          }\n        },\n        \"claim_strategy\": \"mget\",\n        \"poll_interval\": 500,\n        \"capacity\": {\n          \"config\": 10,\n          \"as_workers\": 10,\n          \"as_cost\": 20\n        }\n      },\n      \"status\": \"OK\"\n    },\n    \"workload\": {\n      \"timestamp\": \"2025-03-21T21:48:53.996Z\",\n      \"value\": {\n        \"count\": 21,\n        \"cost\": 42,\n        \"task_types\": {\n          \"Fleet-Metrics-Task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"Fleet-Usage-Logger\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"Fleet-Usage-Sender\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"ML:saved-objects-sync\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"actions:connector_usage_reporting\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"actions_telemetry\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"alerting_health_check\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"alerting_telemetry\": {\n            
\"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"alerts_invalidate_api_keys\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"cases-telemetry-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"dashboard_telemetry\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"fleet:automatic-agent-upgrade-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"fleet:check-deleted-files-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"fleet:delete-unenrolled-agents-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"fleet:sync-integrations-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"fleet:unenroll-inactive-agents-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"fleet:upgrade-agentless-deployments-task\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"session_cleanup\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          
\"task_manager:delete_inactive_background_task_nodes\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          },\n          \"task_manager:mark_removed_tasks_as_unrecognized\": {\n            \"count\": 1,\n            \"cost\": 2,\n            \"status\": {\n              \"idle\": 1\n            }\n          }\n        },\n        \"non_recurring\": 1,\n        \"non_recurring_cost\": 2,\n        \"schedule\": [\n          [\n            \"1m\",\n            2\n          ],\n          [\n            \"5m\",\n            2\n          ],\n          [\n            \"10m\",\n            1\n          ],\n          [\n            \"15m\",\n            1\n          ],\n          [\n            \"30m\",\n            1\n          ],\n          [\n            \"1h\",\n            5\n          ],\n          [\n            \"3600s\",\n            1\n          ],\n          [\n            \"60m\",\n            1\n          ],\n          [\n            \"720m\",\n            1\n          ],\n          [\n            \"1d\",\n            4\n          ],\n          [\n            \"1440m\",\n            1\n          ]\n        ],\n        \"overdue\": 0,\n        \"overdue_cost\": 0,\n        \"overdue_non_recurring\": 0,\n        \"estimated_schedule_density\": [\n          0,\n          0,\n          1,\n          0,\n          0,\n          0,\n          0,\n          1,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n          0,\n   
       0,\n          0,\n          0,\n          0\n        ],\n        \"capacity_requirements\": {\n          \"per_minute\": 2,\n          \"per_hour\": 43,\n          \"per_day\": 7\n        }\n      },\n      \"status\": \"OK\"\n    }\n  }\n}"},"get_connector_types_generativeai_response":{"summary":"A list of connector types for the `generativeAI` feature.","value":[{"id":".gen-ai","name":"OpenAI","enabled":true,"enabled_in_config":true,"enabled_in_license":true,"minimum_license_required":"enterprise","supported_feature_ids":["generativeAIForSecurity","generativeAIForObservability","generativeAIForSearchPlayground"],"is_system_action_type":false},{"id":".bedrock","name":"AWS Bedrock","enabled":true,"enabled_in_config":true,"enabled_in_license":true,"minimum_license_required":"enterprise","supported_feature_ids":["generativeAIForSecurity","generativeAIForObservability","generativeAIForSearchPlayground"],"is_system_action_type":false},{"id":".gemini","name":"Google Gemini","enabled":true,"enabled_in_config":true,"enabled_in_license":true,"minimum_license_required":"enterprise","supported_feature_ids":["generativeAIForSecurity"],"is_system_action_type":false}]},"get_connector_response":{"summary":"Get connector details.","value":{"id":"df770e30-8b8b-11ed-a780-3b746c987a81","name":"my_server_log_connector","config":{},"connector_type_id":".server-log","is_preconfigured":false,"is_deprecated":false,"is_missing_secrets":false,"is_system_action":false}},"update_index_connector_request":{"summary":"Update an index connector.","value":{"name":"updated-connector","config":{"index":"updated-index"}}},"create_email_connector_request":{"summary":"Create an email connector.","value":{"name":"email-connector-1","connector_type_id":".email","config":{"from":"tester@example.com","hasAuth":true,"host":"https:\/\/example.com","port":1025,"secure":false,"service":"other"},"secrets":{"user":"username","password":"password"}}},"create_index_connector_request":{"summary":"Create an 
index connector.","value":{"name":"my-connector","connector_type_id":".index","config":{"index":"test-index"}}},"create_webhook_connector_request":{"summary":"Create a webhook connector with SSL authentication.","value":{"name":"my-webhook-connector","connector_type_id":".webhook","config":{"method":"post","url":"https:\/\/example.com","authType":"webhook-authentication-ssl","certType":"ssl-crt-key"},"secrets":{"crt":"QmFnIEF0dH...","key":"LS0tLS1CRUdJ...","password":"my-passphrase"}}},"create_xmatters_connector_request":{"summary":"Create an xMatters connector with URL authentication.","value":{"name":"my-xmatters-connector","connector_type_id":".xmatters","config":{"usesBasic":false},"secrets":{"secretsUrl":"https:\/\/example.com?apiKey=xxxxx"}}},"create_email_connector_response":{"summary":"A new email connector.","value":{"id":"90a82c60-478f-11ee-a343-f98a117c727f","connector_type_id":".email","name":"email-connector-1","config":{"from":"tester@example.com","service":"other","host":"https:\/\/example.com","port":1025,"secure":false,"hasAuth":true,"tenantId":null,"clientId":null,"oauthTokenUrl":null},"is_preconfigured":false,"is_deprecated":false,"is_missing_secrets":false,"is_system_action":false}},"create_index_connector_response":{"summary":"A new index connector.","value":{"id":"c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad","connector_type_id":".index","name":"my-connector","config":{"index":"test-index","refresh":false,"executionTimeField":null},"is_preconfigured":false,"is_deprecated":false,"is_missing_secrets":false,"is_system_action":false}},"create_webhook_connector_response":{"summary":"A new webhook 
connector.","value":{"id":"900eb010-3b9d-11ee-a642-8ffbb94e38bd","name":"my-webhook-connector","config":{"method":"post","url":"https:\/\/example.com","authType":"webhook-authentication-ssl","certType":"ssl-crt-key","verificationMode":"full","headers":null,"hasAuth":true},"connector_type_id":".webhook","is_preconfigured":false,"is_deprecated":false,"is_missing_secrets":false,"is_system_action":false}},"run_index_connector_request":{"summary":"Run an index connector.","value":{"params":{"documents":[{"id":"my_doc_id","name":"my_doc_name","message":"hello, world"}]}}},"run_jira_connector_request":{"summary":"Run a Jira connector to retrieve the list of issue types.","value":{"params":{"subAction":"issueTypes"}}},"run_servicenow_itom_connector_request":{"summary":"Run a ServiceNow ITOM connector to retrieve the list of choices.","value":{"params":{"subAction":"getChoices","subActionParams":{"fields":["severity","urgency"]}}}},"run_slack_api_connector_request":{"summary":"Run a Slack connector that uses the web API method to post a message on a channel.","value":{"params":{"subAction":"postMessage","subActionParams":{"channelIds":["C123ABC456"],"text":"A test message."}}}},"run_swimlane_connector_request":{"summary":"Run a Swimlane connector to create an incident.","value":{"params":{"subAction":"pushToService","subActionParams":{"comments":[{"commentId":1,"comment":"A comment about the incident."}],"incident":{"caseId":"1000","caseName":"Case name","description":"Description of the incident."}}}}},"run_index_connector_response":{"summary":"Response from running an index connector.","value":{"connector_id":"fd38c600-96a5-11ed-bb79-353b74189cba","data":{"errors":false,"items":[{"create":{"_id":"4JtvwYUBrcyxt2NnfW3y","_index":"my-index","_primary_term":1,"_seq_no":0,"_shards":{"failed":0,"successful":1,"total":2},"_version":1,"result":"created","status":201}}],"took":135},"status":"ok"}},"run_jira_connector_response":{"summary":"Response from retrieving the list of issue 
types for a Jira connector.","value":{"connector_id":"b3aad810-edbe-11ec-82d1-11348ecbf4a6","data":[{"id":10024,"name":"Improvement"},{"id":10006,"name":"Task"},{"id":10007,"name":"Sub-task"},{"id":10025,"name":"New Feature"},{"id":10023,"name":"Bug"},{"id":10000,"name":"Epic"}],"status":"ok"}},"run_server_log_connector_response":{"summary":"Response from running a server log connector.","value":{"connector_id":"7fc7b9a0-ecc9-11ec-8736-e7d63118c907","status":"ok"}},"run_servicenow_itom_connector_response":{"summary":"Response from retrieving the list of choices for a ServiceNow ITOM connector.","value":{"connector_id":"9d9be270-2fd2-11ed-b0e0-87533c532698","data":[{"dependent_value":"","element":"severity","label":"Critical","value":1},{"dependent_value":"","element":"severity","label":"Major","value":2},{"dependent_value":"","element":"severity","label":"Minor","value":3},{"dependent_value":"","element":"severity","label":"Warning","value":4},{"dependent_value":"","element":"severity","label":"OK","value":5},{"dependent_value":"","element":"severity","label":"Clear","value":0},{"dependent_value":"","element":"urgency","label":"1 - High","value":1},{"dependent_value":"","element":"urgency","label":"2 - Medium","value":2},{"dependent_value":"","element":"urgency","label":"3 - Low","value":3}],"status":"ok"}},"run_slack_api_connector_response":{"summary":"Response from posting a message with a Slack connector.","value":{"status":"ok","data":{"ok":true,"channel":"C123ABC456","ts":"1234567890.123456","message":{"bot_id":"B12BCDEFGHI","type":"message","text":"A test message","user":"U12A345BC6D","ts":"1234567890.123456","app_id":"A01BC2D34EF","blocks":[{"type":"rich_text","block_id":"\/NXe","elements":[{"type":"rich_text_section","elements":[{"type":"text","text":"A test 
message."}]}]}],"team":"T01ABCDE2F","bot_profile":{"id":"B12BCDEFGHI","app_id":"A01BC2D34EF","name":"test","icons":{"image_36":"https:\/\/a.slack-edge.com\/80588\/img\/plugins\/app\/bot_36.png"},"deleted":false,"updated":1672169705,"team_id":"T01ABCDE2F"}}},"connector_id":".slack_api"}},"run_swimlane_connector_response":{"summary":"Response from creating a Swimlane incident.","value":{"connector_id":"a4746470-2f94-11ed-b0e0-87533c532698","data":{"id":"aKPmBHWzmdRQtx6Mx","title":"TEST-457","url":"https:\/\/elastic.swimlane.url.us\/record\/aNcL2xniGHGpa2AHb\/aKPmBHWzmdRQtx6Mx","pushedDate":"2022-09-08T16:52:27.866Z","comments":[{"commentId":1,"pushedDate":"2022-09-08T16:52:27.865Z"}]},"status":"ok"}},"get_connectors_response":{"summary":"A list of connectors","value":[{"id":"preconfigured-email-connector","name":"my-preconfigured-email-notification","connector_type_id":".email","is_preconfigured":true,"is_deprecated":false,"referenced_by_count":0,"is_system_action":false},{"id":"e07d0c80-8b8b-11ed-a780-3b746c987a81","name":"my-index-connector","config":{"index":"test-index","refresh":false,"executionTimeField":null},"connector_type_id":".index","is_preconfigured":false,"is_deprecated":false,"referenced_by_count":2,"is_missing_secrets":false,"is_system_action":false}]},"get_spaces_response1":{"summary":"Get all spaces","description":"Get all spaces without specifying any options.","value":[{"id":"default","name":"Default","description":"This is the Default Space","disabledFeatures":[],"imageUrl":"","_reserved":true},{"id":"marketing","name":"Marketing","description":"This is the Marketing Space","color":null,"disabledFeatures":["apm"],"initials":"MK","imageUrl":"data:image\/png;base64,iVBORw0KGgoAAAANSU"},{"id":"sales","name":"Sales","initials":"MK","disabledFeatures":["discover"],"imageUrl":"","solution":"oblt"}]},"get_spaces_response2":{"summary":"Get all spaces with custom options","description":"The user has read-only access to the Sales space. 
Get all spaces with the following query parameters: \"purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true\"\n","value":[{"id":"default","name":"Default","description":"This is the Default Space","disabledFeatures":[],"imageUrl":"","_reserved":true,"authorizedPurposes":{"any":true,"copySavedObjectsIntoSpace":true,"findSavedObjects":true,"shareSavedObjectsIntoSpace":true}},{"id":"marketing","name":"Marketing","description":"This is the Marketing Space","color":null,"disabledFeatures":["apm"],"initials":"MK","imageUrl":"data:image\/png;base64,iVBORw0KGgoAAAANSU","authorizedPurposes":{"any":true,"copySavedObjectsIntoSpace":true,"findSavedObjects":true,"shareSavedObjectsIntoSpace":true}},{"id":"sales","name":"Sales","initials":"MK","disabledFeatures":["discover"],"imageUrl":"","authorizedPurposes":{"any":true,"copySavedObjectsIntoSpace":false,"findSavedObjects":true,"shareSavedObjectsIntoSpace":false}}]},"create_space_request":{"summary":"Create a marketing space","value":{"id":"marketing","name":"Marketing","description":"This is the Marketing 
Space","color":null,"initials":"MK","disabledFeatures":[],"imageUrl":"data:image\/png;base64,..."}},"get_space_response":{"summary":"Get details about a marketing space","value":{"id":"marketing","name":"Marketing","description":"This is the Marketing Space","color":null,"initials":"MK","disabledFeatures":[],"imageUrl":"","solution":"es"}},"update_space_request":{"summary":"Update a marketing space","description":"Update the marketing space to remove the imageUrl.","value":{"id":"marketing","name":"Marketing","description":"This is the Marketing Space","color":null,"initials":"MK","disabledFeatures":[],"imageUrl":""}}},"parameters":{"APM_UI_elastic_api_version":{"description":"The version of the API to use","in":"header","name":"elastic-api-version","required":true,"schema":{"default":"2023-10-31","enum":["2023-10-31"],"type":"string"}},"APM_UI_kbn_xsrf":{"description":"A required header to protect against CSRF attacks","in":"header","name":"kbn-xsrf","required":true,"schema":{"example":"true","type":"string"}},"Data_views_field_name":{"description":"The name of the runtime field.","in":"path","name":"fieldName","required":true,"schema":{"example":"hour_of_day","type":"string"}},"Data_views_kbn_xsrf":{"description":"Cross-site request forgery protection","in":"header","name":"kbn-xsrf","required":true,"schema":{"type":"string"}},"Data_views_view_id":{"description":"An identifier for the data view.","in":"path","name":"viewId","required":true,"schema":{"example":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","type":"string"}},"Machine_learning_APIs_simulateParam":{"description":"When true, simulates the synchronization by returning only 
the list of actions that would be performed.","example":"true","in":"query","name":"simulate","required":false,"schema":{"type":"boolean"}},"SLOs_kbn_xsrf":{"description":"Cross-site request forgery protection","in":"header","name":"kbn-xsrf","required":true,"schema":{"type":"string"}},"SLOs_slo_id":{"description":"An identifier for the SLO.","in":"path","name":"sloId","required":true,"schema":{"example":"9c235211-6834-11ea-a78c-6feb38a34414","type":"string"}},"SLOs_space_id":{"description":"An identifier for the space. If `\/s\/` and the identifier are omitted from the path, the default space is used.","in":"path","name":"spaceId","required":true,"schema":{"example":"default","type":"string"}}},"schemas":{"APM_UI_400_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Not Found","type":"string"},"message":{"description":"Error message","example":"Not Found","type":"string"},"statusCode":{"description":"Error status code","example":400,"type":"number"}}},"APM_UI_401_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Unauthorized","type":"string"},"message":{"description":"Error message","type":"string"},"statusCode":{"description":"Error status code","example":401,"type":"number"}}},"APM_UI_403_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Forbidden","type":"string"},"message":{"description":"Error message","type":"string"},"statusCode":{"description":"Error status code","example":403,"type":"number"}}},"APM_UI_404_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Not Found","type":"string"},"message":{"description":"Error message","example":"Not Found","type":"string"},"statusCode":{"description":"Error status code","example":404,"type":"number"}}},"APM_UI_500_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Internal Server
Error","type":"string"},"message":{"description":"Error message","type":"string"},"statusCode":{"description":"Error status code","example":500,"type":"number"}}},"APM_UI_501_response":{"type":"object","properties":{"error":{"description":"Error type","example":"Not Implemented","type":"string"},"message":{"description":"Error message","example":"Not Implemented","type":"string"},"statusCode":{"description":"Error status code","example":501,"type":"number"}}},"APM_UI_agent_configuration_intake_object":{"type":"object","properties":{"agent_name":{"description":"The agent name is used by the UI to determine which settings to display.","type":"string"},"service":{"$ref":"#\/components\/schemas\/APM_UI_service_object"},"settings":{"$ref":"#\/components\/schemas\/APM_UI_settings_object"}},"required":["service","settings"]},"APM_UI_agent_configuration_object":{"description":"Agent configuration","type":"object","properties":{"@timestamp":{"description":"Timestamp","example":1730194190636,"type":"number"},"agent_name":{"description":"Agent name","type":"string"},"applied_by_agent":{"description":"Applied by agent","example":true,"type":"boolean"},"etag":{"description":"`etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. 
Every time a configuration is edited `applied_by_agent` is reset to `false`.\n","example":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","type":"string"},"service":{"$ref":"#\/components\/schemas\/APM_UI_service_object"},"settings":{"$ref":"#\/components\/schemas\/APM_UI_settings_object"}},"required":["service","settings","@timestamp","etag"]},"APM_UI_agent_configurations_response":{"type":"object","properties":{"configurations":{"description":"Agent configuration","items":{"$ref":"#\/components\/schemas\/APM_UI_agent_configuration_object"},"type":"array"}}},"APM_UI_agent_keys_object":{"type":"object","properties":{"name":{"description":"The name of the APM agent key.","type":"string"},"privileges":{"description":"The APM agent key privileges. It can take one or more of the following values:\n* `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely.\n","items":{"enum":["event:write","config_agent:read"],"type":"string"},"type":"array"}},"required":["name","privileges"]},"APM_UI_agent_keys_response":{"type":"object","properties":{"agentKey":{"description":"Agent key","type":"object","properties":{"api_key":{"type":"string"},"encoded":{"type":"string"},"expiration":{"format":"int64","type":"integer"},"id":{"type":"string"},"name":{"type":"string"}},"required":["id","name","api_key","encoded"]}}},"APM_UI_annotation_search_response":{"type":"object","properties":{"annotations":{"description":"Annotations","items":{"type":"object","properties":{"@timestamp":{"type":"number"},"id":{"type":"string"},"text":{"type":"string"},"type":{"enum":["version"],"type":"string"}}},"type":"array"}}},"APM_UI_base_source_map_object":{"type":"object","properties":{"compressionAlgorithm":{"description":"Compression Algorithm","type":"string"},"created":{"description":"Created date","type":"string"},"decodedSha256":{"description":"Decoded 
SHA-256","type":"string"},"decodedSize":{"description":"Decoded size","type":"number"},"encodedSha256":{"description":"Encoded SHA-256","type":"string"},"encodedSize":{"description":"Encoded size","type":"number"},"encryptionAlgorithm":{"description":"Encryption Algorithm","type":"string"},"id":{"description":"Identifier","type":"string"},"identifier":{"description":"Identifier","type":"string"},"packageName":{"description":"Package name","type":"string"},"relative_url":{"description":"Relative URL","type":"string"},"type":{"description":"Type","type":"string"}}},"APM_UI_create_annotation_object":{"type":"object","properties":{"@timestamp":{"description":"The date and time of the annotation. It must be in ISO 8601 format.","type":"string"},"message":{"description":"The message displayed in the annotation. It defaults to `service.version`.","type":"string"},"service":{"description":"The service that identifies the configuration to create or update.","type":"object","properties":{"environment":{"description":"The environment of the service.","type":"string"},"version":{"description":"The version of the service.","type":"string"}},"required":["version"]},"tags":{"description":"Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. 
While you can add additional tags, you cannot remove the `apm` tag.\n","items":{"type":"string"},"type":"array"}},"required":["@timestamp","service"]},"APM_UI_create_annotation_response":{"type":"object","properties":{"_id":{"description":"Identifier","type":"string"},"_index":{"description":"Index","type":"string"},"_source":{"description":"Response","type":"object","properties":{"@timestamp":{"type":"string"},"annotation":{"type":"object","properties":{"title":{"type":"string"},"type":{"type":"string"}}},"event":{"type":"object","properties":{"created":{"type":"string"}}},"message":{"type":"string"},"service":{"type":"object","properties":{"environment":{"type":"string"},"name":{"type":"string"},"version":{"type":"string"}}},"tags":{"items":{"type":"string"},"type":"array"}}}}},"APM_UI_delete_agent_configurations_response":{"type":"object","properties":{"result":{"description":"Result","type":"string"}}},"APM_UI_delete_service_object":{"description":"Service","type":"object","properties":{"service":{"$ref":"#\/components\/schemas\/APM_UI_service_object"}},"required":["service"]},"APM_UI_search_agent_configuration_object":{"type":"object","properties":{"error":{"description":"If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`.\nThis is useful for cases where the agent configuration was not applied successfully.\n","type":"string"},"etag":{"description":"If etags match then `applied_by_agent` field will be set to `true`","example":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","type":"string"},"mark_as_applied_by_agent":{"description":"`markAsAppliedByAgent=true` means \"force setting it to true regardless of etag\".\nThis is needed for Jaeger agent that doesn't have 
etags\n","type":"boolean"},"service":{"$ref":"#\/components\/schemas\/APM_UI_service_object"}},"required":["service"]},"APM_UI_search_agent_configuration_response":{"type":"object","properties":{"_id":{"description":"Identifier","type":"string"},"_index":{"description":"Index","type":"string"},"_score":{"description":"Score","type":"number"},"_source":{"$ref":"#\/components\/schemas\/APM_UI_agent_configuration_object"}}},"APM_UI_service_agent_name_response":{"type":"object","properties":{"agentName":{"description":"Agent name","example":"nodejs","type":"string"}}},"APM_UI_service_environment_object":{"type":"object","properties":{"alreadyConfigured":{"description":"Already configured","type":"boolean"},"name":{"description":"Service environment name","example":"ALL_OPTION_VALUE","type":"string"}}},"APM_UI_service_environments_response":{"type":"object","properties":{"environments":{"description":"Service environment list","items":{"$ref":"#\/components\/schemas\/APM_UI_service_environment_object"},"type":"array"}}},"APM_UI_service_object":{"description":"Service","type":"object","properties":{"environment":{"description":"The environment of the service.","example":"prod","type":"string"},"name":{"description":"The name of the service.","example":"node","type":"string"}}},"APM_UI_settings_object":{"additionalProperties":{"type":"string"},"description":"Agent configuration 
settings","type":"object"},"APM_UI_single_agent_configuration_response":{"allOf":[{"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},{"$ref":"#\/components\/schemas\/APM_UI_agent_configuration_object"}]},"APM_UI_source_maps_response":{"type":"object","properties":{"artifacts":{"description":"Artifacts","items":{"allOf":[{"type":"object","properties":{"body":{"type":"object","properties":{"bundleFilepath":{"type":"string"},"serviceName":{"type":"string"},"serviceVersion":{"type":"string"},"sourceMap":{"type":"object","properties":{"file":{"type":"string"},"mappings":{"type":"string"},"sourceRoot":{"type":"string"},"sources":{"items":{"type":"string"},"type":"array"},"sourcesContent":{"items":{"type":"string"},"type":"array"},"version":{"type":"number"}}}}}}},{"$ref":"#\/components\/schemas\/APM_UI_base_source_map_object"}]},"type":"array"}}},"APM_UI_upload_source_map_object":{"type":"object","properties":{"bundle_filepath":{"description":"The absolute path of the final bundle as used in the web application.","type":"string"},"service_name":{"description":"The name of the service that the service map should apply to.","type":"string"},"service_version":{"description":"The version of the service that the service map should apply to.","type":"string"},"sourcemap":{"description":"The source map. It can be a string or file upload. 
It must follow the\n[source map format specification](https:\/\/tc39.es\/ecma426\/).\n","format":"binary","type":"string"}},"required":["service_name","service_version","bundle_filepath","sourcemap"]},"APM_UI_upload_source_maps_response":{"allOf":[{"type":"object","properties":{"body":{"type":"string"}}},{"$ref":"#\/components\/schemas\/APM_UI_base_source_map_object"}]},"Data_views_400_response":{"title":"Bad request","type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"type":"string"},"statusCode":{"example":400,"type":"number"}},"required":["statusCode","error","message"]},"Data_views_404_response":{"type":"object","properties":{"error":{"enum":["Not Found"],"example":"Not Found","type":"string"},"message":{"example":"Saved object [index-pattern\/caaad6d0-920c-11ed-b36a-874bd1548a00] not found","type":"string"},"statusCode":{"enum":[404],"example":404,"type":"integer"}}},"Data_views_allownoindex":{"description":"Allows the data view saved object to exist before the data is available. 
Defaults to `false`.","type":"boolean"},"Data_views_create_data_view_request_object":{"title":"Create data view request","type":"object","properties":{"data_view":{"description":"The data view object.","type":"object","properties":{"allowNoIndex":{"$ref":"#\/components\/schemas\/Data_views_allownoindex"},"fieldAttrs":{"additionalProperties":{"$ref":"#\/components\/schemas\/Data_views_fieldattrs"},"type":"object"},"fieldFormats":{"$ref":"#\/components\/schemas\/Data_views_fieldformats"},"fields":{"type":"object"},"id":{"type":"string"},"name":{"description":"The data view name.","type":"string"},"namespaces":{"$ref":"#\/components\/schemas\/Data_views_namespaces"},"runtimeFieldMap":{"additionalProperties":{"$ref":"#\/components\/schemas\/Data_views_runtimefieldmap"},"type":"object"},"sourceFilters":{"$ref":"#\/components\/schemas\/Data_views_sourcefilters"},"timeFieldName":{"$ref":"#\/components\/schemas\/Data_views_timefieldname"},"title":{"$ref":"#\/components\/schemas\/Data_views_title"},"type":{"$ref":"#\/components\/schemas\/Data_views_type"},"typeMeta":{"$ref":"#\/components\/schemas\/Data_views_typemeta"},"version":{"type":"string"}},"required":["title"]},"override":{"default":false,"description":"Override an existing data view if a data view with the provided title already exists.","type":"boolean"}},"required":["data_view"]},"Data_views_data_view_response_object":{"title":"Data view response properties","type":"object","properties":{"data_view":{"type":"object","properties":{"allowNoIndex":{"$ref":"#\/components\/schemas\/Data_views_allownoindex"},"fieldAttrs":{"additionalProperties":{"$ref":"#\/components\/schemas\/Data_views_fieldattrs"},"type":"object"},"fieldFormats":{"$ref":"#\/components\/schemas\/Data_views_fieldformats"},"fields":{"type":"object"},"id":{"example":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","type":"string"},"name":{"description":"The data view 
name.","type":"string"},"namespaces":{"$ref":"#\/components\/schemas\/Data_views_namespaces"},"runtimeFieldMap":{"additionalProperties":{"$ref":"#\/components\/schemas\/Data_views_runtimefieldmap"},"type":"object"},"sourceFilters":{"$ref":"#\/components\/schemas\/Data_views_sourcefilters"},"timeFieldName":{"$ref":"#\/components\/schemas\/Data_views_timefieldname"},"title":{"$ref":"#\/components\/schemas\/Data_views_title"},"typeMeta":{"$ref":"#\/components\/schemas\/Data_views_typemeta_response"},"version":{"example":"WzQ2LDJd","type":"string"}}}}},"Data_views_fieldattrs":{"description":"A map of field attributes by field name.","type":"object","properties":{"count":{"description":"Popularity count for the field.","type":"integer"},"customDescription":{"description":"Custom description for the field.","maxLength":300,"type":"string"},"customLabel":{"description":"Custom label for the field.","type":"string"}}},"Data_views_fieldformats":{"description":"A map of field formats by field name.","type":"object"},"Data_views_namespaces":{"description":"An array of space identifiers for sharing the data view between multiple spaces.","items":{"default":"default","type":"string"},"type":"array"},"Data_views_runtimefieldmap":{"description":"A map of runtime field definitions by field name.","type":"object","properties":{"script":{"type":"object","properties":{"source":{"description":"Script for the runtime field.","type":"string"}}},"type":{"description":"Mapping type of the runtime field.","type":"string"}},"required":["script","type"]},"Data_views_sourcefilters":{"description":"The array of field names you want to filter out in Discover.","items":{"type":"object","properties":{"value":{"type":"string"}},"required":["value"]},"type":"array"},"Data_views_swap_data_view_request_object":{"title":"Data view reference swap request","type":"object","properties":{"delete":{"description":"Deletes referenced saved object if all references are 
removed.","type":"boolean"},"forId":{"description":"Limit the affected saved objects to one or more by identifier.","oneOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"forType":{"description":"Limit the affected saved objects by type.","type":"string"},"fromId":{"description":"The saved object reference to change.","type":"string"},"fromType":{"description":"Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views.\n","type":"string"},"toId":{"description":"New saved object reference value to replace the old value.","type":"string"}},"required":["fromId","toId"]},"Data_views_timefieldname":{"description":"The timestamp field name, which you use for time-based data views.","type":"string"},"Data_views_title":{"description":"Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`).","type":"string"},"Data_views_type":{"description":"When set to `rollup`, identifies the rollup data views.","type":"string"},"Data_views_typemeta":{"description":"When you use rollup indices, contains the field list for the rollup data view API endpoints.","type":"object","properties":{"aggs":{"description":"A map of rollup restrictions by aggregation type and field name.","type":"object"},"params":{"description":"Properties for retrieving rollup fields.","type":"object"}},"required":["aggs","params"]},"Data_views_typemeta_response":{"description":"When you use rollup indices, contains the field list for the rollup data view API endpoints.","nullable":true,"type":"object","properties":{"aggs":{"description":"A map of rollup restrictions by aggregation type and field name.","type":"object"},"params":{"description":"Properties for retrieving rollup fields.","type":"object"}}},"Data_views_update_data_view_request_object":{"title":"Update data view request","type":"object","properties":{"data_view":{"description":"The data view properties you want to update. 
Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.\n","type":"object","properties":{"allowNoIndex":{"$ref":"#\/components\/schemas\/Data_views_allownoindex"},"fieldFormats":{"$ref":"#\/components\/schemas\/Data_views_fieldformats"},"fields":{"type":"object"},"name":{"type":"string"},"runtimeFieldMap":{"additionalProperties":{"$ref":"#\/components\/schemas\/Data_views_runtimefieldmap"},"type":"object"},"sourceFilters":{"$ref":"#\/components\/schemas\/Data_views_sourcefilters"},"timeFieldName":{"$ref":"#\/components\/schemas\/Data_views_timefieldname"},"title":{"$ref":"#\/components\/schemas\/Data_views_title"},"type":{"$ref":"#\/components\/schemas\/Data_views_type"},"typeMeta":{"$ref":"#\/components\/schemas\/Data_views_typemeta"}}},"refresh_fields":{"default":false,"description":"Reloads the data view fields after the data view is updated.","type":"boolean"}},"required":["data_view"]},"Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action.
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly`.","properties":{"anomalyDetectorTypes":{"description":"The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates.","items":{"enum":["txLatency","txThroughput","txFailureRate"],"type":"string"},"minItems":1,"type":"array"},"anomalySeverityType":{"description":"The severity of anomalies that result in an alert: critical, major, minor, or warning.","enum":["critical","major","minor","warning"],"type":"string"},"environment":{"description":"The environment from APM.","type":"string"},"serviceName":{"description":"The service name from APM.","type":"string"},"transactionType":{"description":"The transaction type from APM.","type":"string"},"windowSize":{"description":"The size of the time window (in `windowUnit` units), which determines how far back to search for documents.
Generally it should be a value higher than the rule check interval to avoid gaps in detection.","type":"number"},"windowUnit":{"description":"The type of units for the time window: minutes, hours, or days.","type":"string"}},"required":["windowSize","windowUnit","environment","anomalySeverityType"],"title":"APM Anomaly Rule Params","type":"object"},"rule_type_id":{"enum":["apm.anomaly"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"APM anomaly","type":"object"},"Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`.","properties":{"environment":{"description":"Filter the errors coming from your application to apply the rule to a specific environment.","type":"string"},"errorGroupingKey":{"description":"Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties.","type":"string"},"groupBy":{"items":{"description":"Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.","type":"string"},"type":"array"},"searchConfiguration":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"language":{"type":"string"},"query":{"anyOf":[{"type":"string"},{"additionalProperties":{"nullable":true},"type":"object"}]}},"required":["query","language"]}},"required":["query"]},"serviceName":{"description":"Filter the errors coming from your application to apply the rule to a specific service.","type":"string"},"threshold":{"description":"The number of errors, which is the threshold for alerts.","type":"number"},"useKqlFilter":{"description":"A filter in Kibana Query Language (KQL) that limits the scope of the rule.","type":"boolean"},"windowSize":{"description":"The time frame in which the errors must occur (in `windowUnit` units). 
Generally it should be a value higher than the rule check interval to avoid gaps in detection.","type":"number"},"windowUnit":{"description":"The type of units for the time window: minutes, hours, or days.","type":"string"}},"required":["windowSize","windowUnit","threshold","environment"],"title":"Error Count Rule Params","type":"object"},"rule_type_id":{"enum":["apm.error_rate"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Error rate","type":"object"},"Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`.","properties":{"aggregationType":{"description":"The type of aggregation to perform.","enum":["avg","95th","99th"],"type":"string"},"environment":{"description":"Filter the rule to apply to a specific environment.","type":"string"},"groupBy":{"items":{"description":"Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.","type":"string"},"type":"array"},"searchConfiguration":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"language":{"type":"string"},"query":{"anyOf":[{"type":"string"},{"additionalProperties":{"nullable":true},"type":"object"}]}},"required":["query","language"]}},"required":["query"]},"serviceName":{"description":"Filter the rule to apply to a specific service.","type":"string"},"threshold":{"description":"The latency threshold value.","type":"number"},"transactionName":{"description":"Filter the rule to apply to a specific transaction name.","type":"string"},"transactionType":{"description":"Filter the rule to apply to a specific transaction type.","type":"string"},"useKqlFilter":{"description":"A Kibana Query Language (KQL) expression that limits the scope of alerts.","type":"boolean"},"windowSize":{"description":"The size of the time window (in `windowUnit` units), which determines how far back to search for documents. 
Generally it should be a value higher than the rule check interval to avoid gaps in detection.","type":"number"},"windowUnit":{"description":"The type of units for the time window. For example: minutes, hours, or days.","type":"string"}},"required":["windowSize","windowUnit","threshold","aggregationType","environment"],"title":"Transaction Duration Rule Params","type":"object"},"rule_type_id":{"enum":["apm.transaction_duration"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Transaction duration","type":"object"},"Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`.","properties":{"environment":{"type":"string"},"groupBy":{"items":{"type":"string"},"type":"array"},"searchConfiguration":{"additionalProperties":false,"type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"language":{"type":"string"},"query":{"anyOf":[{"type":"string"},{"additionalProperties":{"nullable":true},"type":"object"}]}},"required":["query","language"]}},"required":["query"]},"serviceName":{"type":"string"},"threshold":{"type":"number"},"transactionName":{"type":"string"},"transactionType":{"type":"string"},"useKqlFilter":{"type":"boolean"},"windowSize":{"type":"number"},"windowUnit":{"type":"string"}},"required":["windowSize","windowUnit","threshold","environment"],"title":"Transaction Error Rate Rule Params","type":"object"},"rule_type_id":{"enum":["apm.transaction_error_rate"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Transaction error rate","type":"object"},"Kibana_HTTP_APIs_ClassicFieldDefinition":{"additionalProperties":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig"},"type":"object"},"Kibana_HTTP_APIs_ClassicFieldDefinitionConfig":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_RecursiveRecord"},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"format":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"enum":["keyword","match_only_text","long","double","date","boolean","ip","geo_point","integer","short","byte","float","half_float","text","wildcard","version","unsigned_long","date_nanos"],"type":"string"}},"required":["type"]},{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["type"]}]}]},"Kibana_HTTP_APIs_ClassicStreamUpsertRequest":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"type":"string"},"type":"array"},"queries":{"items":{"type":"object","properties":{"description":{"type":"string"},"esql":{"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"evidence":{"items":{"type":"string"},"type":"array"},"id":{"description":"A non-empty string.","minLength":1,"type":"string"},"severity_score":{"type":"number"},"title":{"description":"A non-empty 
string.","minLength":1,"type":"string"},"type":{"default":"match","enum":["match","stats"],"type":"string"}},"required":["id","title","description","esql"]},"type":"array"},"rules":{"items":{"type":"string"},"type":"array"},"stream":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"ingest":{"additionalProperties":false,"type":"object","properties":{"classic":{"additionalProperties":false,"type":"object","properties":{"field_overrides":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_ClassicFieldDefinition"}}},"failure_store":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_FailureStore"},"lifecycle":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_IngestStreamLifecycle"},"processing":{"additionalProperties":false,"type":"object","properties":{"steps":{"items":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_StreamlangStep"},"type":"array"},"updated_at":{}},"required":["steps"]},"settings":{"additionalProperties":false,"type":"object","properties":{"index.number_of_replicas":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.number_of_shards":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.refresh_interval":{"additionalProperties":false,"type":"object","properties":{"value":{"anyOf":[{"type":"string"},{"enum":[-1],"type":"number"}]}},"required":["value"]}}}},"required":["lifecycle","processing","settings","failure_store","classic"]},"query_streams":{"items":{"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"type":"array"},"type":{"enum":["classic"],"type":"string"}},"required":["description","ingest","type"]}},"required":["dashboards","rules","queries","stream"]},"Kibana_HTTP_APIs_Condition":{"anyOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_FilterCondition"},{"additionalProperties":false,"description":"A logical AND that groups multiple 
conditions.","type":"object","properties":{"and":{"description":"An array of conditions. All sub-conditions must be true for this condition to be true.","items":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition"},"type":"array"}},"required":["and"]},{"additionalProperties":false,"description":"A logical OR that groups multiple conditions.","type":"object","properties":{"or":{"description":"An array of conditions. At least one sub-condition must be true for this condition to be true.","items":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition"},"type":"array"}},"required":["or"]},{"additionalProperties":false,"description":"A logical NOT that negates a condition.","type":"object","properties":{"not":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"A condition that negates another condition."}},"required":["not"]},{"additionalProperties":false,"description":"A condition that always evaluates to false.","type":"object","properties":{"never":{"additionalProperties":false,"description":"An empty object. This condition never matches.","type":"object","properties":{}}},"required":["never"]},{"additionalProperties":false,"description":"A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.","type":"object","properties":{"always":{"additionalProperties":false,"description":"An empty object. This condition always matches.","type":"object","properties":{}}},"required":["always"]}],"description":"The root condition object. 
It can be a simple filter or a combination of other conditions."},"Kibana_HTTP_APIs_ConditionWithSteps":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition"},{"additionalProperties":false,"type":"object","properties":{"else":{"items":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_StreamlangStep"},"type":"array"},"steps":{"items":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_StreamlangStep"},"type":"array"}},"required":["steps"]}]},"Kibana_HTTP_APIs_ContentPackIncludedObjects":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"objects":{"additionalProperties":false,"type":"object","properties":{"all":{"additionalProperties":false,"type":"object","properties":{}}},"required":["all"]}},"required":["objects"]},{"additionalProperties":false,"type":"object","properties":{"objects":{"additionalProperties":false,"type":"object","properties":{"mappings":{"type":"boolean"},"queries":{"items":{"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"type":"array"},"routing":{"items":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_ContentPackIncludedObjects"},{"type":"object","properties":{"destination":{"type":"string"}},"required":["destination"]}]},"type":"array"}},"required":["mappings","queries","routing"]}},"required":["objects"]}]},"Kibana_HTTP_APIs_core_status_redactedResponse":{"additionalProperties":false,"description":"A minimal representation of Kibana's operational status.","properties":{"status":{"additionalProperties":false,"type":"object","properties":{"overall":{"additionalProperties":false,"type":"object","properties":{"level":{"description":"Service status levels as human and machine readable 
values.","enum":["available","degraded","unavailable","critical"],"type":"string"}},"required":["level"]}},"required":["overall"]}},"required":["status"],"title":"core_status_redactedResponse","type":"object"},"Kibana_HTTP_APIs_core_status_response":{"additionalProperties":false,"description":"Kibana's operational status, a detailed breakdown of plugin statuses, and an indication of various loads (like event loop utilization and network traffic) at the time of the request.","properties":{"metrics":{"additionalProperties":false,"description":"Metric groups collected by Kibana.","type":"object","properties":{"collection_interval_in_millis":{"description":"The interval at which metrics should be collected.","type":"number"},"elasticsearch_client":{"additionalProperties":false,"description":"Current network metrics of Kibana's Elasticsearch client.","type":"object","properties":{"totalActiveSockets":{"description":"Count of network sockets currently in use.","type":"number"},"totalIdleSockets":{"description":"Count of network sockets currently idle.","type":"number"},"totalQueuedRequests":{"description":"Count of requests not yet assigned to sockets.","type":"number"}},"required":["totalActiveSockets","totalIdleSockets","totalQueuedRequests"]},"last_updated":{"description":"The time metrics were collected.","type":"string"}},"required":["elasticsearch_client","last_updated","collection_interval_in_millis"]},"name":{"description":"Kibana instance name.","type":"string"},"status":{"additionalProperties":false,"type":"object","properties":{"core":{"additionalProperties":false,"description":"Statuses of core Kibana services.","type":"object","properties":{"elasticsearch":{"additionalProperties":false,"type":"object","properties":{"detail":{"description":"Human readable detail of the service status.","type":"string"},"documentationUrl":{"description":"A URL to further documentation regarding this service.","type":"string"},"level":{"description":"Service status levels as human 
and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"},"meta":{"additionalProperties":{"nullable":true},"description":"An unstructured set of extra metadata about this service.","type":"object"},"summary":{"description":"A human readable summary of the service status.","type":"string"}},"required":["level","summary","meta"]},"http":{"additionalProperties":false,"type":"object","properties":{"detail":{"description":"Human readable detail of the service status.","type":"string"},"documentationUrl":{"description":"A URL to further documentation regarding this service.","type":"string"},"level":{"description":"Service status levels as human and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"},"meta":{"additionalProperties":{"nullable":true},"description":"An unstructured set of extra metadata about this service.","type":"object"},"summary":{"description":"A human readable summary of the service status.","type":"string"}},"required":["level","summary","meta"]},"savedObjects":{"additionalProperties":false,"type":"object","properties":{"detail":{"description":"Human readable detail of the service status.","type":"string"},"documentationUrl":{"description":"A URL to further documentation regarding this service.","type":"string"},"level":{"description":"Service status levels as human and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"},"meta":{"additionalProperties":{"nullable":true},"description":"An unstructured set of extra metadata about this service.","type":"object"},"summary":{"description":"A human readable summary of the service status.","type":"string"}},"required":["level","summary","meta"]}},"required":["elasticsearch","savedObjects"]},"overall":{"additionalProperties":false,"type":"object","properties":{"detail":{"description":"Human readable detail of the service 
status.","type":"string"},"documentationUrl":{"description":"A URL to further documentation regarding this service.","type":"string"},"level":{"description":"Service status levels as human and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"},"meta":{"additionalProperties":{"nullable":true},"description":"An unstructured set of extra metadata about this service.","type":"object"},"summary":{"description":"A human readable summary of the service status.","type":"string"}},"required":["level","summary","meta"]},"plugins":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"detail":{"description":"Human readable detail of the service status.","type":"string"},"documentationUrl":{"description":"A URL to further documentation regarding this service.","type":"string"},"level":{"description":"Service status levels as human and machine readable values.","enum":["available","degraded","unavailable","critical"],"type":"string"},"meta":{"additionalProperties":{"nullable":true},"description":"An unstructured set of extra metadata about this service.","type":"object"},"summary":{"description":"A human readable summary of the service status.","type":"string"}},"required":["level","summary","meta"]},"description":"A dynamic mapping of plugin ID to plugin status.","type":"object"}},"required":["overall","core","plugins"]},"uuid":{"description":"Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts.","type":"string"},"version":{"additionalProperties":false,"type":"object","properties":{"build_date":{"description":"The date and time of this build.","type":"string"},"build_flavor":{"description":"The build flavour determines configuration and behavior of Kibana. 
On premise users will almost always run the \"traditional\" flavour, while other flavours are reserved for Elastic-specific use cases.","enum":["serverless","traditional"],"type":"string"},"build_hash":{"description":"A unique hash value representing the git commit of this Kibana build.","type":"string"},"build_number":{"description":"A monotonically increasing number, each subsequent build will have a higher number.","type":"number"},"build_snapshot":{"description":"Whether this build is a snapshot build.","type":"boolean"},"number":{"description":"A semantic version number.","type":"string"}},"required":["number","build_hash","build_number","build_snapshot","build_flavor","build_date"]}},"required":["name","uuid","version","status","metrics"],"title":"core_status_response","type":"object"},"Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`.","properties":{"comparator":{"type":"string"},"groupBy":{"items":{"type":"string"},"type":"array"},"searchConfiguration":{"additionalProperties":false,"type":"object","properties":{"index":{"type":"string"}},"required":["index"]},"threshold":{"items":{"type":"number"},"type":"array"},"timeSize":{"type":"number"},"timeUnit":{"type":"string"}},"required":["timeUnit","timeSize","threshold","comparator","searchConfiguration"],"title":"Degraded Docs Rule Params","type":"object"},"rule_type_id":{"enum":["datasetQuality.degradedDocs"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Degraded docs","type":"object"},"Kibana_HTTP_APIs_es-query-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the ES query rule. These parameters are appropriate when `rule_type_id` is `.es-query`.","properties":{"aggField":{"description":"The name of the numeric field that is used in the aggregation. 
This property is required when `aggType` is `avg`, `max`, `min` or `sum`.","minLength":1,"type":"string"},"aggType":{"default":"count","description":"The type of aggregation to perform.","type":"string"},"esqlQuery":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"description":"The query definition in Elasticsearch Query Language.","nullable":true,"oneOf":[{"additionalProperties":false,"type":"object","properties":{"esql":{"minLength":1,"type":"string"}},"required":["esql"]},{"not":{}}]},"esQuery":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"nullable":true,"oneOf":[{"minLength":1,"type":"string"},{"not":{}}]},"excludeHitsFromPreviousRun":{"default":true,"description":"Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.","type":"boolean"},"groupBy":{"default":"all","description":"Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. 
If grouping is used, an alert will be created for each group when it exceeds the threshold.","type":"string"},"index":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"description":"The indices to query.","nullable":true,"oneOf":[{"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},{"not":{}}]},"searchConfiguration":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"description":"The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.","nullable":true,"oneOf":[{"additionalProperties":true,"type":"object","properties":{}},{"not":{}}]},"searchType":{"default":"esQuery","description":"The type of query. For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).","enum":["searchSource","esQuery","esqlQuery"],"type":"string"},"size":{"description":"The number of documents to pass to the configured actions when the threshold condition is met.","maximum":10000,"minimum":0,"type":"number"},"sourceFields":{"description":"The sourceFields param is ignored.","items":{"additionalProperties":false,"type":"object","properties":{"label":{"type":"string"},"searchPath":{"type":"string"}},"required":["label","searchPath"]},"maxItems":5,"type":"array"},"termField":{"anyOf":[{"minLength":1,"type":"string"},{"items":{"type":"string"},"maxItems":4,"minItems":2,"type":"array"}],"description":"The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`."},"termSize":{"description":"This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.","minimum":1,"type":"number"},"threshold":{"items":{"description":"The threshold value that is used with the `thresholdComparator`. 
If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.","type":"number"},"maxItems":2,"minItems":1,"type":"array"},"thresholdComparator":{"description":"The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.","enum":[">","<",">=","<=","between","notBetween"],"type":"string"},"timeField":{"anyOf":[{"items":{},"type":"array"},{"type":"boolean"},{"type":"number"},{"type":"object"},{"type":"string"}],"description":"The field that is used to calculate the time window.","nullable":true,"oneOf":[{"minLength":1,"type":"string"},{"minLength":1,"type":"string","x-oas-optional":true}]},"timeWindowSize":{"description":"The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.","minimum":1,"type":"number"},"timeWindowUnit":{"description":"The type of units for the time window. For example: seconds, minutes, hours, or days.","type":"string"}},"required":["size","timeWindowSize","timeWindowUnit","threshold","thresholdComparator","timeField","searchConfiguration","esQuery","index","esqlQuery"],"title":"ES Query Rule Params","type":"object"},"rule_type_id":{"enum":[".es-query"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. 
NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"ES query","type":"object"},"Kibana_HTTP_APIs_FailureStore":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]},{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]},{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"enabled":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"}}}},"required":["enabled"]}},"required":["lifecycle"]},{"additionalProperties":false,"type":"object","properties":{"lifecycle":{"additionalProperties":false,"type":"object","properties":{"disabled":{"additionalProperties":false,"type":"object","properties":{}}},"required":["disabled"]}},"required":["lifecycle"]}]},"Kibana_HTTP_APIs_FieldDefinition":{"additionalProperties":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_FieldDefinitionConfig"},"type":"object"},"Kibana_HTTP_APIs_FieldDefinitionConfig":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_RecursiveRecord"},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"format":{"description":"A non-empty 
string.","minLength":1,"type":"string"},"type":{"enum":["keyword","match_only_text","long","double","date","boolean","ip","geo_point","integer","short","byte","float","half_float","text","wildcard","version","unsigned_long","date_nanos"],"type":"string"}},"required":["type"]},{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"format":{"not":{}},"type":{"not":{}}},"required":["description"]},{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"type":{"enum":["system"],"type":"string"}},"required":["type"]}]}]},"Kibana_HTTP_APIs_FilterCondition":{"anyOf":[{"additionalProperties":false,"description":"A condition that compares a field to a value or range using an operator as the key.","type":"object","properties":{"contains":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Contains comparison value."},"endsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Ends-with comparison value."},"eq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Equality comparison value."},"field":{"description":"The document field to filter on.","minLength":1,"type":"string"},"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than comparison value."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Greater-than-or-equal comparison value."},"includes":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Checks if multivalue field includes the value."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than comparison value."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Less-than-or-equal comparison value."},"neq":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Inequality comparison 
value."},"range":{"additionalProperties":false,"description":"Range comparison values.","type":"object","properties":{"gt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"gte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lt":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."},"lte":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"A value that can be a string, number, or boolean."}}},"startsWith":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"}],"description":"Starts-with comparison value."}},"required":["field"]},{"additionalProperties":false,"description":"A condition that checks for the existence or non-existence of a field.","type":"object","properties":{"exists":{"description":"Indicates whether the field exists or not.","type":"boolean"},"field":{"description":"The document field to check.","minLength":1,"type":"string"}},"required":["field"]}],"description":"A basic filter condition, either unary or binary."},"Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`.","properties":{"boundaryGeoField":{"minLength":1,"type":"string"},"boundaryIndexId":{"minLength":1,"type":"string"},"boundaryIndexQuery":{"nullable":true},"boundaryIndexTitle":{"minLength":1,"type":"string"},"boundaryNameField":{"minLength":1,"type":"string"},"boundaryType":{"minLength":1,"type":"string"},"dateField":{"minLength":1,"type":"string"},"entity":{"minLength":1,"type":"string"},"geoField":{"minLength":1,"type":"string"},"index":{"minLength":1,"type":"string"},"indexId":{"minLength":1,"type":"string"},"indexQuery":{"nullable":true}},"required":["index","indexId","geoField","entity","dateField","boundaryType","boundaryIndexTitle","boundaryIndexId","boundaryGeoField","indexQuery","boundaryIndexQuery"],"title":"Geo Containment Rule Params","type":"object"},"rule_type_id":{"enum":[".geo-containment"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Geo containment","type":"object"},"Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`.","properties":{"aggField":{"description":"The name of the numeric field that is used in the aggregation. 
This property is required when `aggType` is `avg`, `max`, `min` or `sum`.","minLength":1,"type":"string"},"aggType":{"default":"count","description":"The type of aggregation to perform.","type":"string"},"filterKuery":{"description":"A Kibana Query Language (KQL) expression that limits the scope of alerts.","type":"string"},"groupBy":{"default":"all","description":"Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.","type":"string"},"index":{"anyOf":[{"minLength":1,"type":"string"},{"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"}],"description":"The indices to query."},"termField":{"description":"The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.","minLength":1,"type":"string"},"termSize":{"description":"This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.","minimum":1,"type":"number"},"threshold":{"items":{"type":"number"},"maxItems":2,"minItems":1,"type":"array"},"thresholdComparator":{"description":"The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.","enum":[">","<",">=","<=","between","notBetween"],"type":"string"},"timeField":{"description":"The field that is used to calculate the time window.","minLength":1,"type":"string"},"timeWindowSize":{"description":"The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. 
Generally it should be a value higher than the rule check interval to avoid gaps in detection.","minimum":1,"type":"number"},"timeWindowUnit":{"description":"The type of units for the time window. For example: seconds, minutes, hours, or days.","type":"string"}},"required":["index","timeField","timeWindowSize","timeWindowUnit","thresholdComparator","threshold"],"title":"Index Threshold Rule Params","type":"object"},"rule_type_id":{"enum":[".index-threshold"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Index threshold","type":"object"},"Kibana_HTTP_APIs_IngestStreamLifecycle":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"dsl":{"additionalProperties":false,"type":"object","properties":{"data_retention":{"description":"A non-empty string.","minLength":1,"type":"string"},"downsample":{"items":{"type":"object","properties":{"after":{"description":"A non-empty string.","minLength":1,"type":"string"},"fixed_interval":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["after","fixed_interval"]},"type":"array"}}}},"required":["dsl"]},{"additionalProperties":false,"type":"object","properties":{"ilm":{"additionalProperties":false,"type":"object","properties":{"policy":{"description":"A non-empty string.","minLength":1,"type":"string"}},"required":["policy"]}},"required":["ilm"]},{"additionalProperties":false,"type":"object","properties":{"inherit":{"additionalProperties":false,"type":"object","properties":{}}},"required":["inherit"]}]},"Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"count":{"additionalProperties":false,"type":"object","properties":{"comparator":{"enum":["more than","more than or equals","less than","less than or equals","equals","does not equal","matches","does not match","matches phrase","does not match phrase"],"type":"string"},"value":{"type":"number"}},"required":["comparator","value"]},"criteria":{"items":{"additionalProperties":false,"type":"object","properties":{"comparator":{"enum":["more than","more than or equals","less than","less than or equals","equals","does not equal","matches","does not match","matches phrase","does not match phrase"],"type":"string"},"field":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["field","comparator","value"]},"type":"array"},"groupBy":{"items":{"type":"string"},"type":"array"},"logView":{"additionalProperties":false,"type":"object","properties":{"logViewId":{"type":"string"},"type":{"enum":["log-view-reference"],"type":"string"}},"required":["logViewId","type"]},"timeSize":{"type":"number"},"timeUnit":{"enum":["s","m","h","d"],"type":"string"}},"required":["criteria","count","timeUnit","timeSize","logView"]},{"additionalProperties":false,"type":"object","properties":{"count":{"additionalProperties":false,"type":"object","properties":{"comparator":{"enum":["more than","more than or equals","less than","less than or equals","equals","does not equal","matches","does not match","matches phrase","does not match phrase"],"type":"string"},"value":{"type":"number"}},"required":["comparator","value"]},"criteria":{"items":{"items":{"additionalProperties":false,"type":"object","properties":{"comparator":{"enum":["more than","more than or equals","less 
than","less than or equals","equals","does not equal","matches","does not match","matches phrase","does not match phrase"],"type":"string"},"field":{"type":"string"},"value":{"anyOf":[{"type":"string"},{"type":"number"}]}},"required":["field","comparator","value"]},"type":"array"},"type":"array"},"groupBy":{"items":{"type":"string"},"type":"array"},"logView":{"additionalProperties":false,"type":"object","properties":{"logViewId":{"type":"string"},"type":{"enum":["log-view-reference"],"type":"string"}},"required":["logViewId","type"]},"timeSize":{"type":"number"},"timeUnit":{"enum":["s","m","h","d"],"type":"string"}},"required":["criteria","count","timeUnit","timeSize","logView"]}],"description":"The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`.","title":"Log Threshold Rule Params"},"rule_type_id":{"enum":["logs.alert.document.count"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Log threshold","type":"object"},"Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the metric inventory threshold rule. 
These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`.","properties":{"alertOnNoData":{"type":"boolean"},"criteria":{"items":{"additionalProperties":false,"type":"object","properties":{"comparator":{"type":"string"},"customMetric":{"additionalProperties":false,"type":"object","properties":{"aggregation":{"type":"string"},"field":{"type":"string"},"id":{"type":"string"},"label":{"type":"string"},"type":{"enum":["custom"],"type":"string"}},"required":["type","id","field","aggregation"]},"metric":{"type":"string"},"threshold":{"items":{"type":"number"},"type":"array"},"timeSize":{"type":"number"},"timeUnit":{"type":"string"},"warningComparator":{"type":"string"},"warningThreshold":{"items":{"type":"number"},"type":"array"}},"required":["threshold","comparator","timeUnit","timeSize","metric"]},"type":"array"},"filterQuery":{"type":"string"},"nodeType":{"type":"string"},"schema":{"type":"string"},"sourceId":{"type":"string"}},"required":["criteria","nodeType","sourceId"],"title":"Metric Inventory Threshold Rule Params","type":"object"},"rule_type_id":{"enum":["metrics.alert.inventory.threshold"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Metric inventory threshold","type":"object"},"Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`.","properties":{"alertOnGroupDisappear":{"description":"If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. 
This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically.","type":"boolean"},"alertOnNoData":{"description":"If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails.","type":"boolean"},"criteria":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"aggType":{"enum":["count"],"type":"string"},"comparator":{"type":"string"},"threshold":{"description":"The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.","items":{"type":"number"},"type":"array"},"timeSize":{"description":"The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.","type":"number"},"timeUnit":{"description":"The type of units for the time window: seconds, minutes, hours, or days.","type":"string"},"warningComparator":{"type":"string"},"warningThreshold":{"items":{"description":"The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values.","type":"number"},"type":"array"}},"required":["threshold","comparator","timeUnit","timeSize","aggType"]},{"additionalProperties":false,"type":"object","properties":{"aggType":{"type":"string"},"comparator":{"type":"string"},"metric":{"type":"string"},"threshold":{"description":"The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.","items":{"type":"number"},"type":"array"},"timeSize":{"description":"The size of the time window (in `timeUnit` units), which determines how far back to search for documents. 
Generally it should be a value higher than the rule check interval to avoid gaps in detection.","type":"number"},"timeUnit":{"description":"The type of units for the time window: seconds, minutes, hours, or days.","type":"string"},"warningComparator":{"type":"string"},"warningThreshold":{"items":{"description":"The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values.","type":"number"},"type":"array"}},"required":["threshold","comparator","timeUnit","timeSize","metric","aggType"]},{"additionalProperties":false,"type":"object","properties":{"aggType":{"enum":["custom"],"type":"string"},"comparator":{"type":"string"},"customMetrics":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"aggType":{"type":"string"},"field":{"type":"string"},"name":{"type":"string"}},"required":["name","aggType","field"]},{"additionalProperties":false,"type":"object","properties":{"aggType":{"enum":["count"],"type":"string"},"filter":{"type":"string"},"name":{"type":"string"}},"required":["name","aggType"]}]},"type":"array"},"equation":{"type":"string"},"label":{"type":"string"},"threshold":{"description":"The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.","items":{"type":"number"},"type":"array"},"timeSize":{"description":"The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.","type":"number"},"timeUnit":{"description":"The type of units for the time window: seconds, minutes, hours, or days.","type":"string"},"warningComparator":{"type":"string"},"warningThreshold":{"items":{"description":"The threshold value that is used with the `warningComparator`. 
If the `warningComparator` is `between`, you must specify the boundary values.","type":"number"},"type":"array"}},"required":["threshold","comparator","timeUnit","timeSize","aggType","customMetrics"]}]},"type":"array"},"filterQuery":{"description":"A query that limits the scope of the rule. The rule evaluates only metric data that matches the query.","type":"string"},"groupBy":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}],"description":"Create an alert for every unique value of the specified fields. For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region."},"sourceId":{"type":"string"}},"required":["criteria","sourceId"],"title":"Metric Threshold Rule Params","type":"object"},"rule_type_id":{"enum":["metrics.alert.threshold"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Metric threshold","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the cluster health rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"Cluster Health Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_cluster_health"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Cluster health","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the CPU usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"CPU Usage Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_cpu_usage"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"CPU usage","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the disk usage rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"Disk Usage Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_disk_usage"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Disk usage","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"ES Version Mismatch Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_elasticsearch_version_mismatch"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Elasticsearch version mismatch","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the memory usage rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"Memory Usage Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_jvm_memory_usage"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"JVM memory usage","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"Kibana Version Mismatch Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_kibana_version_mismatch"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Kibana version mismatch","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the license expiration rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"License Expiration Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_license_expiration"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"License expiration","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"Logstash Version Mismatch Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_logstash_version_mismatch"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Logstash version mismatch","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the missing monitoring data rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"Missing Monitoring Data Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_missing_monitoring_data"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Missing monitoring data","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the nodes changed rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"Nodes Changed Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_nodes_changed"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Nodes changed","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the thread pool search rejections rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"Thread Pool Search Rejections Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_thread_pool_search_rejections"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Thread pool search rejections","type":"object"},"Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the thread pool write rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"Thread Pool Write Rejections Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_alert_thread_pool_write_rejections"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Thread pool write rejections","type":"object"},"Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the CCR read exceptions rule. 
These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration"],"title":"CCR Read Exceptions Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_ccr_read_exceptions"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"CCR read exceptions","type":"object"},"Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`.","properties":{"duration":{"type":"string"},"filterQuery":{"type":"string"},"filterQueryText":{"type":"string"},"indexPattern":{"type":"string"},"limit":{"type":"string"},"threshold":{"type":"number"}},"required":["duration","indexPattern"],"title":"Large Shard Size Rule Params","type":"object"},"rule_type_id":{"enum":["monitoring_shard_size"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Large shard size","type":"object"},"Kibana_HTTP_APIs_new_output_elasticsearch":{"additionalProperties":false,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"type":{"enum":["elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"],"title":"new_output_elasticsearch","type":"object"},"Kibana_HTTP_APIs_new_output_kafka":{"additionalProperties":false,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":
"array"},"auth_type":{"enum":["none","user_pass","ssl","kerberos"],"type":"string"},"broker_timeout":{"type":"number"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"client_id":{"type":"string"},"compression":{"enum":["gzip","snappy","lz4","none"],"type":"string"},"compression_level":{"type":"number"},"config_yaml":{"nullable":true,"type":"string"},"connection_type":{"enum":["plaintext","encryption"],"type":"string"},"hash":{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"random":{"type":"boolean"}}},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"key":{"type":"string"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"partition":{"enum":["random","round_robin","hash"],"type":"string"},"password":{"nullable":true,"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"random":{"additionalProperties":false,"type":"object","properties":{"group_events":{"type":"number"}}},"required_acks":{"enum":[1,0,-1],"type":"integer"},"round_robin":{"additionalProperties":false,"type":"object","properties":{"group_events":{"type":"number"}}},"sasl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"mechanism":{"enum":["PLAIN","SCRAM-SHA-256","SCRAM-SHA-512"],"type":"string"}}},"secrets":{"additionalProperties":false,"type":"object","properties":{"password":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"strin
g"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}},"required":["key"]}}},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"timeout":{"type":"number"},"topic":{"type":"string"},"type":{"enum":["kafka"],"type":"string"},"username":{"nullable":true,"type":"string"},"version":{"type":"string"}},"required":["name","type","hosts","auth_type"],"title":"new_output_kafka","type":"object"},"Kibana_HTTP_APIs_new_output_logstash":{"additionalProperties":false,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/c
omponents\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"type":{"enum":["logstash"],"type":"string"}},"required":["name","type","hosts"],"title":"new_output_logstash","type":"object"},"Kibana_HTTP_APIs_new_output_remote_elasticsearch":{"additionalProperties":false,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"kibana_api_key":{"nullable":true,"type":"string"},"kibana_url":{"nullable":true,"type":"string"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"service_token":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"service_token":{"nullable":true,"type":"string"},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"sync_integrations":{"type":"boolean"},"sync_uninstalled_integrations":{"type":"boo
lean"},"type":{"enum":["remote_elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"],"title":"new_output_remote_elasticsearch","type":"object"},"Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":true,"description":"The parameters for the custom threshold rule. 
These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`.","properties":{"alertOnGroupDisappear":{"type":"boolean"},"alertOnNoData":{"type":"boolean"},"criteria":{"items":{"additionalProperties":false,"type":"object","properties":{"aggType":{"enum":["custom"],"type":"string"},"comparator":{"type":"string"},"equation":{"type":"string"},"label":{"type":"string"},"metrics":{"items":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"aggType":{"type":"string"},"field":{"type":"string"},"filter":{"type":"string"},"name":{"type":"string"}},"required":["name","aggType","field"]},{"additionalProperties":false,"type":"object","properties":{"aggType":{"enum":["count"],"type":"string"},"filter":{"type":"string"},"name":{"type":"string"}},"required":["name","aggType"]}]},"type":"array"},"threshold":{"items":{"type":"number"},"type":"array"},"timeSize":{"type":"number"},"timeUnit":{"type":"string"}},"required":["threshold","comparator","timeUnit","timeSize","metrics"]},"type":"array"},"groupBy":{"anyOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"noDataBehavior":{"enum":["recover","remainActive","alertOnNoData"],"type":"string"},"searchConfiguration":{"additionalProperties":false,"type":"object","properties":{"filter":{"items":{"additionalProperties":false,"type":"object","properties":{"meta":{"additionalProperties":{"nullable":true},"type":"object"},"query":{"additionalProperties":{"nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"index":{"anyOf":[{"type":"string"},{"additionalProperties":false,"type":"object","properties":{"allowHidden":{"type":"boolean"},"allowNoIndex":{"type":"boolean"},"fieldAttrs":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"count":{"type":"number"},"customDescription":{"maxLength":300,"type":"string"},"customLabel":{"type":"string"}}},"type":"object"},"fieldFormats":{"additionalProperties":{"additionalProperties":fal
se,"type":"object","properties":{"id":{"type":"string"},"params":{"nullable":true}},"required":["params"]},"type":"object"},"fields":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"aggregatable":{"type":"boolean"},"count":{"minimum":0,"type":"number"},"customDescription":{"maxLength":300,"type":"string"},"customLabel":{"type":"string"},"esTypes":{"items":{"type":"string"},"type":"array"},"format":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"params":{"nullable":true}},"required":["params"]},"name":{"maxLength":1000,"type":"string"},"readFromDocValues":{"type":"boolean"},"runtimeField":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"customDescription":{"maxLength":300,"type":"string"},"customLabel":{"type":"string"},"format":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"params":{"nullable":true}},"required":["params"]},"popularity":{"minimum":0,"type":"number"},"script":{"additionalProperties":false,"type":"object","properties":{"source":{"type":"string"}},"required":["source"]},"type":{"enum":["keyword","long","double","date","ip","boolean","geo_point"],"type":"string"}},"required":["type"]},{"additionalProperties":false,"type":"object","properties":{"fields":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"customDescription":{"maxLength":300,"type":"string"},"customLabel":{"type":"string"},"format":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"params":{"nullable":true}},"required":["params"]},"popularity":{"minimum":0,"type":"number"},"type":{"enum":["keyword","long","double","date","ip","boolean","geo_point"],"type":"string"}},"required":["type"]},"type":"object"},"script":{"additionalProperties":false,"type":"object","properties":{"source":{"type":"string"}},"required":["source"]},"type":{"enum":["composite"],"type":"string"}},"required":["type"]}]},"script
":{"maxLength":1000000,"type":"string"},"scripted":{"type":"boolean"},"searchable":{"type":"boolean"},"shortDotsEnable":{"type":"boolean"},"subType":{"additionalProperties":false,"type":"object","properties":{"multi":{"additionalProperties":false,"type":"object","properties":{"parent":{"type":"string"}},"required":["parent"]},"nested":{"additionalProperties":false,"type":"object","properties":{"path":{"type":"string"}},"required":["path"]}}},"type":{"default":"string","maxLength":1000,"type":"string"}},"required":["name"]},"type":"object"},"id":{"type":"string"},"managed":{"type":"boolean"},"name":{"type":"string"},"namespaces":{"items":{"type":"string"},"type":"array"},"runtimeFieldMap":{"additionalProperties":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"customDescription":{"maxLength":300,"type":"string"},"customLabel":{"type":"string"},"format":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"params":{"nullable":true}},"required":["params"]},"popularity":{"minimum":0,"type":"number"},"script":{"additionalProperties":false,"type":"object","properties":{"source":{"type":"string"}},"required":["source"]},"type":{"enum":["keyword","long","double","date","ip","boolean","geo_point"],"type":"string"}},"required":["type"]},{"additionalProperties":false,"type":"object","properties":{"fields":{"additionalProperties":{"additionalProperties":false,"type":"object","properties":{"customDescription":{"maxLength":300,"type":"string"},"customLabel":{"type":"string"},"format":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"},"params":{"nullable":true}},"required":["params"]},"popularity":{"minimum":0,"type":"number"},"type":{"enum":["keyword","long","double","date","ip","boolean","geo_point"],"type":"string"}},"required":["type"]},"type":"object"},"script":{"additionalProperties":false,"type":"object","properties":{"source":{"type":"string"}},"required":["source"]},"type":{"enum":["compos
ite"],"type":"string"}},"required":["type"]}]},"type":"object"},"sourceFilters":{"items":{"additionalProperties":false,"type":"object","properties":{"clientId":{"anyOf":[{"type":"string"},{"type":"number"}]},"value":{"type":"string"}},"required":["value"]},"type":"array"},"timeFieldName":{"type":"string"},"title":{"type":"string"},"type":{"type":"string"},"typeMeta":{"additionalProperties":true,"type":"object","properties":{}},"version":{"type":"string"}},"required":["title"]}]},"query":{"additionalProperties":false,"type":"object","properties":{"language":{"type":"string"},"query":{"type":"string"}},"required":["language","query"]}},"required":["index","query"]}},"required":["criteria","searchConfiguration"],"title":"Custom Threshold Rule Params","type":"object"},"rule_type_id":{"enum":["observability.rules.custom_threshold"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Custom threshold","type":"object"},"Kibana_HTTP_APIs_output_elasticsearch":{"additionalProperties":true,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"type":{"enum":["elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"],"title":"output_elasticsearch","type":"object"},"Kibana_HTTP_APIs_output_kafka":{"additionalProperties":true,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"auth_ty
pe":{"enum":["none","user_pass","ssl","kerberos"],"type":"string"},"broker_timeout":{"type":"number"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"client_id":{"type":"string"},"compression":{"enum":["gzip","snappy","lz4","none"],"type":"string"},"compression_level":{"type":"number"},"config_yaml":{"nullable":true,"type":"string"},"connection_type":{"enum":["plaintext","encryption"],"type":"string"},"hash":{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"random":{"type":"boolean"}}},"headers":{"items":{"additionalProperties":true,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"key":{"type":"string"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"partition":{"enum":["random","round_robin","hash"],"type":"string"},"password":{"nullable":true,"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"random":{"additionalProperties":true,"type":"object","properties":{"group_events":{"type":"number"}}},"required_acks":{"enum":[1,0,-1],"type":"integer"},"round_robin":{"additionalProperties":true,"type":"object","properties":{"group_events":{"type":"number"}}},"sasl":{"additionalProperties":true,"nullable":true,"type":"object","properties":{"mechanism":{"enum":["PLAIN","SCRAM-SHA-256","SCRAM-SHA-512"],"type":"string"}}},"secrets":{"additionalProperties":true,"type":"object","properties":{"password":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string
"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}},"required":["key"]}}},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"timeout":{"type":"number"},"topic":{"type":"string"},"type":{"enum":["kafka"],"type":"string"},"username":{"nullable":true,"type":"string"},"version":{"type":"string"}},"required":["name","type","hosts","auth_type"],"title":"output_kafka","type":"object"},"Kibana_HTTP_APIs_output_logstash":{"additionalProperties":true,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_o
utput_ssl"}],"nullable":true},"type":{"enum":["logstash"],"type":"string"}},"required":["name","type","hosts"],"title":"output_logstash","type":"object"},"Kibana_HTTP_APIs_output_remote_elasticsearch":{"additionalProperties":true,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"kibana_api_key":{"nullable":true,"type":"string"},"kibana_url":{"nullable":true,"type":"string"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":true,"type":"object","properties":{"service_token":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":true,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":true,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"service_token":{"nullable":true,"type":"string"},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"sync_integrations":{"type":"boolean"},"sync_uninstalled_integrations":{"type":"boolean"},"type":{"enum":["remote_elasticsearch"],"typ
e":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"required":["name","type","hosts"],"title":"output_remote_elasticsearch","type":"object"},"Kibana_HTTP_APIs_output_shipper":{"additionalProperties":true,"properties":{"compression_level":{"nullable":true,"type":"number"},"disk_queue_compression_enabled":{"nullable":true,"type":"boolean"},"disk_queue_enabled":{"default":false,"nullable":true,"type":"boolean"},"disk_queue_encryption_enabled":{"nullable":true,"type":"boolean"},"disk_queue_max_size":{"nullable":true,"type":"number"},"disk_queue_path":{"nullable":true,"type":"string"},"loadbalance":{"nullable":true,"type":"boolean"},"max_batch_bytes":{"nullable":true,"type":"number"},"mem_queue_events":{"nullable":true,"type":"number"},"queue_flush_timeout":{"nullable":true,"type":"number"}},"required":["disk_queue_path","disk_queue_max_size","disk_queue_encryption_enabled","disk_queue_compression_enabled","compression_level","loadbalance","mem_queue_events","queue_flush_timeout","max_batch_bytes"],"title":"output_shipper","type":"object"},"Kibana_HTTP_APIs_output_ssl":{"additionalProperties":true,"properties":{"certificate":{"type":"string"},"certificate_authorities":{"items":{"type":"string"},"maxItems":10,"type":"array"},"key":{"type":"string"},"verification_mode":{"enum":["full","none","certificate","strict"],"type":"string"}},"title":"output_ssl","type":"object"},"Kibana_HTTP_APIs_QueryStreamUpsertRequest":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"type":"string"},"type":"array"},"queries":{"items":{"type":"object","properties":{"description":{"type":"string"},"esql":{"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"evidence":{"items":{"type":"string"},"type":"array"},"id":{"description":"A non-empty string.","minLength":1,"type":"string"},"severity_score":{"type":"number"},"title":{"description":"A non-empty 
string.","minLength":1,"type":"string"},"type":{"default":"match","enum":["match","stats"],"type":"string"}},"required":["id","title","description","esql"]},"type":"array"},"rules":{"items":{"type":"string"},"type":"array"},"stream":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"field_descriptions":{"additionalProperties":{"type":"string"},"type":"object"},"query":{"additionalProperties":false,"type":"object","properties":{"esql":{"type":"string"},"view":{"type":"string"}},"required":["view","esql"]},"query_streams":{"items":{"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"type":"array"},"type":{"enum":["query"],"type":"string"}},"required":["description","type","query"]}},"required":["dashboards","rules","queries","stream"]},"Kibana_HTTP_APIs_RecursiveRecord":{"additionalProperties":{"anyOf":[{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"nullable":true},{}]},{"items":{"anyOf":[{"type":"string"},{"type":"number"},{"type":"boolean"},{"nullable":true},{}]},"type":"array"},{"items":{},"type":"array"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_RecursiveRecord"}]},"type":"object"},"Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action.
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule.
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the SLO burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`.","properties":{"dependencies":{"items":{"additionalProperties":false,"type":"object","properties":{"actionGroupsToSuppressOn":{"items":{"type":"string"},"type":"array"},"ruleId":{"type":"string"}},"required":["ruleId","actionGroupsToSuppressOn"]},"type":"array"},"sloId":{"type":"string"},"windows":{"items":{"additionalProperties":false,"type":"object","properties":{"actionGroup":{"type":"string"},"burnRateThreshold":{"type":"number"},"id":{"type":"string"},"longWindow":{"additionalProperties":false,"type":"object","properties":{"unit":{"type":"string"},"value":{"type":"number"}},"required":["value","unit"]},"maxBurnRateThreshold":{"nullable":true,"type":"number"},"shortWindow":{"additionalProperties":false,"type":"object","properties":{"unit":{"type":"string"},"value":{"type":"number"}},"required":["value","unit"]}},"required":["id","burnRateThreshold","maxBurnRateThreshold","longWindow","shortWindow","actionGroup"]},"type":"array"}},"required":["sloId","windows"],"title":"SLO Burn Rate Rule Params","type":"object"},"rule_type_id":{"enum":["slo.rules.burnRate"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead.
The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"SLO burn rate","type":"object"},"Kibana_HTTP_APIs_StreamlangConditionBlock":{"additionalProperties":false,"type":"object","properties":{"condition":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_ConditionWithSteps"},"customIdentifier":{"type":"string"}},"required":["condition"]},"Kibana_HTTP_APIs_StreamlangStep":{"anyOf":[{"anyOf":[{"additionalProperties":false,"description":"Grok processor - Extract fields from text using grok patterns","type":"object","properties":{"action":{"enum":["grok"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with grok patterns","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern_definitions":{"additionalProperties":{"type":"string"},"type":"object"},"patterns":{"description":"Grok patterns applied in order to extract fields","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"minItems":1,"type":"array"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","patterns"]},{"additionalProperties":false,"description":"Dissect processor - Extract fields from text using a 
lightweight, delimiter-based parser","type":"object","properties":{"action":{"enum":["dissect"],"type":"string"},"append_separator":{"description":"Separator inserted when target fields are concatenated","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to parse with dissect pattern","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"pattern":{"description":"Dissect pattern describing field boundaries","minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern"]},{"additionalProperties":false,"description":"Date processor - Parse dates from strings using one or more expected formats","type":"object","properties":{"action":{"enum":["date"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"formats":{"description":"Accepted input date formats, tried in order","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":"array"},"from":{"description":"Source field containing the date\/time text","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"locale":{"description":"Optional locale for date parsing","minLength":1,"type":"string"},"output_format":{"description":"Optional output format for storing the 
parsed date as text","minLength":1,"type":"string"},"timezone":{"description":"Optional timezone for date parsing","minLength":1,"type":"string"},"to":{"description":"Target field for the parsed date (defaults to source)","minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","formats"]},{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["drop_document"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action"]},{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["math"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"expression":{"description":"A non-empty string.","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","expression","to"]},{"additionalProperties":false,"description":"Rename processor - Change a field name and optionally its 
location","type":"object","properties":{"action":{"enum":["rename"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Existing source field to rename or move","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip when source field is missing","type":"boolean"},"override":{"description":"Allow overwriting the target field if it already exists","type":"boolean"},"to":{"description":"New field name or destination path","minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","to"]},{"additionalProperties":false,"description":"Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)","type":"object","properties":{"action":{"enum":["set"],"type":"string"},"copy_from":{"description":"Copy value from another field instead of providing a literal","minLength":1,"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"override":{"description":"Allow overwriting an existing target field","type":"boolean"},"to":{"description":"Target field to set or create","minLength":1,"type":"string"},"value":{"description":"Literal value to assign to the target field"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this 
processor runs"}},"required":["action","to"]},{"additionalProperties":false,"description":"Append processor - Append one or more values to an existing or new array field","type":"object","properties":{"action":{"enum":["append"],"type":"string"},"allow_duplicates":{"description":"If true, do not deduplicate appended values","type":"boolean"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"to":{"description":"Array field to append values to","minLength":1,"type":"string"},"value":{"description":"Values to append (must be literal, no templates)","items":{},"minItems":1,"type":"array"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","to","value"]},{"additionalProperties":false,"description":"Remove by prefix processor - Remove a field and all nested fields matching the prefix","type":"object","properties":{"action":{"enum":["remove_by_prefix"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove along with all its nested fields","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"}},"required":["action","from"]},{"additionalProperties":false,"description":"Remove processor - Delete one or more fields from the document","type":"object","properties":{"action":{"enum":["remove"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor 
across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Field to remove from the document","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["replace"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"pattern":{"minLength":1,"type":"string"},"replacement":{"type":"string"},"to":{"minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","pattern","replacement"]},{"additionalProperties":false,"description":"Redact processor - Mask sensitive data using Grok patterns","type":"object","properties":{"action":{"enum":["redact"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to redact sensitive data from","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if 
this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing (defaults to true)","type":"boolean"},"pattern_definitions":{"additionalProperties":{"type":"string"},"description":"Custom pattern definitions to use in the patterns","type":"object"},"patterns":{"description":"Grok patterns to match sensitive data (for example, \"%{IP:client}\", \"%{EMAILADDRESS:email}\")","items":{"description":"A non-empty string.","minLength":1,"type":"string"},"minItems":1,"type":"array"},"prefix":{"description":"Prefix to prepend to the redacted pattern name (defaults to \"<\")","type":"string"},"suffix":{"description":"Suffix to append to the redacted pattern name (defaults to \">\")","type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","patterns"]},{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["uppercase"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["lowercase"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor 
step","type":"string"},"from":{"minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["trim"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["join"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"delimiter":{"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"items":{"minLength":1,"type":"string"},"minItems":1,"type":"array"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","delimiter","to"]},{"additionalProperties":false,"description":"Split 
processor - Split a field value into an array using a separator","type":"object","properties":{"action":{"enum":["split"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to split into an array","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"preserve_trailing":{"description":"Preserve empty trailing fields in the split result","type":"boolean"},"separator":{"description":"Regex separator used to split the field value into an array","minLength":1,"type":"string"},"to":{"description":"Target field for the split array (defaults to source)","minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","separator"]},{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["sort"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Array field to sort","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"order":{"description":"Sort order - \"asc\" (ascending) or \"desc\" (descending). 
Defaults to \"asc\"","enum":["asc","desc"],"type":"string"},"to":{"description":"Target field for the sorted array (defaults to source)","minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from"]},{"additionalProperties":false,"description":"Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)","type":"object","properties":{"action":{"enum":["convert"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"from":{"description":"Source field to convert to a different data type","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"to":{"description":"Target field for the converted value (defaults to source)","minLength":1,"type":"string"},"type":{"description":"Target data type: integer, long, double, boolean, or string","enum":["integer","long","double","boolean","string"],"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","type"]},{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["concat"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor 
step","type":"string"},"from":{"items":{"anyOf":[{"type":"object","properties":{"type":{"enum":["field"],"type":"string"},"value":{"minLength":1,"type":"string"}},"required":["type","value"]},{"type":"object","properties":{"type":{"enum":["literal"],"type":"string"},"value":{"type":"string"}},"required":["type","value"]}]},"minItems":1,"type":"array"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"to":{"minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","from","to"]},{"allOf":[{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["network_direction"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"destination_ip":{"minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"source_ip":{"minLength":1,"type":"string"},"target_field":{"minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","source_ip","destination_ip"]},{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"internal_networks":{"items":{"type":"string"},"type":"array"}},"required":["internal_networks"]},{"additionalProperties":false,"type":"object","properties":{"internal_networks_field":{"minLength":1,"type":"string"}},"required":["internal_networks_field"]}]}]},{"additionalProperties":false,"description":"JsonExtract processor - Extract values from JSON strings using JSONPath-like 
selectors","type":"object","properties":{"action":{"enum":["json_extract"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"extractions":{"description":"List of extraction specifications","items":{"description":"A single extraction specification","type":"object","properties":{"selector":{"description":"JSONPath-like selector to extract value (e.g., \"user.id\", \"$.metadata.client.ip\", \"items[0].name\")","minLength":1,"type":"string"},"target_field":{"description":"Target field to store the extracted value","minLength":1,"type":"string"},"type":{"description":"Data type for the extracted value. Defaults to \"keyword\". Ensures consistent types across transpilers.","enum":["keyword","integer","long","double","boolean"],"type":"string"}},"required":["selector","target_field"]},"minItems":1,"type":"array"},"field":{"description":"Source field containing the JSON string to parse","minLength":1,"type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"ignore_missing":{"description":"Skip processing when source field is missing","type":"boolean"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","field","extractions"]},{"additionalProperties":false,"type":"object","properties":{"action":{"enum":["enrich"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor 
fails","type":"boolean"},"ignore_missing":{"type":"boolean"},"override":{"type":"boolean"},"policy_name":{"description":"A non-empty string.","minLength":1,"type":"string"},"to":{"minLength":1,"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor runs"}},"required":["action","policy_name","to"]},{"additionalProperties":false,"description":"Manual ingest pipeline wrapper around native Elasticsearch processors","type":"object","properties":{"action":{"description":"Manual ingest pipeline - executes raw Elasticsearch ingest processors","enum":["manual_ingest_pipeline"],"type":"string"},"customIdentifier":{"description":"Custom identifier to correlate this processor across outputs","minLength":1,"type":"string"},"description":{"description":"Human-readable notes about this processor step","type":"string"},"ignore_failure":{"description":"Continue pipeline execution if this processor fails","type":"boolean"},"on_failure":{"description":"Fallback processors to run when a processor fails","items":{"additionalProperties":{},"type":"object"},"type":"array"},"processors":{"description":"List of raw Elasticsearch ingest processors to run","items":{"additionalProperties":{},"type":"object"},"type":"array"},"tag":{"description":"Optional ingest processor tag for Elasticsearch","type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition","description":"Conditional expression controlling whether this processor 
runs"}},"required":["action","processors"]}]},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_StreamlangConditionBlock"}]},"Kibana_HTTP_APIs_StreamUpsertRequest":{"anyOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_WiredStreamUpsertRequest"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_ClassicStreamUpsertRequest"},{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_QueryStreamUpsertRequest"}]},"Kibana_HTTP_APIs_transform-health-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the 
filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the transform health rule. 
These parameters are appropriate when `rule_type_id` is `transform_health`.","properties":{"excludeTransforms":{"default":[],"items":{"type":"string"},"nullable":true,"type":"array"},"includeTransforms":{"items":{"type":"string"},"type":"array"},"testsConfig":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"errorMessages":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"enabled":{"default":false,"type":"boolean"}}},"healthCheck":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"enabled":{"default":true,"type":"boolean"}}},"notStarted":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"enabled":{"default":true,"type":"boolean"}}}},"required":["notStarted","errorMessages","healthCheck"]}},"required":["includeTransforms","testsConfig"],"title":"Transform Health Rule Params","type":"object"},"rule_type_id":{"enum":["transform_health"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Transform health","type":"object"},"Kibana_HTTP_APIs_update_output_elasticsearch":{"additionalProperties":false,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"type":"boolean"},"is_default_monitoring":{"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"type":{"enum":["elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"title":"update_output_elasticsearch","type":"object"},"Kibana_HTTP_APIs_update_output_kafka":{"additionalProperties":false,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"auth_type":{"enum":["none","user_pass","ssl","ke
rberos"],"type":"string"},"broker_timeout":{"type":"number"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"client_id":{"type":"string"},"compression":{"enum":["gzip","snappy","lz4","none"],"type":"string"},"compression_level":{"type":"number"},"config_yaml":{"nullable":true,"type":"string"},"connection_type":{"enum":["plaintext","encryption"],"type":"string"},"hash":{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"random":{"type":"boolean"}}},"headers":{"items":{"additionalProperties":false,"type":"object","properties":{"key":{"type":"string"},"value":{"type":"string"}},"required":["key","value"]},"maxItems":100,"type":"array"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"default":false,"type":"boolean"},"is_default_monitoring":{"default":false,"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"key":{"type":"string"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"partition":{"enum":["random","round_robin","hash"],"type":"string"},"password":{"nullable":true,"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"random":{"additionalProperties":false,"type":"object","properties":{"group_events":{"type":"number"}}},"required_acks":{"enum":[1,0,-1],"type":"integer"},"round_robin":{"additionalProperties":false,"type":"object","properties":{"group_events":{"type":"number"}}},"sasl":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"mechanism":{"enum":["PLAIN","SCRAM-SHA-256","SCRAM-SHA-512"],"type":"string"}}},"secrets":{"additionalProperties":false,"type":"object","properties":{"password":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"st
ring"}]},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}},"required":["key"]}}},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"timeout":{"type":"number"},"topic":{"type":"string"},"type":{"enum":["kafka"],"type":"string"},"username":{"nullable":true,"type":"string"},"version":{"type":"string"}},"required":["name"],"title":"update_output_kafka","type":"object"},"Kibana_HTTP_APIs_update_output_logstash":{"additionalProperties":false,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"type":"boolean"},"is_default_monitoring":{"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"type":{"enum":["logstash"],"type":"string"
}},"title":"update_output_logstash","type":"object"},"Kibana_HTTP_APIs_update_output_remote_elasticsearch":{"additionalProperties":false,"properties":{"allow_edit":{"items":{"type":"string"},"maxItems":1000,"type":"array"},"ca_sha256":{"nullable":true,"type":"string"},"ca_trusted_fingerprint":{"nullable":true,"type":"string"},"config_yaml":{"nullable":true,"type":"string"},"hosts":{"items":{"format":"uri","type":"string"},"maxItems":10,"minItems":1,"type":"array"},"id":{"type":"string"},"is_default":{"type":"boolean"},"is_default_monitoring":{"type":"boolean"},"is_internal":{"type":"boolean"},"is_preconfigured":{"type":"boolean"},"kibana_api_key":{"nullable":true,"type":"string"},"kibana_url":{"nullable":true,"type":"string"},"name":{"type":"string"},"otel_disable_beatsauth":{"nullable":true,"type":"boolean"},"otel_exporter_config_yaml":{"nullable":true,"type":"string"},"preset":{"enum":["balanced","custom","throughput","scale","latency"],"type":"string"},"proxy_id":{"nullable":true,"type":"string"},"secrets":{"additionalProperties":false,"type":"object","properties":{"service_token":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]},"ssl":{"additionalProperties":false,"type":"object","properties":{"key":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"hash":{"type":"string"},"id":{"type":"string"}},"required":["id"]},{"type":"string"}]}}}}},"service_token":{"nullable":true,"type":"string"},"shipper":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_shipper"}],"nullable":true},"ssl":{"allOf":[{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_output_ssl"}],"nullable":true},"sync_integrations":{"type":"boolean"},"sync_uninstalled_integrations":{"type":"boolean"},"type":{"enum":["remote_elasticsearch"],"type":"string"},"write_to_logs_streams":{"nullable":true,"type":"boolean"}},"title":"update_output_remote_elasticsearch","ty
pe":"object"},"Kibana_HTTP_APIs_WiredStreamUpsertRequest":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"type":"string"},"type":"array"},"queries":{"items":{"type":"object","properties":{"description":{"type":"string"},"esql":{"type":"object","properties":{"query":{"type":"string"}},"required":["query"]},"evidence":{"items":{"type":"string"},"type":"array"},"id":{"description":"A non-empty string.","minLength":1,"type":"string"},"severity_score":{"type":"number"},"title":{"description":"A non-empty string.","minLength":1,"type":"string"},"type":{"default":"match","enum":["match","stats"],"type":"string"}},"required":["id","title","description","esql"]},"type":"array"},"rules":{"items":{"type":"string"},"type":"array"},"stream":{"additionalProperties":false,"type":"object","properties":{"description":{"type":"string"},"ingest":{"additionalProperties":false,"type":"object","properties":{"failure_store":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_FailureStore"},"lifecycle":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_IngestStreamLifecycle"},"processing":{"additionalProperties":false,"type":"object","properties":{"steps":{"items":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_StreamlangStep"},"type":"array"},"updated_at":{}},"required":["steps"]},"settings":{"additionalProperties":false,"type":"object","properties":{"index.number_of_replicas":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.number_of_shards":{"additionalProperties":false,"type":"object","properties":{"value":{"type":"number"}},"required":["value"]},"index.refresh_interval":{"additionalProperties":false,"type":"object","properties":{"value":{"anyOf":[{"type":"string"},{"enum":[-1],"type":"number"}]}},"required":["value"]}}},"wired":{"additionalProperties":false,"type":"object","properties":{"draft":{"type":"boolean"},"fields":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_FieldDefiniti
on"},"routing":{"items":{"type":"object","properties":{"destination":{"description":"A non-empty string.","minLength":1,"type":"string"},"draft":{"type":"boolean"},"status":{"enum":["enabled","disabled"],"type":"string"},"where":{"$ref":"#\/components\/schemas\/Kibana_HTTP_APIs_Condition"}},"required":["destination","where"]},"type":"array"}},"required":["fields","routing"]}},"required":["lifecycle","processing","settings","failure_store","wired"]},"query_streams":{"items":{"type":"object","properties":{"name":{"type":"string"}},"required":["name"]},"type":"array"},"type":{"enum":["wired"],"type":"string"}},"required":["description","ingest","type"]}},"required":["dashboards","rules","queries","stream"]},"Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert`.","properties":{"includeInterim":{"default":true,"type":"boolean"},"jobSelection":{"additionalProperties":false,"type":"object","properties":{"groupIds":{"default":[],"items":{"type":"string"},"type":"array"},"jobIds":{"default":[],"items":{"type":"string"},"type":"array"}}},"kqlQueryString":{"nullable":true,"type":"string"},"lookbackInterval":{"nullable":true,"type":"string"},"resultType":{"enum":["record","bucket","influencer"],"type":"string"},"severity":{"maximum":100,"minimum":0,"type":"number"},"topNBuckets":{"minimum":1,"nullable":true,"type":"number"}},"required":["jobSelection","severity","resultType","lookbackInterval","topNBuckets","kqlQueryString"],"title":"Anomaly Detection Rule Params","type":"object"},"rule_type_id":{"enum":["xpack.ml.anomaly_detection_alert"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Anomaly detection","type":"object"},"Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the anomaly detection jobs health rule. 
These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health`.","properties":{"excludeJobs":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"groupIds":{"default":[],"items":{"type":"string"},"type":"array"},"jobIds":{"default":[],"items":{"type":"string"},"type":"array"}}},"includeJobs":{"additionalProperties":false,"type":"object","properties":{"groupIds":{"default":[],"items":{"type":"string"},"type":"array"},"jobIds":{"default":[],"items":{"type":"string"},"type":"array"}}},"testsConfig":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"behindRealtime":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"enabled":{"default":true,"type":"boolean"},"timeInterval":{"nullable":true,"type":"string"}},"required":["timeInterval"]},"datafeed":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"enabled":{"default":true,"type":"boolean"}}},"delayedData":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"docsCount":{"minimum":1,"nullable":true,"type":"number"},"enabled":{"default":true,"type":"boolean"},"timeInterval":{"nullable":true,"type":"string"}},"required":["docsCount","timeInterval"]},"errorMessages":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"enabled":{"default":true,"type":"boolean"}}},"mml":{"additionalProperties":false,"nullable":true,"type":"object","properties":{"enabled":{"default":true,"type":"boolean"}}}},"required":["datafeed","mml","delayedData","behindRealtime","errorMessages"]}},"required":["includeJobs","excludeJobs","testsConfig"],"title":"Anomaly Detection Jobs Health Rule Params","type":"object"},"rule_type_id":{"enum":["xpack.ml.anomaly_detection_jobs_health"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are 
checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Anomaly detection jobs health","type":"object"},"Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`.","properties":{"condition":{"additionalProperties":false,"type":"object","properties":{"alertOnNoData":{"type":"boolean"},"downThreshold":{"type":"number"},"groupBy":{"type":"string"},"includeRetests":{"type":"boolean"},"locationsThreshold":{"type":"number"},"recoveryStrategy":{"enum":["firstUp","conditionNotMet"],"type":"string"},"window":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"time":{"additionalProperties":false,"type":"object","properties":{"size":{"default":5,"type":"number"},"unit":{"default":"m","enum":["s","m","h","d"],"type":"string"}}}},"required":["time"]},{"additionalProperties":false,"type":"object","properties":{"numberOfChecks":{"default":5,"maximum":100,"minimum":1,"type":"number"}}}]}},"required":["window"]},"kqlQuery":{"type":"string"},"locations":{"items":{"type":"string"},"type":"array"},"monitorIds":{"items":{"type":"string"},"type":"array"},"monitorTypes":{"items":{"type":"string"},"type":"array"},"projects":{"items":{"type":"string"},"type":"array"},"tags":{"items":{"type":"string"},"type":"array"}},"title":"Synthetics Monitor Status Rule Params","type":"object"},"rule_type_id":{"enum":["xpack.synthetics.alerts.monitorStatus"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for 
the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Synthetics monitor status","type":"object"},"Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the synthetics tls rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`.","properties":{"certAgeThreshold":{"type":"number"},"certExpirationThreshold":{"type":"number"},"kqlQuery":{"type":"string"},"locations":{"items":{"type":"string"},"type":"array"},"monitorIds":{"items":{"type":"string"},"type":"array"},"monitorTypes":{"items":{"type":"string"},"type":"array"},"projects":{"items":{"type":"string"},"type":"array"},"search":{"type":"string"},"tags":{"items":{"type":"string"},"type":"array"}},"title":"Synthetics TLS Rule Params","type":"object"},"rule_type_id":{"enum":["xpack.synthetics.alerts.tls"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Synthetics TLS","type":"object"},"Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language 
(KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. 
The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. 
By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the uptime duration anomaly rule. 
These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`.","properties":{"monitorId":{"type":"string"},"severity":{"type":"number"},"stackVersion":{"type":"string"}},"required":["monitorId","severity"],"title":"Uptime Duration Anomaly Rule Params","type":"object"},"rule_type_id":{"enum":["xpack.uptime.alerts.durationAnomaly"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Uptime duration anomaly","type":"object"},"Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`.","properties":{"availability":{"additionalProperties":false,"type":"object","properties":{"range":{"type":"number"},"rangeUnit":{"type":"string"},"threshold":{"type":"string"}},"required":["range","rangeUnit","threshold"]},"filters":{"anyOf":[{"additionalProperties":false,"type":"object","properties":{"monitor.type":{"items":{"type":"string"},"type":"array"},"observer.geo.name":{"items":{"type":"string"},"type":"array"},"tags":{"items":{"type":"string"},"type":"array"},"url.port":{"items":{"type":"string"},"type":"array"}}},{"type":"string"}]},"isAutoGenerated":{"type":"boolean"},"locations":{"items":{"type":"string"},"type":"array"},"numTimes":{"type":"number"},"search":{"type":"string"},"shouldCheckAvailability":{"type":"boolean"},"shouldCheckStatus":{"type":"boolean"},"stackVersion":{"type":"string"},"timerange":{"additionalProperties":false,"type":"object","properties":{"from":{"type":"string"},"to":{"type":"string"}},"required":["from","to"]},"timerangeCount":{"type":"number"},"timerangeUnit":{"type":"string"},"version":{"type":"number"}},"required":["numTimes","shouldCheckStatus","shouldCheckAvailability"],"title":"Uptime Monitor Status Rule Params","type":"object"},"rule_type_id":{"enum":["xpack.uptime.alerts.monitorStatus"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or 
days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Uptime monitor status","type":"object"},"Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting":{"additionalProperties":false,"properties":{"actions":{"default":[],"items":{"additionalProperties":false,"description":"An action that runs under defined conditions.","type":"object","properties":{"alerts_filter":{"additionalProperties":false,"description":"Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. 
For example, if an alert occurs within the specified time frame and matches the query, the action runs.","type":"object","properties":{"query":{"additionalProperties":false,"type":"object","properties":{"dsl":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL).","type":"string"},"filters":{"description":"A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.","items":{"additionalProperties":false,"type":"object","properties":{"$state":{"additionalProperties":false,"type":"object","properties":{"store":{"description":"A filter can be either specific to an application context or applied globally.","enum":["appState","globalState"],"type":"string"}},"required":["store"]},"meta":{"additionalProperties":{"description":"An object with fields such as \"controlledBy\", \"disabled\", \"field\", \"group\", \"index\", \"isMultiIndex\", \"key\", \"negate\", \"params\",  \"type\", \"value\"","nullable":true},"type":"object"},"query":{"additionalProperties":{"description":"A query for the filter.","nullable":true},"type":"object"}},"required":["meta"]},"type":"array"},"kql":{"description":"A filter written in Kibana Query Language (KQL).","type":"string"}},"required":["kql","filters"]},"timeframe":{"additionalProperties":false,"description":"Defines a period that limits whether the action runs.","type":"object","properties":{"days":{"description":"Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.","items":{"enum":[1,2,3,4,5,6,7],"type":"integer"},"type":"array"},"hours":{"additionalProperties":false,"description":"Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.","type":"object","properties":{"end":{"description":"The end of the time frame in 24-hour notation (`hh:mm`).","type":"string"},"start":{"description":"The start of the time frame in 24-hour notation (`hh:mm`).","type":"string"}},"required":["start","end"]},"timezone":{"description":"The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.","type":"string"}},"required":["days","hours","timezone"]}}},"frequency":{"additionalProperties":false,"type":"object","properties":{"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"type":"string"},"summary":{"description":"Indicates whether the action is a summary.","type":"boolean"},"throttle":{"description":"The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["summary","notify_when","throttle"]},"group":{"description":"The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.","type":"string"},"id":{"description":"The identifier for the connector saved object.","type":"string"},"params":{"additionalProperties":{"nullable":true},"default":{},"description":"The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.","type":"object"},"use_alert_data_for_template":{"description":"Indicates whether to use alert data as a template.","type":"boolean"},"uuid":{"description":"A universally unique identifier (UUID) for the action.","type":"string"}},"required":["id"]},"type":"array"},"alert_delay":{"additionalProperties":false,"description":"Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.","type":"object","properties":{"active":{"description":"The number of consecutive runs that must meet the rule conditions.","type":"number"}},"required":["active"]},"artifacts":{"additionalProperties":false,"type":"object","properties":{"dashboards":{"items":{"additionalProperties":false,"type":"object","properties":{"id":{"type":"string"}},"required":["id"]},"maxItems":10,"type":"array"},"investigation_guide":{"additionalProperties":false,"type":"object","properties":{"blob":{"maxLength":10000,"type":"string"}},"required":["blob"]}}},"consumer":{"description":"The name of the application or feature that owns the rule. 
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.","type":"string"},"enabled":{"default":true,"description":"Indicates whether you want to run the rule on an interval basis after it is created.","type":"boolean"},"flapping":{"additionalProperties":false,"description":"When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as \u201cflapping\u201d and notifications are reduced.","nullable":true,"type":"object","properties":{"enabled":{"description":"Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.","type":"boolean"},"look_back_window":{"description":"The minimum number of runs in which the threshold must be met.","maximum":20,"minimum":2,"type":"number"},"status_change_threshold":{"description":"The minimum number of times an alert must switch states in the look back window.","maximum":20,"minimum":2,"type":"number"}},"required":["look_back_window","status_change_threshold"]},"name":{"description":"The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.","type":"string"},"notify_when":{"description":"Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","enum":["onActionGroupChange","onActiveAlert","onThrottleInterval"],"nullable":true,"type":"string"},"params":{"additionalProperties":false,"description":"The parameters for the uptime tls rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`.","properties":{"certAgeThreshold":{"type":"number"},"certExpirationThreshold":{"type":"number"},"search":{"type":"string"},"stackVersion":{"type":"string"}},"title":"Uptime TLS Rule Params","type":"object"},"rule_type_id":{"enum":["xpack.uptime.alerts.tlsCertificate"],"type":"string"},"schedule":{"additionalProperties":false,"description":"The check interval, which specifies how frequently the rule conditions are checked.","type":"object","properties":{"interval":{"description":"The interval is specified in seconds, minutes, hours, or days.","type":"string"}},"required":["interval"]},"tags":{"default":[],"description":"The tags for the rule.","items":{"type":"string"},"type":"array"},"throttle":{"description":"Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.","nullable":true,"type":"string"}},"required":["name","consumer","schedule","rule_type_id","params"],"title":"Uptime TLS certificate","type":"object"},"Machine_learning_APIs_mlSync200Response":{"properties":{"datafeedsAdded":{"additionalProperties":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseDatafeeds"},"description":"If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.","type":"object"},"datafeedsRemoved":{"additionalProperties":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseDatafeeds"},"description":"If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.","type":"object"},"savedObjectsCreated":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated"},"savedObjectsDeleted":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted"}},"title":"Successful sync API response","type":"object"},"Machine_learning_APIs_mlSync4xxResponse":{"properties":{"error":{"example":"Unauthorized","type":"string"},"message":{"type":"string"},"statusCode":{"example":401,"type":"integer"}},"title":"Unsuccessful sync API response","type":"object"},"Machine_learning_APIs_mlSyncResponseAnomalyDetectors":{"description":"The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. 
There is an object for each relevant job, which contains the synchronization status.","properties":{"success":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseSuccess"}},"title":"Sync API response for anomaly detection jobs","type":"object"},"Machine_learning_APIs_mlSyncResponseDatafeeds":{"description":"The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.","properties":{"success":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseSuccess"}},"title":"Sync API response for datafeeds","type":"object"},"Machine_learning_APIs_mlSyncResponseDataFrameAnalytics":{"description":"The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.","properties":{"success":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseSuccess"}},"title":"Sync API response for data frame analytics jobs","type":"object"},"Machine_learning_APIs_mlSyncResponseSavedObjectsCreated":{"description":"If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.","properties":{"anomaly-detector":{"additionalProperties":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseAnomalyDetectors"},"description":"If saved objects are missing for anomaly detection jobs, they are created.","type":"object"},"data-frame-analytics":{"additionalProperties":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics"},"description":"If saved objects are missing for data frame analytics jobs, they are 
created.","type":"object"},"trained-model":{"additionalProperties":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseTrainedModels"},"description":"If saved objects are missing for trained models, they are created.","type":"object"}},"title":"Sync API response for created saved objects","type":"object"},"Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted":{"description":"If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.","properties":{"anomaly-detector":{"additionalProperties":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseAnomalyDetectors"},"description":"If saved objects exist for nonexistent anomaly detection jobs, they are deleted.","type":"object"},"data-frame-analytics":{"additionalProperties":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics"},"description":"If saved objects exist for nonexistent data frame analytics jobs, they are deleted.","type":"object"},"trained-model":{"additionalProperties":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseTrainedModels"},"description":"If saved objects exist for nonexistent trained models, they are deleted.","type":"object"}},"title":"Sync API response for deleted saved objects","type":"object"},"Machine_learning_APIs_mlSyncResponseSuccess":{"description":"The success or failure of the synchronization.","type":"boolean"},"Machine_learning_APIs_mlSyncResponseTrainedModels":{"description":"The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. 
There is an object for each relevant trained model, which contains the synchronization status.","properties":{"success":{"$ref":"#\/components\/schemas\/Machine_learning_APIs_mlSyncResponseSuccess"}},"title":"Sync API response for trained models","type":"object"},"Observability_AI_Assistant_API_Function":{"type":"object","properties":{"description":{"description":"The description of the function.","type":"string"},"name":{"description":"The name of the function.","type":"string"},"parameters":{"description":"The parameters of the function.","type":"object"}}},"Observability_AI_Assistant_API_FunctionCall":{"description":"Details of the function call within the message.","type":"object","properties":{"arguments":{"description":"The arguments for the function call.","type":"string"},"name":{"description":"The name of the function.","type":"string"},"trigger":{"description":"The trigger of the function call.","enum":["assistant","user","elastic"],"type":"string"}},"required":["name","trigger"]},"Observability_AI_Assistant_API_Instruction":{"oneOf":[{"description":"A simple instruction represented as a string.","type":"string"},{"description":"A detailed instruction with an ID and text.","type":"object","properties":{"id":{"description":"A unique identifier for the instruction.","type":"string"},"text":{"description":"The text of the instruction.","type":"string"}},"required":["id","text"]}]},"Observability_AI_Assistant_API_Message":{"name":"Message","type":"object","properties":{"@timestamp":{"description":"The timestamp when the message was created.","type":"string"},"message":{"description":"The main content of the message.","type":"object","properties":{"content":{"description":"The content of the message.","type":"string"},"data":{"description":"Additional data associated with the message.","type":"string"},"event":{"description":"The event related to the 
message.","type":"string"},"function_call":{"$ref":"#\/components\/schemas\/Observability_AI_Assistant_API_FunctionCall"},"name":{"description":"The name associated with the message.","type":"string"},"role":{"$ref":"#\/components\/schemas\/Observability_AI_Assistant_API_MessageRoleEnum"}},"required":["role"]}},"required":["@timestamp","message"]},"Observability_AI_Assistant_API_MessageRoleEnum":{"description":"The role of the message sender.","enum":["system","assistant","function","user","elastic"],"type":"string"},"Security_AI_Assistant_API_AnonymizationFieldCreateProps":{"type":"object","properties":{"allowed":{"description":"Whether this field is allowed to be sent to the model.","example":true,"type":"boolean"},"anonymized":{"description":"Whether this field should be anonymized.","example":false,"type":"boolean"},"field":{"description":"Name of the anonymization field to create.","example":"host.name","type":"string"}},"required":["field"]},"Security_AI_Assistant_API_AnonymizationFieldDetailsInError":{"type":"object","properties":{"id":{"description":"The ID of the anonymization field.","example":"field12","type":"string"},"name":{"description":"Name of the anonymization field.","example":"host.name","type":"string"}},"required":["id"]},"Security_AI_Assistant_API_AnonymizationFieldResponse":{"type":"object","properties":{"allowed":{"description":"Whether this field is allowed to be sent to the model.","example":true,"type":"boolean"},"anonymized":{"description":"Whether this field should be anonymized.","example":false,"type":"boolean"},"createdAt":{"description":"Timestamp of when the anonymization field was created.","example":"2023-10-31T12:00:00Z","type":"string"},"createdBy":{"description":"Username of the person who created the anonymization field.","example":"user1","type":"string"},"field":{"description":"Name of the anonymization 
field.","example":"url.domain","type":"string"},"id":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString","description":"The ID of the anonymization field."},"namespace":{"description":"Kibana space in which this anonymization field exists.","example":"default","type":"string"},"timestamp":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyTimestamp","description":"Timestamp when the anonymization field was initially created."},"updatedAt":{"description":"Timestamp of the last update.","example":"2023-10-31T12:00:00Z","type":"string"},"updatedBy":{"description":"Username of the person who last updated the field.","example":"user1","type":"string"}},"required":["id","field"]},"Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason":{"description":"Reason why the anonymization field was not modified.","enum":["ANONYMIZATION_FIELD_NOT_MODIFIED"],"type":"string"},"Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult":{"type":"object","properties":{"id":{"description":"The ID of the anonymization field that was not modified.","example":"field4","type":"string"},"name":{"description":"Name of the anonymization field that was not modified.","example":"user.name","type":"string"},"skip_reason":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason","description":"Reason why the anonymization field was not modified."}},"required":["id","skip_reason"]},"Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse":{"type":"object","properties":{"anonymization_fields_count":{"description":"Total number of anonymization fields processed.","example":5,"type":"integer"},"attributes":{"type":"object","properties":{"errors":{"description":"List of errors that occurred during the bulk 
operation.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NormalizedAnonymizationFieldError"},"type":"array"},"results":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults"},"summary":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BulkCrudActionSummary"}},"required":["results","summary"]},"message":{"description":"Message providing information about the bulk action result.","example":"Bulk action completed successfully","type":"string"},"status_code":{"description":"HTTP status code returned.","example":200,"type":"integer"},"success":{"description":"Indicates if the bulk action was successful.","example":true,"type":"boolean"}},"required":["attributes"]},"Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults":{"type":"object","properties":{"created":{"description":"List of anonymization fields successfully created.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldResponse"},"type":"array"},"deleted":{"items":{"description":"Array of IDs of anonymization fields that were deleted.","example":"field3","type":"string"},"type":"array"},"skipped":{"description":"List of anonymization fields that were skipped during the operation.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult"},"type":"array"},"updated":{"description":"List of anonymization fields successfully updated.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldResponse"},"type":"array"}},"required":["updated","created","deleted","skipped"]},"Security_AI_Assistant_API_AnonymizationFieldUpdateProps":{"type":"object","properties":{"allowed":{"description":"Whether this field is allowed to be sent to the model.","example":true,"type":"boolean"},"anonymized":{"description":"Whether this field should be anonymized.","example":false,"type":"boolean"},"id":{"description":"The ID of the 
anonymization field to update.","example":"field8","type":"string"}},"required":["id"]},"Security_AI_Assistant_API_ApiConfig":{"type":"object","properties":{"actionTypeId":{"description":"Action type ID","example":"actionType456","type":"string"},"connectorId":{"description":"Connector ID","example":"connector123","type":"string"},"defaultSystemPromptId":{"description":"Default system prompt ID","example":"systemPrompt001","type":"string"},"model":{"description":"Model","example":"gpt-4","type":"string"},"provider":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_Provider","description":"Provider","example":"OpenAI"}},"required":["connectorId","actionTypeId"]},"Security_AI_Assistant_API_BaseContentReference":{"description":"The basis of a content reference","type":"object","properties":{"id":{"description":"Id of the content reference","example":"content123","type":"string"},"type":{"description":"Type of the content reference","example":"SecurityAlert","type":"string"}},"required":["id","type"]},"Security_AI_Assistant_API_BaseInterruptResumeValue":{"description":"The basis of an interrupt resume value","type":"object","properties":{"type":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_InterruptType","description":"Type of the resume value","example":"SELECT_OPTION"}},"required":["type"]},"Security_AI_Assistant_API_BaseInterruptValue":{"description":"The basis of an agent interrupt","type":"object","properties":{"expired":{"description":"Whether the interrupt has expired and can no longer be resumed.","example":false,"type":"boolean"},"threadId":{"description":"Thread ID of the graph execution that produced this message.","example":"<UUID>","type":"string"},"type":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_InterruptType","description":"Type of the interrupt","example":"SELECT_OPTION"}},"required":["type","threadId"]},"Security_AI_Assistant_API_BulkCrudActionSummary":{"type":"object","properties":{"failed":{"description":"The 
number of failed actions.","example":0,"type":"integer"},"skipped":{"description":"The number of skipped actions.","example":1,"type":"integer"},"succeeded":{"description":"The number of successfully performed actions.","example":10,"type":"integer"},"total":{"description":"The total number of actions attempted.","example":12,"type":"integer"}},"required":["failed","skipped","succeeded","total"]},"Security_AI_Assistant_API_ChatCompleteProps":{"description":"The request payload for creating a chat completion.","example":{"connectorId":"conn-001","conversationId":"abc123","isStream":true,"langSmithApiKey":"<LANGSMITH_API_KEY>","langSmithProject":"security_ai_project","messages":[{"content":"How do I detect ransomware on my endpoints?","data":{"device_id":"device-567"},"fields_to_anonymize":["device.name","file.path"],"role":"user"}],"model":"gpt-4","persist":true,"promptId":"prompt_456","responseLanguage":"en"},"type":"object","properties":{"connectorId":{"description":"Required connector identifier to route the request.","example":"conn-001","type":"string"},"conversationId":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString","description":"Existing conversation ID to continue."},"isStream":{"description":"If true, the response will be streamed in chunks.","example":true,"type":"boolean"},"langSmithApiKey":{"description":"API key for LangSmith integration.","example":"<LANGSMITH_API_KEY>","type":"string"},"langSmithProject":{"description":"LangSmith project name for tracing.","example":"security_ai_project","type":"string"},"messages":{"description":"List of chat messages exchanged so far.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ChatMessage"},"type":"array"},"model":{"description":"Model ID or name to use for the response.","example":"gpt-4","type":"string"},"persist":{"description":"Whether to persist the chat and response to storage.","example":true,"type":"boolean"},"promptId":{"description":"Prompt template 
identifier.","example":"prompt_001","type":"string"},"responseLanguage":{"description":"ISO language code for the assistant's response.","example":"en","type":"string"}},"required":["messages","persist","connectorId"]},"Security_AI_Assistant_API_ChatMessage":{"description":"A message exchanged within the AI chat conversation.","type":"object","properties":{"content":{"description":"The textual content of the message.","example":"What security incidents have been reported today?","type":"string"},"data":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_MessageData","description":"Metadata to attach to the context of the message."},"fields_to_anonymize":{"description":"List of field names within the data object that should be anonymized.","example":["user.name","source.ip"],"items":{"type":"string"},"type":"array"},"role":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ChatMessageRole","description":"The sender role of the message."}},"required":["role"]},"Security_AI_Assistant_API_ChatMessageRole":{"description":"The role associated with the message in the chat.","enum":["system","user","assistant"],"example":"user","type":"string"},"Security_AI_Assistant_API_ContentReferences":{"additionalProperties":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_SecurityAlertContentReference"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_SecurityAlertsPageContentReference"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ProductDocumentationContentReference"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_EsqlContentReference"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_HrefContentReference","additionalProperties":false}]},"description":"A union of all content reference types","type":"object"},"Security_AI_Assistant_API_ConversationCategory":{"description":"The conversation 
category.","enum":["assistant","insights"],"example":"assistant","type":"string"},"Security_AI_Assistant_API_ConversationCreateProps":{"type":"object","properties":{"apiConfig":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ApiConfig","description":"LLM API configuration."},"category":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ConversationCategory","description":"The conversation category.","example":"assistant"},"excludeFromLastConversationStorage":{"description":"Exclude from last conversation storage.","type":"boolean"},"id":{"description":"The conversation id.","example":"conversation123","type":"string"},"messages":{"description":"The conversation messages.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_Message"},"type":"array"},"replacements":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_Replacements"},"title":{"description":"The conversation title.","example":"Security AI Assistant Setup","type":"string"}},"required":["title"]},"Security_AI_Assistant_API_ConversationResponse":{"type":"object","properties":{"apiConfig":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ApiConfig","description":"LLM API configuration."},"category":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ConversationCategory","description":"The conversation category.","example":"assistant"},"createdAt":{"description":"The time conversation was created.","example":"2025-04-30T14:00:00Z","type":"string"},"createdBy":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User","description":"The user who created the conversation."},"excludeFromLastConversationStorage":{"description":"Exclude from last conversation storage.","type":"boolean"},"id":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"},"messages":{"description":"The conversation messages.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_Message"},"type":"array"},"namespace":{"description":"Kibana 
space","example":"default","type":"string"},"replacements":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_Replacements"},"timestamp":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyTimestamp"},"title":{"description":"The conversation title.","example":"Security AI Assistant Setup","type":"string"},"updatedAt":{"description":"The last time conversation was updated.","example":"2025-04-30T16:30:00Z","type":"string"},"users":{"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User"},"type":"array"}},"required":["id","title","createdAt","createdBy","users","namespace","category"]},"Security_AI_Assistant_API_ConversationUpdateProps":{"type":"object","properties":{"apiConfig":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ApiConfig","description":"LLM API configuration."},"category":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ConversationCategory","description":"The conversation category.","example":"assistant"},"excludeFromLastConversationStorage":{"description":"Exclude from last conversation storage.","type":"boolean"},"id":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"},"messages":{"description":"The conversation messages.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_Message"},"type":"array"},"replacements":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_Replacements"},"title":{"description":"The conversation title.","example":"Updated Security AI Assistant Setup","type":"string"},"users":{"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User"},"type":"array"}},"required":["id"]},"Security_AI_Assistant_API_DeleteResponseFields":{"type":"object","properties":{"id":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"}},"required":["id"]},"Security_AI_Assistant_API_DocumentEntry":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults 
to false.","example":false,"type":"boolean"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User"},"type":"array"}},"required":["name","namespace","global","users"]},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ResponseFields"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryResponseFields"}]},"Security_AI_Assistant_API_DocumentEntryCreateFields":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. 
Empty array provides access to all users.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User"},"type":"array"}},"required":["name"]},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryRequiredFields"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryOptionalFields"}]},"Security_AI_Assistant_API_DocumentEntryOptionalFields":{"type":"object","properties":{"required":{"description":"Whether this resource should always be included, defaults to false.","example":false,"type":"boolean"},"vector":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_Vector"}}},"Security_AI_Assistant_API_DocumentEntryRequiredFields":{"type":"object","properties":{"kbResource":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseResource"},"source":{"description":"Source document name or filepath.","example":"\/documents\/example.txt","type":"string"},"text":{"description":"Knowledge Base Entry content.","example":"This is the content of the document.","type":"string"},"type":{"description":"Entry type.","enum":["document"],"example":"document","type":"string"}},"required":["type","kbResource","source","text"]},"Security_AI_Assistant_API_DocumentEntryResponseFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryRequiredFields"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryOptionalFields"}]},"Security_AI_Assistant_API_DocumentEntryUpdateFields":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"id":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to 
the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User"},"type":"array"}},"required":["id"]},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryCreateFields"}]},"Security_AI_Assistant_API_EsqlContentReference":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"label":{"description":"Label of the query","example":"High Severity Alerts","type":"string"},"query":{"description":"An ESQL query","example":"SELECT * FROM alerts WHERE severity = \"high\"","type":"string"},"timerange":{"description":"Time range to select in the time picker.","type":"object","properties":{"from":{"example":"2025-04-01T00:00:00Z","type":"string"},"to":{"example":"2025-04-30T23:59:59Z","type":"string"}},"required":["from","to"]},"type":{"enum":["EsqlQuery"],"example":"EsqlQuery","type":"string"}},"required":["type","query","label"]}],"description":"References an ESQL query"},"Security_AI_Assistant_API_FindAnonymizationFieldsSortField":{"enum":["created_at","anonymized","allowed","field","updated_at"],"type":"string"},"Security_AI_Assistant_API_FindConversationsSortField":{"description":"The field by which to sort the conversations. 
Possible values are `created_at`, `title`, and `updated_at`.","enum":["created_at","title","updated_at"],"example":"created_at","type":"string"},"Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField":{"description":"Fields available for sorting Knowledge Base Entries.","enum":["created_at","is_default","title","updated_at"],"example":"title","type":"string"},"Security_AI_Assistant_API_FindPromptsSortField":{"description":"Field by which to sort the prompts.","enum":["created_at","is_default","name","updated_at"],"example":"created_at","type":"string"},"Security_AI_Assistant_API_HrefContentReference":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"href":{"description":"URL to the external resource","type":"string"},"label":{"description":"Label of the query","type":"string"},"type":{"enum":["Href"],"type":"string"}},"required":["type","href"]}],"description":"References an external URL"},"Security_AI_Assistant_API_IndexEntry":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. 
Empty array provides access to all users.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User"},"type":"array"}},"required":["name","namespace","global","users"]},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ResponseFields"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryResponseFields"}]},"Security_AI_Assistant_API_IndexEntryCreateFields":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User"},"type":"array"}},"required":["name"]},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryRequiredFields"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryOptionalFields"}]},"Security_AI_Assistant_API_IndexEntryOptionalFields":{"type":"object","properties":{"inputSchema":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_InputSchema"},"outputFields":{"description":"Fields to extract from the query result, defaults to all fields if not provided or empty.","example":["title","author"],"items":{"type":"string"},"type":"array"}}},"Security_AI_Assistant_API_IndexEntryRequiredFields":{"type":"object","properties":{"description":{"description":"Description for when this index or data stream should be queried for Knowledge Base content. 
Passed to the LLM as a tool description.","example":"Query this index for general knowledge base content.","type":"string"},"field":{"description":"Field to query for Knowledge Base content.","example":"content","type":"string"},"index":{"description":"Index or Data Stream to query for Knowledge Base content.","example":"knowledge_base_index","type":"string"},"queryDescription":{"description":"Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema.","example":"Search for documents containing the specified keywords.","type":"string"},"type":{"description":"Entry type.","enum":["index"],"example":"index","type":"string"}},"required":["type","index","field","description","queryDescription"]},"Security_AI_Assistant_API_IndexEntryResponseFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryRequiredFields"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryOptionalFields"}]},"Security_AI_Assistant_API_IndexEntryUpdateFields":{"allOf":[{"type":"object","properties":{"global":{"description":"Whether this Knowledge Base Entry is global, defaults to false.","example":false,"type":"boolean"},"id":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"},"name":{"description":"Name of the Knowledge Base Entry.","example":"Example Entry","type":"string"},"namespace":{"description":"Kibana Space, defaults to 'default' space.","example":"default","type":"string"},"users":{"description":"Users who have access to the Knowledge Base Entry, defaults to current user. 
Empty array provides access to all users.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User"},"type":"array"}},"required":["id"]},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryCreateFields"}]},"Security_AI_Assistant_API_InputSchema":{"description":"Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval.","items":{"type":"object","properties":{"description":{"description":"Description of the field.","example":"The title of the document.","type":"string"},"fieldName":{"description":"Name of the field.","example":"title","type":"string"},"fieldType":{"description":"Type of the field.","example":"string","type":"string"}},"required":["fieldName","fieldType","description"]},"type":"array"},"Security_AI_Assistant_API_InputTextInterruptResumeValue":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BaseInterruptResumeValue"},{"type":"object","properties":{"type":{"enum":["INPUT_TEXT"],"example":"INPUT_TEXT","type":"string"},"value":{"description":"Text value used to resume the graph execution with.","example":".logs*","type":"string"}},"required":["value","type"]}],"description":"A resume value for input text"},"Security_AI_Assistant_API_InputTextInterruptValue":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BaseInterruptValue"},{"type":"object","properties":{"description":{"description":"Description of action required","example":"What is the index you would like to use for the query.","type":"string"},"placeholder":{"description":"Placeholder text for the input field","example":"Enter index pattern here...","type":"string"},"type":{"enum":["INPUT_TEXT"],"example":"INPUT_TEXT","type":"string"}},"required":["type"]}],"description":"Interrupt that requests user to provide text input"},"Security_AI_Assistant_API_InterruptResumeValue":{"description":"Union of the interrupt resume 
values","oneOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_SelectOptionInterruptResumeValue","additionalProperties":false},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_InputTextInterruptResumeValue","additionalProperties":false}]},"Security_AI_Assistant_API_InterruptType":{"description":"The type of interrupt","enum":["SELECT_OPTION","INPUT_TEXT"],"type":"string"},"Security_AI_Assistant_API_InterruptValue":{"description":"Union of the interrupt values","oneOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_SelectOptionInterruptValue","additionalProperties":false},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_InputTextInterruptValue","additionalProperties":false}]},"Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason":{"description":"Reason why a Knowledge Base Entry was skipped during the bulk action.","enum":["KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED"],"type":"string"},"Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult":{"type":"object","properties":{"id":{"description":"ID of the skipped Knowledge Base Entry.","example":"123","type":"string"},"name":{"description":"Name of the skipped Knowledge Base Entry.","example":"Skipped Entry","type":"string"},"skip_reason":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason"}},"required":["id","skip_reason"]},"Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse":{"type":"object","properties":{"attributes":{"type":"object","properties":{"errors":{"description":"List of errors encountered during the bulk action.","example":[{"err_code":"UPDATE_FAILED","knowledgeBaseEntries":[{"id":"456","name":"Error Entry"}],"message":"Failed to update 
entry.","statusCode":400}],"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError"},"type":"array"},"results":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults"},"summary":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary"}},"required":["results","summary"]},"knowledgeBaseEntriesCount":{"description":"Total number of Knowledge Base Entries processed.","example":8,"type":"integer"},"message":{"description":"Message describing the result of the bulk action.","example":"Bulk action completed successfully.","type":"string"},"statusCode":{"description":"HTTP status code of the response.","example":200,"type":"integer"},"success":{"description":"Indicates whether the bulk action was successful.","example":true,"type":"boolean"}},"required":["attributes"]},"Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults":{"type":"object","properties":{"created":{"description":"List of Knowledge Base Entries that were successfully created.","example":[{"id":"456","kbResource":"user","name":"New Entry","source":"manual","text":"This is the content of the new entry.","type":"document"}],"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"},"type":"array"},"deleted":{"description":"List of IDs of Knowledge Base Entries that were successfully deleted.","example":["789"],"items":{"type":"string"},"type":"array"},"skipped":{"description":"List of Knowledge Base Entries that were skipped during the bulk action.","example":[{"id":"123","name":"Skipped Entry","skip_reason":"KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED"}],"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult"},"type":"array"},"updated":{"description":"List of Knowledge Base Entries that were successfully updated.","example":[{"id":"123","kbResource":"user","name":"Updated 
Entry","source":"manual","text":"Updated content.","type":"document"}],"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryResponse"},"type":"array"}},"required":["updated","created","deleted","skipped"]},"Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary":{"type":"object","properties":{"failed":{"description":"Number of Knowledge Base Entries that failed during the bulk action.","example":2,"type":"integer"},"skipped":{"description":"Number of Knowledge Base Entries that were skipped during the bulk action.","example":1,"type":"integer"},"succeeded":{"description":"Number of Knowledge Base Entries that were successfully processed during the bulk action.","example":5,"type":"integer"},"total":{"description":"Total number of Knowledge Base Entries involved in the bulk action.","example":8,"type":"integer"}},"required":["failed","skipped","succeeded","total"]},"Security_AI_Assistant_API_KnowledgeBaseEntryContentReference":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"knowledgeBaseEntryId":{"description":"Id of the Knowledge Base Entry","example":"kbentry456","type":"string"},"knowledgeBaseEntryName":{"description":"Name of the knowledge base entry","example":"Network Security Best Practices","type":"string"},"type":{"enum":["KnowledgeBaseEntry"],"example":"KnowledgeBaseEntry","type":"string"}},"required":["type","knowledgeBaseEntryId","knowledgeBaseEntryName"]}],"description":"References a knowledge base 
entry"},"Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryCreateFields"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryCreateFields"}],"discriminator":{"mapping":{"document":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryCreateFields","index":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryCreateFields"},"propertyName":"type"}},"Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError":{"type":"object","properties":{"id":{"description":"ID of the Knowledge Base Entry that encountered an error.","example":"456","type":"string"},"name":{"description":"Name of the Knowledge Base Entry that encountered an error.","example":"Error Entry","type":"string"}},"required":["id"]},"Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema":{"additionalProperties":false,"type":"object","properties":{"error":{"description":"Error type or category.","example":"Not Found","type":"string"},"message":{"description":"Detailed error message.","example":"The requested Knowledge Base Entry was not found.","type":"string"},"statusCode":{"description":"HTTP status code of the 
error.","example":404,"type":"number"}},"required":["statusCode","error","message"]},"Security_AI_Assistant_API_KnowledgeBaseEntryResponse":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntry"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntry"}],"discriminator":{"mapping":{"document":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntry","index":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntry"},"propertyName":"type"}},"Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryUpdateFields"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryUpdateFields"}],"discriminator":{"mapping":{"document":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryUpdateFields","index":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryUpdateFields"},"propertyName":"type"}},"Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryCreateFields"},{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryCreateFields"}],"discriminator":{"mapping":{"document":"#\/components\/schemas\/Security_AI_Assistant_API_DocumentEntryCreateFields","index":"#\/components\/schemas\/Security_AI_Assistant_API_IndexEntryCreateFields"},"propertyName":"type"}},"Security_AI_Assistant_API_KnowledgeBaseReadResponse200":{"type":"object","properties":{"defend_insights_exists":{"description":"Indicates if Defend Insights documentation exists in the KnowledgeBase.","example":true,"type":"boolean"},"elser_exists":{"description":"Indicates if the ELSER model exists for the KnowledgeBase.","example":true,"type":"boolean"},"is_setup_available":{"description":"Indicates if the setup process is available for the KnowledgeBase.","example":true,"type":"boolean"},"is_setup_in_progress":{"description":"Indicates if the setup 
process is currently in progress.","example":false,"type":"boolean"},"product_documentation_status":{"description":"The status of the product documentation in the KnowledgeBase.","example":"complete","type":"string"},"security_labs_exists":{"description":"Indicates if Security Labs documentation exists in the KnowledgeBase.","example":true,"type":"boolean"},"user_data_exists":{"description":"Indicates if user data exists in the KnowledgeBase.","example":false,"type":"boolean"}}},"Security_AI_Assistant_API_KnowledgeBaseResource":{"description":"Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc.","enum":["security_labs","defend_insights","user"],"example":"security_labs","type":"string"},"Security_AI_Assistant_API_KnowledgeBaseResponse":{"description":"AI assistant KnowledgeBase.","type":"object","properties":{"success":{"description":"Identify the success of the method execution.","example":true,"type":"boolean"}}},"Security_AI_Assistant_API_KnowledgeBaseResponse400":{"type":"object","properties":{"error":{"description":"A short description of the error.","example":"Bad Request","type":"string"},"message":{"description":"A detailed error message.","example":"Invalid resource ID provided.","type":"string"},"statusCode":{"description":"The HTTP status code of the error.","example":400,"type":"number"}}},"Security_AI_Assistant_API_Message":{"description":"AI assistant conversation message.","type":"object","properties":{"content":{"description":"Message content.","example":"Hello, how can I assist you today?","type":"string"},"id":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString","description":"Message id"},"isError":{"description":"Is error message.","example":false,"type":"boolean"},"metadata":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_MessageMetadata","description":"Metadata"},"reader":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_Reader","description":"Message 
content."},"refusal":{"description":"Refusal reason returned by the model when content is filtered.","type":"string"},"role":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_MessageRole","description":"Message role.","example":"assistant"},"timestamp":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyTimestamp","description":"The timestamp message was sent or received.","example":"2025-04-30T15:30:00Z"},"traceData":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_TraceData","description":"Trace data"},"user":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User","description":"The user who sent the message."}},"required":["timestamp","content","role"]},"Security_AI_Assistant_API_MessageData":{"additionalProperties":true,"description":"ECS-style metadata attached to the message.","example":{"alert_id":"alert-456","user_id":"abc123"},"type":"object"},"Security_AI_Assistant_API_MessageMetadata":{"description":"Message metadata","type":"object","properties":{"contentReferences":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_ContentReferences","description":"Data referred to by the message content."},"interruptResumeValue":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_InterruptResumeValue","description":"When the agent is resumed after an interrupt, this field is populated with the details of the resume value."},"interruptValue":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_InterruptValue","description":"When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. 
Messages containing interruptValues in the metadata are excluded from the LLM context."}}},"Security_AI_Assistant_API_MessageRole":{"description":"Message role.","enum":["system","user","assistant"],"example":"assistant","type":"string"},"Security_AI_Assistant_API_NonEmptyString":{"description":"A string that does not contain only whitespace characters.","example":"I am a string","format":"nonempty","minLength":1,"type":"string"},"Security_AI_Assistant_API_NonEmptyTimestamp":{"description":"A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.","example":"2023-10-31T12:00:00Z","format":"nonempty","minLength":1,"type":"string"},"Security_AI_Assistant_API_NormalizedAnonymizationFieldError":{"type":"object","properties":{"anonymization_fields":{"description":"Array of anonymization fields that caused the error.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_AnonymizationFieldDetailsInError"},"type":"array"},"err_code":{"description":"Error code indicating the type of failure.","example":"UPDATE_FAILED","type":"string"},"message":{"description":"Error message.","example":"Failed to update anonymization field.","type":"string"},"status_code":{"description":"Status code of the response.","example":400,"type":"integer"}},"required":["message","status_code","anonymization_fields"]},"Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError":{"type":"object","properties":{"err_code":{"description":"Specific error code for the issue.","example":"UPDATE_FAILED","type":"string"},"knowledgeBaseEntries":{"description":"List of Knowledge Base Entries that encountered the error.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError"},"type":"array"},"message":{"description":"Error message describing the issue.","example":"Failed to update entry.","type":"string"},"statusCode":{"description":"HTTP status code associated with the 
error.","example":400,"type":"integer"}},"required":["message","statusCode","knowledgeBaseEntries"]},"Security_AI_Assistant_API_NormalizedPromptError":{"type":"object","properties":{"err_code":{"description":"A code representing the error type.","type":"string"},"message":{"description":"A message describing the error encountered.","type":"string"},"prompts":{"description":"List of prompts that encountered errors.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptDetailsInError"},"type":"array"},"status_code":{"description":"The HTTP status code associated with the error.","type":"integer"}},"required":["message","status_code","prompts"]},"Security_AI_Assistant_API_ProductDocumentationContentReference":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"title":{"description":"Title of the documentation","example":"Getting Started with Security AI Assistant","type":"string"},"type":{"enum":["ProductDocumentation"],"example":"ProductDocumentation","type":"string"},"url":{"description":"URL to the documentation","example":"https:\/\/docs.example.com\/security-ai-assistant","type":"string"}},"required":["type","title","url"]}],"description":"References the product documentation"},"Security_AI_Assistant_API_PromptCreateProps":{"type":"object","properties":{"categories":{"description":"List of categories for the prompt.","example":["security","verification"],"items":{"type":"string"},"type":"array"},"color":{"description":"The color associated with the prompt.","example":"blue","type":"string"},"consumer":{"description":"The consumer associated with the prompt.","example":"admin","type":"string"},"content":{"description":"The content of the prompt.","example":"Please verify the security settings.","type":"string"},"isDefault":{"description":"Whether this prompt should be the default.","example":false,"type":"boolean"},"isNewConversationDefault":{"description":"Whether this 
prompt should be the default for new conversations.","example":true,"type":"boolean"},"name":{"description":"The name of the prompt.","example":"New Security Prompt","type":"string"},"promptType":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptType","description":"The type of the prompt.","example":"system"}},"required":["name","content","promptType"]},"Security_AI_Assistant_API_PromptDetailsInError":{"type":"object","properties":{"id":{"description":"The ID of the prompt that encountered an error.","type":"string"},"name":{"description":"The name of the prompt that encountered an error.","type":"string"}},"required":["id"]},"Security_AI_Assistant_API_PromptResponse":{"type":"object","properties":{"categories":{"description":"Categories associated with the prompt.","items":{"type":"string"},"type":"array"},"color":{"description":"The color associated with the prompt.","type":"string"},"consumer":{"description":"The consumer that the prompt is associated with.","type":"string"},"content":{"description":"The content of the prompt.","type":"string"},"createdAt":{"description":"The timestamp of when the prompt was created.","type":"string"},"createdBy":{"description":"The user who created the prompt.","type":"string"},"id":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"},"isDefault":{"description":"Whether this prompt is the default.","type":"boolean"},"isNewConversationDefault":{"description":"Whether this prompt is the default for new conversations.","type":"boolean"},"name":{"description":"The name of the prompt.","type":"string"},"namespace":{"description":"Kibana space where the prompt is located.","type":"string"},"promptType":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptType","description":"The type of the prompt."},"timestamp":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyTimestamp"},"updatedAt":{"description":"The timestamp of when the prompt was last 
updated.","type":"string"},"updatedBy":{"description":"The user who last updated the prompt.","type":"string"},"users":{"description":"List of users associated with the prompt.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_User"},"type":"array"}},"required":["id","name","promptType","content"]},"Security_AI_Assistant_API_PromptsBulkActionSkipReason":{"description":"Reason why a prompt was skipped during the bulk action.","enum":["PROMPT_FIELD_NOT_MODIFIED"],"type":"string"},"Security_AI_Assistant_API_PromptsBulkActionSkipResult":{"type":"object","properties":{"id":{"description":"The ID of the prompt that was skipped.","type":"string"},"name":{"description":"The name of the prompt that was skipped.","type":"string"},"skip_reason":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptsBulkActionSkipReason","description":"The reason for skipping the prompt."}},"required":["id","skip_reason"]},"Security_AI_Assistant_API_PromptsBulkCrudActionResponse":{"type":"object","properties":{"attributes":{"type":"object","properties":{"errors":{"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NormalizedPromptError"},"type":"array"},"results":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptsBulkCrudActionResults"},"summary":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BulkCrudActionSummary"}},"required":["results","summary"]},"message":{"description":"A message describing the result of the bulk action.","example":"Bulk action completed successfully.","type":"string"},"prompts_count":{"description":"The number of prompts processed in the bulk action.","example":6,"type":"integer"},"status_code":{"description":"The HTTP status code of the response.","example":200,"type":"integer"},"success":{"description":"Indicates if the bulk action was 
successful.","example":true,"type":"boolean"}},"required":["attributes"]},"Security_AI_Assistant_API_PromptsBulkCrudActionResults":{"type":"object","properties":{"created":{"description":"List of prompts that were created.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptResponse"},"type":"array"},"deleted":{"description":"List of IDs of prompts that were deleted.","items":{"type":"string"},"type":"array"},"skipped":{"description":"List of prompts that were skipped.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptsBulkActionSkipResult"},"type":"array"},"updated":{"description":"List of prompts that were updated.","items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_PromptResponse"},"type":"array"}},"required":["updated","created","deleted","skipped"]},"Security_AI_Assistant_API_PromptType":{"description":"Type of the prompt (either system or quick).","enum":["system","quick"],"type":"string"},"Security_AI_Assistant_API_PromptUpdateProps":{"type":"object","properties":{"categories":{"description":"The updated categories for the prompt.","example":["security","alert"],"items":{"type":"string"},"type":"array"},"color":{"description":"The updated color associated with the prompt.","example":"green","type":"string"},"consumer":{"description":"The updated consumer for the prompt.","example":"user123","type":"string"},"content":{"description":"The updated content for the prompt.","example":"Updated content for security prompt.","type":"string"},"id":{"description":"The ID of the prompt to update.","example":"prompt123","type":"string"},"isDefault":{"description":"Whether this prompt should be the default.","example":true,"type":"boolean"},"isNewConversationDefault":{"description":"Whether the prompt should be the default for new conversations.","example":false,"type":"boolean"}},"required":["id"]},"Security_AI_Assistant_API_Provider":{"description":"Provider","enum":["OpenAI","Azure 
OpenAI","Other"],"example":"OpenAI","type":"string"},"Security_AI_Assistant_API_Reader":{"additionalProperties":true,"type":"object"},"Security_AI_Assistant_API_Replacements":{"additionalProperties":{"type":"string"},"description":"Replacements object used to anonymize\/deanonymize messages","type":"object"},"Security_AI_Assistant_API_ResponseFields":{"type":"object","properties":{"createdAt":{"description":"Time the Knowledge Base Entry was created.","example":"2023-01-01T12:00:00Z","type":"string"},"createdBy":{"description":"User who created the Knowledge Base Entry.","example":"admin","type":"string"},"id":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_NonEmptyString"},"updatedAt":{"description":"Time the Knowledge Base Entry was last updated.","example":"2023-01-02T12:00:00Z","type":"string"},"updatedBy":{"description":"User who last updated the Knowledge Base Entry.","example":"editor","type":"string"}},"required":["id","createdAt","createdBy","updatedAt","updatedBy"]},"Security_AI_Assistant_API_SecurityAlertContentReference":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"alertId":{"description":"ID of the Alert","example":"alert789","type":"string"},"type":{"enum":["SecurityAlert"],"example":"SecurityAlert","type":"string"}},"required":["type","alertId"]}],"description":"References a security alert"},"Security_AI_Assistant_API_SecurityAlertsPageContentReference":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BaseContentReference"},{"type":"object","properties":{"type":{"enum":["SecurityAlertsPage"],"example":"SecurityAlertsPage","type":"string"}},"required":["type"]}],"description":"References the security alerts page"},"Security_AI_Assistant_API_SelectOptionInterruptOption":{"description":"A request approval 
option","type":"object","properties":{"buttonColor":{"enum":["text","accent","accentSecondary","primary","success","warning","danger","neutral","risk"],"example":"danger","type":"string"},"label":{"example":"Option 1","type":"string"},"value":{"example":"option_1","type":"string"}},"required":["label","value"]},"Security_AI_Assistant_API_SelectOptionInterruptResumeValue":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BaseInterruptResumeValue"},{"type":"object","properties":{"type":{"enum":["SELECT_OPTION"],"example":"SELECT_OPTION","type":"string"},"value":{"description":"The value of the selected option to resume the graph execution with","example":"option_1","type":"string"}},"required":["value","type"]}],"description":"A request approval resume schema"},"Security_AI_Assistant_API_SelectOptionInterruptValue":{"allOf":[{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_BaseInterruptValue"},{"type":"object","properties":{"description":{"description":"Description of action required","example":"Select one of the options","type":"string"},"options":{"description":"List of actions to choose from","example":[{"label":"Option 1"},{"label":"Option 2"}],"items":{"$ref":"#\/components\/schemas\/Security_AI_Assistant_API_SelectOptionInterruptOption"},"type":"array"},"type":{"enum":["SELECT_OPTION"],"example":"SELECT_OPTION","type":"string"}},"required":["type","description","options"]}],"description":"Interrupt that requests user to select one of the provided options"},"Security_AI_Assistant_API_SortOrder":{"description":"The order in which results are sorted.","enum":["asc","desc"],"example":"asc","type":"string"},"Security_AI_Assistant_API_TraceData":{"description":"Trace Data","type":"object","properties":{"traceId":{"description":"Could be any string, not necessarily a UUID","example":"d9876543-f0a1-2345-6789-abcdef123456","type":"string"},"transactionId":{"description":"Could be any string, not necessarily a 
UUID","example":"a1234567-bc89-0def-1234-56789abcdef0","type":"string"}}},"Security_AI_Assistant_API_User":{"description":"Could be any string, not necessarily a UUID.","type":"object","properties":{"id":{"description":"User id.","example":"user123","type":"string"},"name":{"description":"User name.","example":"John Doe","type":"string"}}},"Security_AI_Assistant_API_Vector":{"description":"Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings.","type":"object","properties":{"modelId":{"description":"ID of the model used to create the embeddings.","example":"bert-base-uncased","type":"string"},"tokens":{"additionalProperties":{"type":"number"},"description":"Tokens with their corresponding values.","example":{"token1":0.123,"token2":0.456},"type":"object"}},"required":["modelId","tokens"]},"Security_Attack_discovery_API_AnonymizationFieldResponse":{"type":"object","properties":{"allowed":{"description":"Whether this field is allowed to be sent to the model.","example":true,"type":"boolean"},"anonymized":{"description":"Whether this field should be anonymized.","example":false,"type":"boolean"},"createdAt":{"description":"Timestamp of when the anonymization field was created.","example":"2023-10-31T12:00:00Z","type":"string"},"createdBy":{"description":"Username of the person who created the anonymization field.","example":"user1","type":"string"},"field":{"description":"Name of the anonymization field.","example":"url.domain","type":"string"},"id":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString","description":"The ID of the anonymization field."},"namespace":{"description":"Kibana space in which this anonymization field exists.","example":"default","type":"string"},"timestamp":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyTimestamp","description":"Timestamp when the anonymization field was initially created."},"updatedAt":{"description":"Timestamp of the last 
update.","example":"2023-10-31T12:00:00Z","type":"string"},"updatedBy":{"description":"Username of the person who last updated the field.","example":"user1","type":"string"}},"required":["id","field"]},"Security_Attack_discovery_API_ApiConfig":{"type":"object","properties":{"actionTypeId":{"description":"Action type ID","example":"actionType456","type":"string"},"connectorId":{"description":"Connector ID","example":"connector123","type":"string"},"defaultSystemPromptId":{"description":"Default system prompt ID","example":"systemPrompt001","type":"string"},"model":{"description":"Model","example":"gpt-4","type":"string"},"provider":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_Provider","description":"Provider","example":"OpenAI"}},"required":["connectorId","actionTypeId"]},"Security_Attack_discovery_API_AttackDiscoveryApiAlert":{"description":"An attack discovery that's also an alert (Public API with snake_case)","type":"object","properties":{"alert_ids":{"description":"The alert IDs that the attack discovery is based on","items":{"type":"string"},"type":"array"},"alert_rule_uuid":{"description":"The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hoc runs)","type":"string"},"alert_start":{"description":"The optional time the attack discovery alert was created","type":"string"},"alert_updated_at":{"description":"The optional time the attack discovery alert was last updated","type":"string"},"alert_updated_by_user_id":{"description":"The optional id of the user who last updated the attack discovery alert","type":"string"},"alert_updated_by_user_name":{"description":"The optional username of the user who updated the attack discovery alert","type":"string"},"alert_workflow_status":{"description":"The optional kibana.alert.workflow_status of this attack discovery","type":"string"},"alert_workflow_status_updated_at":{"description":"The optional time the attack discovery alert workflow status was 
last updated","type":"string"},"assignees":{"description":"The optional array of user-IDs who have been assigned the attack","items":{"type":"string"},"type":"array"},"connector_id":{"description":"The ID of the connector that generated the attack discovery","type":"string"},"connector_name":{"description":"The (human readable) name of the connector that generated the attack discovery","type":"string"},"details_markdown":{"description":"Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.","type":"string"},"entity_summary_markdown":{"description":"An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax","type":"string"},"generation_uuid":{"description":"The generation ID of the run that created the attack discovery","type":"string"},"id":{"description":"The unique ID of the attack discovery","type":"string"},"index":{"description":"The concrete Elasticsearch index where this attack discovery is stored","type":"string"},"mitre_attack_tactics":{"description":"An optional array of MITRE ATT&CK tactics for the attack discovery","items":{"type":"string"},"type":"array"},"replacements":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_Replacements","description":"Key-value pairs that are used to replace placeholders in the markdown fields"},"risk_score":{"description":"The optional, (but typically populated after generation) risk score of the alert","type":"integer"},"summary_markdown":{"description":"A markdown summary of attack discovery, using the same syntax","type":"string"},"tags":{"description":"The optional array of tags assigned to the attack","items":{"type":"string"},"type":"array"},"timestamp":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyTimestamp","description":"The time the attack discovery was generated"},"title":{"description":"A 
title for the attack discovery, in plain text","type":"string"},"user_id":{"description":"The optional id of the user who generated the attack discovery","type":"string"},"user_name":{"description":"The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules)","type":"string"},"users":{"description":"The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery.","items":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_User"},"type":"array"}},"required":["alert_ids","connector_id","connector_name","details_markdown","generation_uuid","id","summary_markdown","timestamp","title"]},"Security_Attack_discovery_API_AttackDiscoveryApiSchedule":{"description":"An Attack Discovery schedule","type":"object","properties":{"actions":{"description":"The Attack Discovery schedule actions","items":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction"},"type":"array"},"created_at":{"description":"The date the schedule was created","format":"date-time","type":"string"},"created_by":{"description":"The name of the user that created the schedule","type":"string"},"enabled":{"description":"Indicates whether the schedule is enabled","type":"boolean"},"id":{"description":"UUID of Attack Discovery schedule","type":"string"},"last_execution":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution","description":"The Attack Discovery schedule last execution summary"},"name":{"description":"The name of the schedule","type":"string"},"params":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams","description":"The Attack Discovery schedule configuration parameters"},"schedule":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_IntervalApiSchedule","description":"The Attack Discovery schedule 
interval"},"updated_at":{"description":"The date the schedule was updated","format":"date-time","type":"string"},"updated_by":{"description":"The name of the user that updated the schedule","type":"string"}},"required":["id","name","created_by","updated_by","created_at","updated_at","enabled","params","schedule","actions"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction"},{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction"}]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter":{"additionalProperties":true,"type":"object"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency":{"description":"The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals).","type":"object","properties":{"notify_when":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen"},"summary":{"description":"Action summary indicates whether we will send a summary notification about all the generated alerts or a notification per individual alert","type":"boolean"},"throttle":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle","nullable":true}},"required":["summary","notify_when","throttle"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup":{"description":"Groups actions by use cases. 
Use `default` for alert notifications.","type":"string"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId":{"description":"The connector ID.","type":"string"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen":{"description":"The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`,  or `onThrottleInterval`","enum":["onActiveAlert","onThrottleInterval","onActionGroupChange"],"type":"string"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams":{"additionalProperties":true,"description":"Object containing the allowed connector fields, which varies according to the connector type.","type":"object"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle":{"description":"Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days.","example":"1h","pattern":"^[1-9]\\d*[smhd]$","type":"string"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps":{"description":"An Attack Discovery schedule create properties","type":"object","properties":{"actions":{"description":"The Attack Discovery schedule actions","items":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction"},"type":"array"},"enabled":{"description":"Indicates whether the schedule is enabled","type":"boolean"},"name":{"description":"The name of the schedule","type":"string"},"params":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams","description":"The Attack Discovery schedule configuration parameters"},"schedule":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_IntervalApiSchedule","description":"The Attack Discovery schedule interval"}},"required":["name","params","schedule"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution":{"description":"An Attack Discovery schedule execution 
information","type":"object","properties":{"date":{"description":"Date of the execution","format":"date-time","type":"string"},"duration":{"description":"Duration of the execution","type":"number"},"message":{"type":"string"},"status":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus","description":"Status of the execution"}},"required":["date","status","last_duration"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus":{"description":"An Attack Discovery schedule execution status","enum":["ok","active","error","unknown","warning"],"type":"string"},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction":{"type":"object","properties":{"action_type_id":{"description":"The action type used for sending notifications.","type":"string"},"alerts_filter":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter"},"frequency":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency"},"group":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup"},"id":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId"},"params":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams"},"uuid":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString"}},"required":["action_type_id","group","id","params"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams":{"description":"An Attack Discovery schedule params","type":"object","properties":{"alerts_index_pattern":{"description":"The index pattern to get alerts from","type":"string"},"api_config":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_ApiConfig"},{"type":"object","properties":{"name":{"description":"The name of the 
connector","type":"string"}},"required":["name"]}],"description":"LLM API configuration."},"combined_filter":{"additionalProperties":true,"type":"object"},"end":{"type":"string"},"filters":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_Filters"},"query":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_Query"},"size":{"type":"number"},"start":{"type":"string"}},"required":["alerts_index_pattern","api_config","size"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction":{"type":"object","properties":{"action_type_id":{"description":"The action type used for sending notifications.","type":"string"},"id":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId"},"params":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams"},"uuid":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_NonEmptyString"}},"required":["action_type_id","id","params"]},"Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps":{"description":"An Attack Discovery schedule update properties","type":"object","properties":{"actions":{"description":"The Attack Discovery schedule actions","items":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction"},"type":"array"},"name":{"description":"The name of the schedule","type":"string"},"params":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams","description":"The Attack Discovery schedule configuration parameters"},"schedule":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_IntervalApiSchedule","description":"The Attack Discovery schedule interval"}},"required":["name","params","schedule","actions"]},"Security_Attack_discovery_API_AttackDiscoveryFindSortField":{"description":"Allowed field names to sort Attack Discovery results by. 
Clients should only pass one of the listed values.","enum":["@timestamp"],"type":"string"},"Security_Attack_discovery_API_AttackDiscoveryGeneration":{"type":"object","properties":{"alerts_context_count":{"description":"The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation","type":"number"},"connector_id":{"description":"The connector id (event.dataset) for this generation","type":"string"},"connector_stats":{"description":"Stats applicable to the connector for this generation","type":"object","properties":{"average_successful_duration_nanoseconds":{"description":"The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user","type":"number"},"successful_generations":{"description":"The number of successful generations for the same connector id, for the current user","type":"number"}}},"discoveries":{"description":"The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation","type":"number"},"end":{"description":"When generation ended (max event.end)","type":"string"},"execution_uuid":{"description":"The unique identifier (kibana.alert.rule.execution.uuid) for the generation","type":"string"},"loading_message":{"description":"Generation loading message (kibana.alert.rule.execution.status)","type":"string"},"reason":{"description":"Reason for failed generations (event.reason)","type":"string"},"start":{"description":"When generation started (min event.start)","type":"string"},"status":{"description":"The status of the attack discovery generation","enum":["canceled","dismissed","failed","started","succeeded"],"type":"string"}},"required":["connector_id","discoveries","execution_uuid","loading_message","start","status"]},"Security_Attack_discovery_API_AttackDiscoveryGenerationConfig":{"type":"object","properties":{"alertsIndexPattern":{"description":"The (space 
specific) index pattern that contains the alerts to use as\ncontext for the attack discovery.\nExample: .alerts-security.alerts-default\n","type":"string"},"anonymizationFields":{"description":"The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `\/api\/security_ai_assistant\/anonymization_fields\/_find` API (for a specific Kibana space) to provide this value.","items":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_AnonymizationFieldResponse"},"type":"array"},"apiConfig":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_ApiConfig","description":"LLM API configuration."},"connectorName":{"type":"string"},"end":{"type":"string"},"filter":{"additionalProperties":true,"description":"An Elasticsearch-style query DSL object used to filter alerts. For example:\n```json\n{\n  \"filter\": {\n    \"bool\": {\n      \"must\": [],\n      \"filter\": [\n        {\n          \"bool\": {\n            \"should\": [\n              {\n                \"term\": {\n                  \"user.name\": { \"value\": \"james\" }\n                }\n              }\n            ],\n            \"minimum_should_match\": 1\n          }\n        }\n      ],\n      \"should\": [],\n      \"must_not\": []\n    }\n  }\n}\n```","type":"object"},"model":{"type":"string"},"replacements":{"$ref":"#\/components\/schemas\/Security_Attack_discovery_API_Replacements"},"size":{"type":"number"},"start":{"type":"string"},"subAction":{"enum":["invokeAI","invokeStream"],"type":"string"}},"required":["apiConfig","alertsIndexPattern","anonymizationFields","size","subAction"]},"Security_Attack_discovery_API_AttackDiscoveryGenericError":{"description":"Error response for Attack discovery schedule operations when the request is rejected. 
Uses `status_code` (snake_case), `error`, and `message` to match the implementation.","type":"object","properties":{"error":{"description":"Error type","example":"Bad Request","type":"string"},"message":{"description":"Human-readable error message describing what went wrong","example":"Invalid request parameters.","type":"string"},"status_code":{"description":"HTTP status code","example":400,"type":"number"}}},"Security_Attack_discovery_API_Filters":{"description":"The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array.","items":{},"type":"array"},"Security_Attack_discovery_API_IntervalApiSchedule":{"type":"object","properties":{"interval":{"description":"The schedule interval","type":"string"}},"required":["interval"]},"Security_Attack_discovery_API_NonEmptyString":{"description":"A string that does not contain only whitespace characters.","example":"I am a string","format":"nonempty","minLength":1,"type":"string"},"Security_Attack_discovery_API_NonEmptyTimestamp":{"description":"A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.","example":"2023-10-31T12:00:00Z","format":"nonempty","minLength":1,"type":"string"},"Security_Attack_discovery_API_Provider":{"description":"Provider","enum":["OpenAI","Azure OpenAI","Other"],"example":"OpenAI","type":"string"},"Security_Attack_discovery_API_Query":{"description":"A query condition to filter alerts","type":"object","properties":{"language":{"type":"string"},"query":{"oneOf":[{"type":"string"},{"additionalProperties":true,"type":"object"}]}},"required":["query","language"]},"Security_Attack_discovery_API_Replacements":{"additionalProperties":{"type":"string"},"description":"Replacements object used to anonymize\/deanonymize messages","type":"object"},"Security_Attack_discovery_API_SortOrder":{"description":"The order in which results are 
sorted.","enum":["asc","desc"],"example":"asc","type":"string"},"Security_Attack_discovery_API_User":{"description":"Could be any string, not necessarily a UUID.","type":"object","properties":{"id":{"description":"User id.","example":"user123","type":"string"},"name":{"description":"User name.","example":"John Doe","type":"string"}}},"Security_Detections_API_AlertAssignees":{"type":"object","properties":{"add":{"items":{"description":"A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once.","format":"nonempty","minLength":1,"type":"string"},"type":"array"},"remove":{"items":{"description":"A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once.","format":"nonempty","minLength":1,"type":"string"},"type":"array"}},"required":["add","remove"]},"Security_Detections_API_AlertIds":{"description":"A list of alerts `id`s.","items":{"format":"nonempty","minLength":1,"type":"string"},"minItems":1,"type":"array"},"Security_Detections_API_AlertsIndex":{"deprecated":true,"description":"(deprecated) Has no effect.","type":"string"},"Security_Detections_API_AlertsIndexNamespace":{"description":"Has no effect.","type":"string"},"Security_Detections_API_AlertsSort":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsSortCombinations"},{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsSortCombinations"},"type":"array"}]},"Security_Detections_API_AlertsSortCombinations":{"anyOf":[{"type":"string"},{"additionalProperties":true,"type":"object"}]},"Security_Detections_API_AlertStatusExceptClosed":{"description":"The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`.","enum":["open","acknowledged","in-progress"],"type":"string"},"Security_Detections_API_AlertSuppression":{"description":"Defines alert suppression 
configuration.","type":"object","properties":{"duration":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppressionDuration"},"group_by":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppressionGroupBy"},"missing_fields_strategy":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppressionMissingFieldsStrategy"}},"required":["group_by"]},"Security_Detections_API_AlertSuppressionDuration":{"type":"object","properties":{"unit":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppressionDurationUnit"},"value":{"minimum":1,"type":"integer"}},"required":["value","unit"]},"Security_Detections_API_AlertSuppressionDurationUnit":{"description":"Time unit","enum":["s","m","h"],"type":"string"},"Security_Detections_API_AlertSuppressionGroupBy":{"items":{"type":"string"},"maxItems":3,"minItems":1,"type":"array"},"Security_Detections_API_AlertSuppressionMissingFieldsStrategy":{"description":"Describes how alerts will be generated for documents with missing suppress by fields:\ndoNotSuppress - a separate alert will be created for each document\nsuppress - only one alert will be created per suppress by bucket","enum":["doNotSuppress","suppress"],"type":"string"},"Security_Detections_API_AlertTag":{"description":"Use alert tags to organize related alerts into categories that you can filter and group.","format":"nonempty","minLength":1,"type":"string"},"Security_Detections_API_AlertTags":{"description":"List of keywords to organize related alerts into categories that you can filter and group.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertTag"},"type":"array"},"Security_Detections_API_AnomalyThreshold":{"description":"Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.","minimum":0,"type":"integer"},"Security_Detections_API_BuildingBlockType":{"description":"Determines if the rule acts as a building block. 
If yes, the value must be `default`.\nBy default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts.\nFor more information, refer to [About building block rules](https:\/\/www.elastic.co\/docs\/solutions\/security\/detect-and-alert\/about-building-block-rules).\n","type":"string"},"Security_Detections_API_BulkActionEditPayload":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayloadTags"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayloadIndexPatterns"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayloadInvestigationFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayloadTimeline"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayloadRuleActions"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayloadSchedule"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayloadAlertSuppression"}]},"Security_Detections_API_BulkActionEditPayloadAlertSuppression":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression"}]},"Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression":{"type":"object","properties":{"type":{"enum":["delete_alert_suppression"],"type":"string"}},"required":["type"]},"Security_Detections_API_BulkActionEditPayloadIndexPatterns":{"description":"Edits index patterns of rulesClient.\n\n- `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made.\n- `delete_index_patterns` removes index patterns from rules. 
If an index pattern does not exist for a rule, no changes are made.\n- `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.\n","type":"object","properties":{"overwrite_data_views":{"description":"Resets the data view for the rule.","type":"boolean"},"type":{"enum":["add_index_patterns","delete_index_patterns","set_index_patterns"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Detections_API_IndexPatternArray"}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadInvestigationFields":{"description":"Edits investigation fields of rules.\n\n- `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made.\n- `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made.\n- `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made.\n","type":"object","properties":{"type":{"enum":["add_investigation_fields","delete_investigation_fields","set_investigation_fields"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadRuleActions":{"description":"Edits rule actions of rules.\n\n- `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID.\n- `set_rule_actions` sets rule actions for rules. 
This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs.\n","type":"object","properties":{"type":{"enum":["add_rule_actions","set_rule_actions"],"type":"string"},"value":{"type":"object","properties":{"actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_NormalizedRuleAction"},"type":"array"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThrottleForBulkActions"}},"required":["actions"]}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadSchedule":{"description":"Overwrites schedule of rules. \n\n- `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made.\n\nBoth `interval` and `lookback` have a format of \"{integer}{time_unit}\", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: \"45s\", \"30m\", \"6h\"\n","type":"object","properties":{"type":{"enum":["set_schedule"],"type":"string"},"value":{"type":"object","properties":{"interval":{"description":"Interval in which the rule runs. For example, `\"1h\"` means the rule runs every hour.","example":"1h","pattern":"^[1-9]\\d*[smh]$","type":"string"},"lookback":{"description":"Lookback time for the rules.\n\nAdditional look-back time that the rule analyzes. 
For example, \"10m\" means the rule analyzes the last 10 minutes of data in addition to the frequency interval.\n","example":"1h","pattern":"^[1-9]\\d*[smh]$","type":"string"}},"required":["interval","lookback"]}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadSetAlertSuppression":{"type":"object","properties":{"type":{"enum":["set_alert_suppression"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppression"}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold":{"type":"object","properties":{"type":{"enum":["set_alert_suppression_for_threshold"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdAlertSuppression"}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadTags":{"description":"Edits tags of rules.\n\n- `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made.\n- `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made.\n- `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.\n","type":"object","properties":{"type":{"enum":["add_tags","delete_tags","set_tags"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"}},"required":["type","value"]},"Security_Detections_API_BulkActionEditPayloadTimeline":{"description":"Edits timeline of rules.\n\n- `set_timeline` sets a timeline for rules. 
If the same timeline already exists for a rule, no changes are made.\n","type":"object","properties":{"type":{"enum":["set_timeline"],"type":"string"},"value":{"type":"object","properties":{"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"}},"required":["timeline_id","timeline_title"]}},"required":["type","value"]},"Security_Detections_API_BulkActionsDryRunErrCode":{"enum":["IMMUTABLE","PREBUILT_CUSTOMIZATION_LICENSE","MACHINE_LEARNING_AUTH","MACHINE_LEARNING_INDEX_PATTERN","ESQL_INDEX_PATTERN","MANUAL_RULE_RUN_FEATURE","MANUAL_RULE_RUN_DISABLED_RULE","THRESHOLD_RULE_TYPE_IN_SUPPRESSION","UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD","RULE_FILL_GAPS_DISABLED_RULE","USER_INSUFFICIENT_RULE_PRIVILEGES"],"type":"string"},"Security_Detections_API_BulkActionSkipResult":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"},"skip_reason":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkEditSkipReason"},{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkGapsFillingSkipReason"}]}},"required":["id","skip_reason"]},"Security_Detections_API_BulkDeleteRules":{"type":"object","properties":{"action":{"enum":["delete"],"type":"string"},"gap_auto_fill_scheduler_id":{"description":"Gap auto fill scheduler ID used to determine gap fill status for rules","type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. 
Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action"]},"Security_Detections_API_BulkDisableRules":{"type":"object","properties":{"action":{"enum":["disable"],"type":"string"},"gap_auto_fill_scheduler_id":{"description":"Gap auto fill scheduler ID used to determine gap fill status for rules","type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action"]},"Security_Detections_API_BulkDuplicateRules":{"type":"object","properties":{"action":{"enum":["duplicate"],"type":"string"},"duplicate":{"description":"Duplicate object that describes applying an update action.","type":"object","properties":{"include_exceptions":{"description":"Whether to copy exceptions from the original rule","type":"boolean"},"include_expired_exceptions":{"description":"Whether to copy expired exceptions from the original rule","type":"boolean"}},"required":["include_exceptions","include_expired_exceptions"]},"gap_auto_fill_scheduler_id":{"description":"Gap auto fill scheduler ID used to determine gap fill status for rules","type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with 
gaps_range_*).","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action"]},"Security_Detections_API_BulkEditActionResponse":{"type":"object","properties":{"attributes":{"type":"object","properties":{"errors":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_NormalizedRuleError"},"type":"array"},"results":{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkEditActionResults"},"summary":{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkEditActionSummary"}},"required":["results","summary"]},"message":{"type":"string"},"rules_count":{"type":"integer"},"status_code":{"type":"integer"},"success":{"type":"boolean"}},"required":["attributes"]},"Security_Detections_API_BulkEditActionResults":{"type":"object","properties":{"created":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleResponse"},"type":"array"},"deleted":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleResponse"},"type":"array"},"skipped":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionSkipResult"},"type":"array"},"updated":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleResponse"},"type":"array"}},"required":["updated","created","deleted","skipped"]},"Security_Detections_API_BulkEditActionSummary":{"description":"A rule can only be skipped when the bulk action to be performed on it results in nothing being done. 
For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`.","type":"object","properties":{"failed":{"type":"integer"},"skipped":{"type":"integer"},"succeeded":{"type":"integer"},"total":{"type":"integer"}},"required":["failed","skipped","succeeded","total"]},"Security_Detections_API_BulkEditRules":{"type":"object","properties":{"action":{"enum":["edit"],"type":"string"},"edit":{"description":"Array of objects containing the edit operations","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionEditPayload"},"minItems":1,"type":"array"},"gap_auto_fill_scheduler_id":{"description":"Gap auto fill scheduler ID used to determine gap fill status for rules","type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. 
Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action","edit"]},"Security_Detections_API_BulkEditSkipReason":{"enum":["RULE_NOT_MODIFIED"],"type":"string"},"Security_Detections_API_BulkEnableRules":{"type":"object","properties":{"action":{"enum":["enable"],"type":"string"},"gap_auto_fill_scheduler_id":{"description":"Gap auto fill scheduler ID used to determine gap fill status for rules","type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. 
Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action"]},"Security_Detections_API_BulkExportActionResponse":{"type":"string"},"Security_Detections_API_BulkExportRules":{"type":"object","properties":{"action":{"enum":["export"],"type":"string"},"gap_auto_fill_scheduler_id":{"description":"Gap auto fill scheduler ID used to determine gap fill status for rules","type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. 
Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action"]},"Security_Detections_API_BulkGapsFillingSkipReason":{"enum":["NO_GAPS_TO_FILL"],"type":"string"},"Security_Detections_API_BulkManualRuleFillGaps":{"type":"object","properties":{"action":{"enum":["fill_gaps"],"type":"string"},"fill_gaps":{"description":"Object that describes applying a manual gap fill action for the specified time range.","type":"object","properties":{"end_date":{"description":"End date of the manual gap fill","type":"string"},"start_date":{"description":"Start date of the manual gap fill","type":"string"}},"required":["start_date","end_date"]},"gap_auto_fill_scheduler_id":{"description":"Gap auto fill scheduler ID used to determine gap fill status for rules","type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. 
Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"}},"required":["action","fill_gaps"]},"Security_Detections_API_BulkManualRuleRun":{"type":"object","properties":{"action":{"enum":["run"],"type":"string"},"gap_auto_fill_scheduler_id":{"description":"Gap auto fill scheduler ID used to determine gap fill status for rules","type":"string"},"gap_fill_statuses":{"description":"Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_GapFillStatus"},"type":"array"},"gaps_range_end":{"description":"Gaps range end, valid only when query is provided","type":"string"},"gaps_range_start":{"description":"Gaps range start, valid only when query is provided","type":"string"},"ids":{"description":"Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.\nOnly valid when query property is undefined.\n","items":{"type":"string"},"minItems":1,"type":"array"},"query":{"description":"Query to filter rules.","type":"string"},"run":{"description":"Object that describes applying a manual rule run action.","type":"object","properties":{"end_date":{"description":"End date of the manual rule run","type":"string"},"start_date":{"description":"Start date of the manual rule run","type":"string"}},"required":["start_date","end_date"]}},"required":["action","run"]},"Security_Detections_API_CloseAlertsByIds":{"type":"object","properties":{"reason":{"$ref":"#\/components\/schemas\/Security_Detections_API_Reason"},"signal_ids":{"description":"List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. 
Note: signals are a deprecated term for alerts.","items":{"format":"nonempty","minLength":1,"type":"string"},"minItems":1,"type":"array"},"status":{"enum":["closed"],"type":"string"}},"required":["signal_ids","status"]},"Security_Detections_API_CloseAlertsByQuery":{"type":"object","properties":{"conflicts":{"default":"abort","enum":["abort","proceed"],"type":"string"},"query":{"additionalProperties":true,"type":"object"},"reason":{"$ref":"#\/components\/schemas\/Security_Detections_API_Reason"},"status":{"enum":["closed"],"type":"string"}},"required":["query","status"]},"Security_Detections_API_ConcurrentSearches":{"minimum":1,"type":"integer"},"Security_Detections_API_DataViewId":{"type":"string"},"Security_Detections_API_DefaultParams":{"type":"object","properties":{"command":{"enum":["isolate"],"type":"string"},"comment":{"type":"string"}},"required":["command"]},"Security_Detections_API_EcsMapping":{"additionalProperties":{"type":"object","properties":{"field":{"type":"string"},"value":{"oneOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]}}},"description":"Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. 
Example: \"ecs_mapping\": {\"process.pid\": {\"field\": \"pid\"}}","type":"object"},"Security_Detections_API_EndpointResponseAction":{"type":"object","properties":{"action_type_id":{"enum":[".endpoint"],"type":"string"},"params":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_DefaultParams"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ProcessesParams"},{"$ref":"#\/components\/schemas\/Security_Detections_API_RunscriptParams"}]}},"required":["action_type_id","params"]},"Security_Detections_API_EqlOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppression"},"data_view_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_DataViewId"},"event_category_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_EventCategoryOverride"},"filters":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#\/components\/schemas\/Security_Detections_API_IndexPatternArray"},"tiebreaker_field":{"$ref":"#\/components\/schemas\/Security_Detections_API_TiebreakerField"},"timestamp_field":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampField"}}},"Security_Detections_API_EqlQueryLanguage":{"enum":["eql"],"type":"string"},"Security_Detections_API_EqlRequiredFields":{"type":"object","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlQueryLanguage","description":"Query language to use"},"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"},"type":{"description":"Rule type","enum":["eql"],"type":"string"}},"required":["type","query","language"]},"Security_Detections_API_EqlRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Det
ections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleV
ersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRuleResponseFields"}]},"Security_Detections_API_EqlRuleCreateFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlOptionalFields"}]},"Security_Detections_API_EqlRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_Inv
estigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. 
Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRuleCreateFields"}]},"Security_Detections_API_EqlRulePatchFields":{"allOf":[{"type":"object","
properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlQueryLanguage","description":"Query language to use"},"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"},"type":{"description":"Rule type","enum":["eql"],"type":"string"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlOptionalFields"}]},"Security_Detections_API_EqlRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detec
tions_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the 
data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRulePatchFields"}]},"Security_Detections_API_EqlRuleResponseFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlOptionalFields"}]},"Security_Detections_API_EqlRuleUpd
ateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"
#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_A
PI_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRuleCreateFields"}]},"Security_Detections_API_ErrorSchema":{"additionalProperties":false,"type":"object","properties":{"error":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"minimum":400,"type":"integer"}},"required":["status_code","message"]},"id":{"type":"string"},"item_id":{"minLength":1,"type":"string"},"list_id":{"minLength":1,"type":"string"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"}},"required":["error"]},"Security_Detections_API_EsqlQueryLanguage":{"enum":["esql"],"type":"string"},"Security_Detections_API_EsqlRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Det
ections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleV
ersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleResponseFields"}]},"Security_Detections_API_EsqlRuleCreateFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleRequiredFields"}]},"Security_Detections_API_EsqlRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detec
tions_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. 
Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleCreateFields"}]},"Security_Detections_API_EsqlRuleOptionalFields":{"type":"object","prope
rties":{"alert_suppression":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppression"}}},"Security_Detections_API_EsqlRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlQueryLanguage"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_AP
I_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Secu
rity_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"type":{"description":"Rule type","enum":["esql"],"type":"string"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleOptionalFields"}]},"Security_Detections_API_EsqlRuleRequiredFields":{"type":"object","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlQueryLanguage"},"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"},"type":{"description":"Rule type","enum":["esql"],"type":"string"}},"required":["type","language","query"]},"Security_Detections_API_EsqlRuleResponseFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleRequiredFields"}]},"Security_Detections_API_EsqlRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleCreateFields"}]},"Security_Detections_API_EventCategoryOverride":{"type":"string"},"Security_Detections_API_ExceptionListType":{"description":"The exception type","enum":["detection","rule_default","endpoint","endpoint_trusted_apps","endpoint_trusted_devices","endpoint_events","endpoint_host_isolation_exceptions","endpoint_blocklists"],"type":"string"},"Security_Detections_API_ExternalRuleCustomizedFields":{"description":"An array of customized field names \u2014 that is, fields that the user has modified from their base value. Defaults to an empty array.","items":{"type":"object","properties":{"field_name":{"description":"Name of a user-modified field in the rule object.","type":"string"}},"required":["field_name"]},"type":"array"},"Security_Detections_API_ExternalRuleHasBaseVersion":{"description":"Determines whether an external\/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`).","type":"boolean"},"Security_Detections_API_ExternalRuleSource":{"description":"Type of rule source for externally sourced rules, i.e. 
rules that have an external source, such as the Elastic Prebuilt rules repo.","type":"object","properties":{"customized_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_ExternalRuleCustomizedFields"},"has_base_version":{"$ref":"#\/components\/schemas\/Security_Detections_API_ExternalRuleHasBaseVersion"},"is_customized":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsExternalRuleCustomized"},"type":{"enum":["external"],"type":"string"}},"required":["type","is_customized","has_base_version","customized_fields"]},"Security_Detections_API_FindRulesSortField":{"enum":["created_at","createdAt","enabled","execution_summary.last_execution.date","execution_summary.last_execution.metrics.execution_gap_duration_s","execution_summary.last_execution.metrics.total_indexing_duration_ms","execution_summary.last_execution.metrics.total_search_duration_ms","execution_summary.last_execution.status","name","risk_score","riskScore","severity","updated_at","updatedAt"],"type":"string"},"Security_Detections_API_GapFillStatus":{"enum":["unfilled","in_progress","filled","error"],"type":"string"},"Security_Detections_API_HistoryWindowStart":{"description":"Start date to use when checking if a term has been seen before. Supports relative dates \u2013 for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.","format":"nonempty","minLength":1,"type":"string"},"Security_Detections_API_IndexPatternArray":{"description":"Indices on which the rule functions. 
Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana \u2192 Stack Management \u2192 Advanced Settings \u2192 `securitySolution:defaultIndex`).\n> info\n> This field is not supported for ES|QL rules.\n","items":{"type":"string"},"type":"array"},"Security_Detections_API_InternalRuleSource":{"description":"Type of rule source for internally sourced rules, i.e. created within the Kibana apps.","type":"object","properties":{"type":{"enum":["internal"],"type":"string"}},"required":["type"]},"Security_Detections_API_InvestigationFields":{"description":"Schema for fields relating to investigation fields. These are user defined fields we use to highlight\nin various features in the UI such as alert details flyout and exceptions auto-population from alert.\n","type":"object","properties":{"field_names":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"},"minItems":1,"type":"array"}},"required":["field_names"]},"Security_Detections_API_InvestigationGuide":{"description":"Notes to help investigate alerts produced by the rule.","type":"string"},"Security_Detections_API_IsExternalRuleCustomized":{"description":"Determines whether an external\/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).","type":"boolean"},"Security_Detections_API_IsRuleEnabled":{"description":"Determines whether the rule is enabled. Defaults to true.","type":"boolean"},"Security_Detections_API_IsRuleImmutable":{"deprecated":true,"description":"This field determines whether the rule is a prebuilt Elastic rule. 
It will be replaced with the `rule_source` field.","type":"boolean"},"Security_Detections_API_ItemsPerSearch":{"minimum":1,"type":"integer"},"Security_Detections_API_KqlQueryLanguage":{"enum":["kuery","lucene"],"type":"string"},"Security_Detections_API_MachineLearningJobId":{"description":"Machine learning job ID(s) the rule monitors for anomaly scores.","oneOf":[{"type":"string"},{"items":{"type":"string"},"minItems":1,"type":"array"}]},"Security_Detections_API_MachineLearningRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/S
ecurity_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the 
data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseFields"},{"$ref":"#\/components\/schemas\/Security_Detections
_API_MachineLearningRuleResponseFields"}]},"Security_Detections_API_MachineLearningRuleCreateFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleOptionalFields"}]},"Security_Detections_API_MachineLearningRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref"
:"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActio
nThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleCreateFields"}]},"Security_Detections_API_MachineLearningRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppression"}}},"Security_Detections_API_MachineLearningRulePatchFields":{"allOf":[{"type":"object","properties":{"anomaly_threshold":{"$ref":"#\/components\/schemas\/Security_Detections_API_AnomalyThreshold"},"machine_learning_job_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningJobId"},"type":{"description":"Rule type","enum":["machine_learning"],"type":"string"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleOptionalFields"}]},"Security_Detections_API_MachineLearningRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRulePatchFields"}]},"Security_Detections_API_MachineLearningRuleRequiredFields":{"type":"object","properties":{"anomaly_threshold":{"$ref":"#\/components\/schemas\/Security_Detections_API_AnomalyThreshold"},"machine_learning_job_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningJobId"},"type":{"description":"Rule type","enum":["machine_learning"],"type":"string"}},"required":["type","machine_learning_job_id","anomaly_threshold"]},"Security_Detections_API_MachineLearningRuleResponseFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleOptionalFields"}]},"Security_Detections_API_MachineLearningRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleCreateFields"}]},"Security_Detections_API_MaxSignals":{"default":100,"description":"Maximum number of alerts the rule can create during a single run (the rule\u2019s Max alerts per run [advanced setting](https:\/\/www.elastic.co\/docs\/solutions\/security\/detect-and-alert\/create-detection-rule#rule-ui-advanced-params) value).\n> info\n> This setting can be superseded by the [Kibana configuration setting](https:\/\/www.elastic.co\/docs\/reference\/kibana\/configuration-reference\/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher.\n","minimum":1,"type":"integer"},"Security_Detections_API_NewTermsFields":{"description":"Fields to monitor for new values.","items":{"type":"string"},"maxItems":3,"minItems":1,"type":"array"},"Security_Detections_API_NewTermsRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Det
ections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleV
ersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleResponseFields"}]},"Security_Detections_API_NewTermsRuleCreateFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleDefaultableFields"}]},"Security_Detections_API_NewTermsRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/
Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. 
Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleCreateFields"}]},"Security_Detections_API_NewTermsRuleDefaultableFields":{"type":"obj
ect","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"}}},"Security_Detections_API_NewTermsRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppression"},"data_view_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_DataViewId"},"filters":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#\/components\/schemas\/Security_Detections_API_IndexPatternArray"}}},"Security_Detections_API_NewTermsRulePatchFields":{"allOf":[{"type":"object","properties":{"history_window_start":{"$ref":"#\/components\/schemas\/Security_Detections_API_HistoryWindowStart"},"new_terms_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsFields"},"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"},"type":{"description":"Rule type","enum":["new_terms"],"type":"string"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleDefaultableFields"}]},"Security_Detections_API_NewTermsRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRulePatchFields"}]},"Security_Detections_API_NewTermsRuleRequiredFields":{"type":"object","properties":{"history_window_start":{"$ref":"#\/components\/schemas\/Security_Detections_API_HistoryWindowStart"},"new_terms_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsFields"},"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"},"type":{"description":"Rule type","enum":["new_terms"],"type":"string"}},"required":["type","query","new_terms_fields","history_window_start"]},"Security_Detections_API_NewTermsRuleResponseFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleOptionalFields"},{"type":"object","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"}},"required":["language"]}]},"Security_Detections_API_NewTermsRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleCreateFields"}]},"Security_Detections_API_NonEmptyString":{"description":"A string that does not contain only whitespace characters","format":"nonempty","minLength":1,"type":"string"},"Security_Detections_API_NormalizedRuleAction":{"additionalProperties":false,"type":"object","properties":{"alerts_filter":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionAlertsFilter"},"frequency":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionFrequency"},"group":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionGroup"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionId"},"params":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionParams"}},"required":["id","params"]},"Security_Detections_API_NormalizedRuleError":{"type":"object","properties":{"err_code":{"$ref":"#\/components\/schemas\/Security_Detections_API_BulkActionsDryRunErrCode"},"message":{"type":"string"},"rules":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDetailsInError"},"type":"array"},"status_code":{"type":"integer"}},"required":["message","status_code","rules"]},"Security_Detections_API_OsqueryParams":{"type":"object","properties":{"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_EcsMapping"},"pack_id":{"description":"To specify a query pack, use the packId field. Example: \"packId\": \"processes_elastic\"","type":"string"},"queries":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_OsqueryQuery"},"type":"array"},"query":{"description":"To run a single query, use the query field and enter a SQL query. 
Example: \"query\": \"SELECT * FROM processes;\"","type":"string"},"saved_query_id":{"description":"To run a saved query, use the saved_query_id field and specify the saved query ID. Example: \"saved_query_id\": \"processes_elastic\"","type":"string"},"timeout":{"description":"A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: \"timeout\": 120.","type":"number"}}},"Security_Detections_API_OsqueryQuery":{"type":"object","properties":{"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_EcsMapping"},"id":{"description":"Query ID","type":"string"},"platform":{"type":"string"},"query":{"description":"Query to run","type":"string"},"removed":{"type":"boolean"},"snapshot":{"type":"boolean"},"version":{"description":"Query version","type":"string"}},"required":["id","query"]},"Security_Detections_API_OsqueryResponseAction":{"type":"object","properties":{"action_type_id":{"enum":[".osquery"],"type":"string"},"params":{"$ref":"#\/components\/schemas\/Security_Detections_API_OsqueryParams"}},"required":["action_type_id","params"]},"Security_Detections_API_PlatformErrorResponse":{"type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"integer"}},"required":["statusCode","error","message"]},"Security_Detections_API_ProcessesParams":{"type":"object","properties":{"command":{"description":"To run an endpoint response action, specify a value for the command field. Example: \"command\": \"isolate\"","enum":["kill-process","suspend-process"],"type":"string"},"comment":{"description":"Add a note that explains or describes the action. You can find your comment in the response actions history log. 
Example: \"comment\": \"Check processes\"","type":"string"},"config":{"type":"object","properties":{"field":{"description":"Field to use instead of process.pid","type":"string"},"overwrite":{"default":true,"description":"Whether to overwrite field with process.pid","type":"boolean"}},"required":["field"]}},"required":["command","config"]},"Security_Detections_API_QueryAlertsBodyParams":{"type":"object","properties":{"_source":{"oneOf":[{"type":"boolean"},{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"aggs":{"additionalProperties":true,"type":"object"},"fields":{"items":{"type":"string"},"type":"array"},"query":{"additionalProperties":true,"type":"object"},"runtime_mappings":{"additionalProperties":true,"type":"object"},"size":{"minimum":0,"type":"integer"},"sort":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsSort"},"track_total_hits":{"type":"boolean"}}},"Security_Detections_API_QueryRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Det
ections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleV
ersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleResponseFields"}]},"Security_Detections_API_QueryRuleCreateFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleDefaultableFields"}]},"Security_Detections_API_QueryRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detection
s_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. 
Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleCreateFields"}]},"Security_Detections_API_QueryRuleDefaultableFields":{"type":"object","
properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"},"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"}}},"Security_Detections_API_QueryRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppression"},"data_view_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_DataViewId"},"filters":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#\/components\/schemas\/Security_Detections_API_IndexPatternArray"},"saved_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryId"}}},"Security_Detections_API_QueryRulePatchFields":{"allOf":[{"type":"object","properties":{"type":{"description":"Rule type","enum":["query"],"type":"string"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleDefaultableFields"}]},"Security_Detections_API_QueryRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRulePatchFields"}]},"Security_Detections_API_QueryRuleRequiredFields":{"type":"object","properties":{"type":{"description":"Rule type","enum":["query"],"type":"string"}},"required":["type"]},"Security_Detections_API_QueryRuleResponseFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleOptionalFields"},{"type":"object","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"},"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"}},"required":["query","language"]}]},"Security_Detections_API_QueryRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleCreateFields"}]},"Security_Detections_API_Reason":{"description":"The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.","oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_ReasonEnum"},{"type":"string"}]},"Security_Detections_API_ReasonEnum":{"enum":["false_positive","duplicate","true_positive","benign_positive","automated_closure","other"],"type":"string"},"Security_Detections_API_RelatedIntegration":{"description":"Related integration is a potential dependency of a rule. It's assumed that if the user installs\none of the related integrations of a rule, the rule might start to work properly because it will\nhave source events (generated by this integration) potentially matching the rule's query.\n\nNOTE: Proper work is not guaranteed, because a related integration, if installed, can be\nconfigured differently or generate data that is not necessarily relevant for this rule.\n\nRelated integration is a combination of a Fleet package and (optionally) one of the\npackage's \"integrations\" that this package contains. It is represented by 3 properties:\n\n- `package`: name of the package (required, unique id)\n- `version`: version of the package (required, semver-compatible)\n- `integration`: name of the integration of this package (optional, id within the package)\n\nThere are Fleet packages like `windows` that contain only one integration; in this case,\n`integration` should be unspecified. 
There are also packages like `aws` and `azure` that contain\nseveral integrations; in this case, `integration` should be specified.\n","example":{"integration":"activitylogs","package":"azure","version":"~1.1.6"},"type":"object","properties":{"integration":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"},"package":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"}},"required":["package","version"]},"Security_Detections_API_RelatedIntegrationArray":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegration"},"type":"array"},"Security_Detections_API_RequiredField":{"description":"Describes an Elasticsearch field that is needed for the rule to function.\n\nAlmost all types of Security rules check source event documents for a match to some kind of\nquery or filter. If a document has certain field with certain values, then it's a match and\nthe rule will generate an alert.\n\nRequired field is an event field that must be present in the source indices of a given rule.\n\n@example\nconst standardEcsField: RequiredField = {\n  name: 'event.action',\n  type: 'keyword',\n  ecs: true,\n};\n\n@example\nconst nonEcsField: RequiredField = {\n  name: 'winlog.event_data.AttributeLDAPDisplayName',\n  type: 'keyword',\n  ecs: false,\n};\n","type":"object","properties":{"ecs":{"description":"Indicates whether the field is ECS-compliant. This property is only present in responses. 
Its value is computed based on field\u2019s name and type.","type":"boolean"},"name":{"description":"Name of an Elasticsearch field","format":"nonempty","minLength":1,"type":"string"},"type":{"description":"Type of the Elasticsearch field","format":"nonempty","minLength":1,"type":"string"}},"required":["name","type","ecs"]},"Security_Detections_API_RequiredFieldArray":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredField"},"type":"array"},"Security_Detections_API_RequiredFieldInput":{"description":"Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type.","type":"object","properties":{"name":{"description":"Name of an Elasticsearch field","format":"nonempty","minLength":1,"type":"string"},"type":{"description":"Type of the Elasticsearch field","format":"nonempty","minLength":1,"type":"string"}},"required":["name","type"]},"Security_Detections_API_ResponseAction":{"discriminator":{"mapping":{".endpoint":"#\/components\/schemas\/Security_Detections_API_EndpointResponseAction",".osquery":"#\/components\/schemas\/Security_Detections_API_OsqueryResponseAction"},"propertyName":"action_type_id"},"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_OsqueryResponseAction"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EndpointResponseAction"}]},"Security_Detections_API_ResponseFields":{"type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"type":"string"},"execution_summary":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExecutionSummary"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"immutable":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleImmutable"},"required_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldArray"},"revision":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleRevision"},"rule_
id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_source":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSource"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"type":"string"}},"required":["id","rule_id","immutable","rule_source","updated_at","updated_by","created_at","created_by","revision","related_integrations","required_fields"]},"Security_Detections_API_RiskScore":{"description":"A numerical representation of the alert's severity from 0 to 100, where:\n* `0` - `21` represents low severity\n* `22` - `47` represents medium severity\n* `48` - `73` represents high severity\n* `74` - `100` represents critical severity\n","maximum":100,"minimum":0,"type":"integer"},"Security_Detections_API_RiskScoreMapping":{"description":"Overrides generated alerts' risk_score with a value from the source event","items":{"type":"object","properties":{"field":{"description":"Source event field used to override the default `risk_score`.","type":"string"},"operator":{"enum":["equals"],"type":"string"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"value":{"type":"string"}},"required":["field","operator","value"]},"type":"array"},"Security_Detections_API_RuleAction":{"type":"object","properties":{"action_type_id":{"description":"The action type used for sending notifications, can be:\n\n  - `.slack`\n  - `.slack_api`\n  - `.email`\n  - `.index`\n  - `.pagerduty`\n  - `.swimlane`\n  - `.webhook`\n  - `.servicenow`\n  - `.servicenow-itom`\n  - `.servicenow-sir`\n  - `.jira`\n  - `.resilient`\n  - `.opsgenie`\n  - `.teams`\n  - `.torq`\n  - `.tines`\n  - 
`.d3security`\n","type":"string"},"alerts_filter":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionAlertsFilter"},"frequency":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionFrequency"},"group":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionGroup"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionId"},"params":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionParams"},"uuid":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"}},"required":["action_type_id","id","params"]},"Security_Detections_API_RuleActionAlertsFilter":{"additionalProperties":true,"description":"Object containing an action\u2019s conditional filters.\n\n- `timeframe` (object, optional): Object containing the time frame for when this action can be run.\n    - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array.\n    - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day.\n        - start (string, required): Start time in `hh:mm` format.\n        - end (string, required): End time in `hh:mm` format.\n    - `timezone` (string, required): An ISO timezone name, such as `Europe\/Madrid` or `America\/New_York`. 
Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST.\n- `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.\n    - `kql` (string, required): A KQL string.\n    - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.\n","type":"object"},"Security_Detections_API_RuleActionFrequency":{"description":"The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).","type":"object","properties":{"notifyWhen":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionNotifyWhen"},"summary":{"description":"Action summary indicates whether we will send a summary notification about all the generated alerts or a notification per individual alert","type":"boolean"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle","nullable":true}},"required":["summary","notifyWhen","throttle"]},"Security_Detections_API_RuleActionGroup":{"description":"Optionally groups actions by use cases. Use `default` for alert notifications.","type":"string"},"Security_Detections_API_RuleActionId":{"description":"The connector ID.","type":"string"},"Security_Detections_API_RuleActionNotifyWhen":{"description":"Defines how often rules run actions.","enum":["onActiveAlert","onThrottleInterval","onActionGroupChange"],"type":"string"},"Security_Detections_API_RuleActionParams":{"additionalProperties":true,"description":"Object containing the allowed connector fields, which vary according to the connector type.\n\nFor Slack:\n\n  - `message` (string, required): The notification message.\n\nFor email:\n\n  - `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. 
At least one field must have a value.\n  - `subject` (string, optional): Email subject line.\n  - `message` (string, required): Email body text.\n\nFor Webhook:\n\n  - `body` (string, required): JSON payload.\n\nFor PagerDuty:\n\n  - `severity` (string, required): Severity of the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`.\n  - `eventAction` (string, required): Event [action type](https:\/\/v2.developer.pagerduty.com\/docs\/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`.\n  - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert.\n  - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https:\/\/v2.developer.pagerduty.com\/docs\/types#datetime).\n  - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`.\n  - `group` (string, optional): Enables logical grouping of service components.\n  - `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.\n  - `summary` (string, optional): Summary of the event. Defaults to `No summary provided`. 
Maximum length is 1024 characters.\n  - `class` (string, optional): Value indicating the class\/type of the event.\n","type":"object"},"Security_Detections_API_RuleActionThrottle":{"description":"Defines how often rule actions are taken.","oneOf":[{"enum":["no_actions","rule"],"type":"string"},{"description":"Time interval in seconds, minutes, hours, or days.","example":"1h","pattern":"^[1-9]\\d*[smhd]$","type":"string"}]},"Security_Detections_API_RuleAuthorArray":{"description":"The rule\u2019s author.","items":{"type":"string"},"type":"array"},"Security_Detections_API_RuleCreateProps":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleCreateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleCreateProps"}],"discriminator":{"mapping":{"eql":"#\/components\/schemas\/Security_Detections_API_EqlRuleCreateProps","esql":"#\/components\/schemas\/Security_Detections_API_EsqlRuleCreateProps","machine_learning":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleCreateProps","new_terms":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleCreateProps","query":"#\/components\/schemas\/Security_Detections_API_QueryRuleCreateProps","saved_query":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleCreateProps","threat_match":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleCreateProps","threshold":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleCreateProps"},"propertyName":
"type"}},"Security_Detections_API_RuleDescription":{"description":"The rule\u2019s description.","example":"Detects anomalous Windows process creation events.","minLength":1,"type":"string"},"Security_Detections_API_RuleDetailsInError":{"type":"object","properties":{"id":{"type":"string"},"name":{"type":"string"}},"required":["id"]},"Security_Detections_API_RuleExceptionList":{"description":"Array of [exception containers](https:\/\/www.elastic.co\/docs\/solutions\/security\/detect-and-alert\/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met.\n","type":"object","properties":{"id":{"description":"ID of the exception container","format":"nonempty","minLength":1,"type":"string"},"list_id":{"description":"List ID of the exception container","format":"nonempty","minLength":1,"type":"string"},"namespace_type":{"description":"Determines the exceptions validity in rule's Kibana space","enum":["agnostic","single"],"type":"string"},"type":{"$ref":"#\/components\/schemas\/Security_Detections_API_ExceptionListType"}},"required":["id","list_id","type","namespace_type"]},"Security_Detections_API_RuleExecutionMetrics":{"type":"object","properties":{"execution_gap_duration_s":{"description":"Duration in seconds of execution gap","minimum":0,"type":"integer"},"frozen_indices_queried_count":{"description":"Count of frozen indices queried during the rule execution. 
These indices could not be entirely excluded after applying the time range filter.","minimum":0,"type":"integer"},"gap_range":{"description":"Range of the execution gap","type":"object","properties":{"gte":{"description":"Start date of the execution gap","type":"string"},"lte":{"description":"End date of the execution gap","type":"string"}},"required":["gte","lte"]},"gap_reason":{"description":"Detected reason for the execution gap","type":"object","properties":{"type":{"description":"The type of reason for the gap (rule_disabled or rule_did_not_run)","enum":["rule_disabled","rule_did_not_run"],"type":"string"}},"required":["type"]},"total_enrichment_duration_ms":{"description":"Total time spent enriching documents during current rule execution cycle","minimum":0,"type":"integer"},"total_indexing_duration_ms":{"description":"Total time spent indexing documents during current rule execution cycle","minimum":0,"type":"integer"},"total_search_duration_ms":{"description":"Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing\/deserializing request\/response","minimum":0,"type":"integer"}}},"Security_Detections_API_RuleExecutionStatus":{"description":"Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule.\n- going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes.\n- running - Rule execution started but not reached any intermediate or final status.\n- partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. 
So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist.\n- failed - Rule failed to execute due to an unhandled exception or a reason defined in the business logic of its executor function.\n- succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's \"health\". The rule might or might not generate any alerts regardless of it.","enum":["going to run","running","partial failure","failed","succeeded"],"type":"string"},"Security_Detections_API_RuleExecutionStatusOrder":{"type":"integer"},"Security_Detections_API_RuleExecutionSummary":{"description":"Summary of the last execution of a rule.\n> info\n> This field is under development and its usage or schema may change\n","type":"object","properties":{"last_execution":{"type":"object","properties":{"date":{"description":"Date of the last execution","format":"date-time","type":"string"},"message":{"type":"string"},"metrics":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExecutionMetrics"},"status":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExecutionStatus","description":"Status of the last execution"},"status_order":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExecutionStatusOrder"}},"required":["date","status","status_order","message","metrics"]}},"required":["last_execution"]},"Security_Detections_API_RuleFalsePositiveArray":{"description":"String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.","items":{"type":"string"},"type":"array"},"Security_Detections_API_RuleFilterArray":{"description":"The query and filter context array used to define the conditions for when alerts are created from events. 
Defaults to an empty array.\n> info\n> This field is not supported for ES|QL rules.\n","items":{},"type":"array"},"Security_Detections_API_RuleInterval":{"description":"Frequency of rule execution, using a date math range. For example, \"1h\" means the rule runs every hour. Defaults to 5m (5 minutes).","type":"string"},"Security_Detections_API_RuleIntervalFrom":{"description":"Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).","format":"date-math","type":"string"},"Security_Detections_API_RuleIntervalTo":{"type":"string"},"Security_Detections_API_RuleLicense":{"description":"The rule's license.","type":"string"},"Security_Detections_API_RuleMetadata":{"additionalProperties":true,"description":"Placeholder for metadata about the rule.\n> info\n> This field is overwritten when you save changes to the rule\u2019s settings.\n","type":"object"},"Security_Detections_API_RuleName":{"description":"A human-readable name for the rule.","example":"Anomalous Windows Process Creation","minLength":1,"type":"string"},"Security_Detections_API_RuleNameOverride":{"description":"Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule\u2019s `name` value is used. The source field must be a string data type.","type":"string"},"Security_Detections_API_RuleObjectId":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID","description":"A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. 
The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s."},"Security_Detections_API_RulePatchProps":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRulePatchProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRulePatchProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRulePatchProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRulePatchProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRulePatchProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRulePatchProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRulePatchProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRulePatchProps"}]},"Security_Detections_API_RulePreviewLoggedRequest":{"type":"object","properties":{"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"},"duration":{"type":"integer"},"request":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"},"request_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"}}},"Security_Detections_API_RulePreviewLogs":{"type":"object","properties":{"duration":{"description":"Execution duration in 
milliseconds","type":"integer"},"errors":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"},"type":"array"},"requests":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RulePreviewLoggedRequest"},"type":"array"},"startedAt":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"},"warnings":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"},"type":"array"}},"required":["errors","warnings","duration"]},"Security_Detections_API_RulePreviewParams":{"type":"object","properties":{"invocationCount":{"type":"integer"},"timeframeEnd":{"format":"date-time","type":"string"}},"required":["invocationCount","timeframeEnd"]},"Security_Detections_API_RuleQuery":{"description":"[Query](https:\/\/www.elastic.co\/docs\/explore-analyze\/query-filter) used by the rule to create alerts.\n\n- For indicator match rules, only the query\u2019s results are used to determine whether an alert is generated.\n- ES|QL rules have additional query requirements. Refer to [Create ES|QL](https:\/\/www.elastic.co\/docs\/solutions\/security\/detect-and-alert\/create-detection-rule#create-esql-rule) rules for more information.\n","type":"string"},"Security_Detections_API_RuleReferenceArray":{"description":"Array containing notes about or references to relevant information about the rule. 
Defaults to an empty array.","items":{"type":"string"},"type":"array"},"Security_Detections_API_RuleResponse":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRule"},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRule"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRule"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRule"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRule"},{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRule"},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRule"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRule"}],"discriminator":{"mapping":{"eql":"#\/components\/schemas\/Security_Detections_API_EqlRule","esql":"#\/components\/schemas\/Security_Detections_API_EsqlRule","machine_learning":"#\/components\/schemas\/Security_Detections_API_MachineLearningRule","new_terms":"#\/components\/schemas\/Security_Detections_API_NewTermsRule","query":"#\/components\/schemas\/Security_Detections_API_QueryRule","saved_query":"#\/components\/schemas\/Security_Detections_API_SavedQueryRule","threat_match":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRule","threshold":"#\/components\/schemas\/Security_Detections_API_ThresholdRule"},"propertyName":"type"}},"Security_Detections_API_RuleRevision":{"description":"The rule's revision number.\n\nIt represents the version of the rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update.\n> info\n> Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`.
However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.\n","minimum":0,"type":"integer"},"Security_Detections_API_RuleSignatureId":{"description":"A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s.","type":"string"},"Security_Detections_API_RuleSource":{"description":"Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.","discriminator":{"propertyName":"type"},"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_ExternalRuleSource"},{"$ref":"#\/components\/schemas\/Security_Detections_API_InternalRuleSource"}]},"Security_Detections_API_RuleTagArray":{"description":"String array containing words and phrases to help categorize, filter, and search rules. 
Defaults to an empty array.","items":{"type":"string"},"type":"array"},"Security_Detections_API_RuleUpdateProps":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_EqlRuleUpdateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_QueryRuleUpdateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleUpdateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleUpdateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleUpdateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleUpdateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleUpdateProps"},{"$ref":"#\/components\/schemas\/Security_Detections_API_EsqlRuleUpdateProps"}],"discriminator":{"mapping":{"eql":"#\/components\/schemas\/Security_Detections_API_EqlRuleUpdateProps","esql":"#\/components\/schemas\/Security_Detections_API_EsqlRuleUpdateProps","machine_learning":"#\/components\/schemas\/Security_Detections_API_MachineLearningRuleUpdateProps","new_terms":"#\/components\/schemas\/Security_Detections_API_NewTermsRuleUpdateProps","query":"#\/components\/schemas\/Security_Detections_API_QueryRuleUpdateProps","saved_query":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleUpdateProps","threat_match":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleUpdateProps","threshold":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleUpdateProps"},"propertyName":"type"}},"Security_Detections_API_RuleVersion":{"description":"The rule's version number.\n\n- For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https:\/\/github.com\/elastic\/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). \n- For custom rules it is set to `1` when the rule is created. \n> info\n> It is not incremented on each update. 
Compare this to the `revision` field.\n","minimum":1,"type":"integer"},"Security_Detections_API_RunScriptOsConfigValues":{"minProperties":1,"type":"object","properties":{"scriptId":{"type":"string"},"scriptInput":{"type":"string"},"timeout":{"description":"Specify the timeout in seconds for the script execution","example":60,"type":"integer"}}},"Security_Detections_API_RunscriptParams":{"description":"> warn\n> This functionality is currently not available\n","type":"object","properties":{"command":{"enum":["runscript"],"type":"string"},"comment":{"description":"Add a note that explains or describes the action. You can find your comment in the response actions history log","type":"string"},"config":{"type":"object","properties":{"linux":{"$ref":"#\/components\/schemas\/Security_Detections_API_RunScriptOsConfigValues"},"macos":{"$ref":"#\/components\/schemas\/Security_Detections_API_RunScriptOsConfigValues"},"windows":{"$ref":"#\/components\/schemas\/Security_Detections_API_RunScriptOsConfigValues"}}}},"required":["command"]},"Security_Detections_API_SavedObjectResolveAliasPurpose":{"enum":["savedObjectConversion","savedObjectImport"],"type":"string"},"Security_Detections_API_SavedObjectResolveAliasTargetId":{"type":"string"},"Security_Detections_API_SavedObjectResolveOutcome":{"enum":["exactMatch","aliasMatch","conflict"],"type":"string"},"Security_Detections_API_SavedQueryId":{"description":"Kibana [saved search](https:\/\/www.elastic.co\/docs\/explore-analyze\/discover\/search-sessions) used by the rule to create alerts.","type":"string"},"Security_Detections_API_SavedQueryRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Det
ections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleV
ersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleResponseFields"}]},"Security_Detections_API_SavedQueryRuleCreateFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleDefaultableFields"}]},"Security_Detections_API_SavedQueryRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/component
s\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. 
Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleCreateFields"}]},"Security_Detections_API_SavedQueryRuleDefaultableFields":{"type":
"object","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"}}},"Security_Detections_API_SavedQueryRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppression"},"data_view_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_DataViewId"},"filters":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#\/components\/schemas\/Security_Detections_API_IndexPatternArray"},"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"}}},"Security_Detections_API_SavedQueryRulePatchFields":{"allOf":[{"type":"object","properties":{"saved_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryId"},"type":{"description":"Rule type","enum":["saved_query"],"type":"string"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleDefaultableFields"}]},"Security_Detections_API_SavedQueryRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRulePatchFields"}]},"Security_Detections_API_SavedQueryRuleRequiredFields":{"type":"object","properties":{"saved_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryId"},"type":{"description":"Rule type","enum":["saved_query"],"type":"string"}},"required":["type","saved_id"]},"Security_Detections_API_SavedQueryRuleResponseFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleOptionalFields"},{"type":"object","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"}},"required":["language"]}]},"Security_Detections_API_SavedQueryRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryRuleCreateFields"}]},"Security_Detections_API_SetAlertAssigneesBody":{"type":"object","properties":{"assignees":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertAssignees","description":"Details about the assignees to assign and unassign."},"ids":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertIds"}},"required":["assignees","ids"]},"Security_Detections_API_SetAlertsStatusByIds":{"discriminator":{"mapping":{"closed":"#\/components\/schemas\/Security_Detections_API_CloseAlertsByIds"},"propertyName":"status"},"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_CloseAlertsByIds"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SetAlertsStatusByIdsBase"}]},"Security_Detections_API_SetAlertsStatusByIdsBase":{"type":"object","properties":{"signal_ids":{"description":"List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. 
Note: signals are a deprecated term for alerts.","items":{"format":"nonempty","minLength":1,"type":"string"},"minItems":1,"type":"array"},"status":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertStatusExceptClosed"}},"required":["signal_ids","status"]},"Security_Detections_API_SetAlertsStatusByQuery":{"discriminator":{"mapping":{"closed":"#\/components\/schemas\/Security_Detections_API_CloseAlertsByQuery"},"propertyName":"status"},"oneOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_CloseAlertsByQuery"},{"$ref":"#\/components\/schemas\/Security_Detections_API_SetAlertsStatusByQueryBase"}]},"Security_Detections_API_SetAlertsStatusByQueryBase":{"type":"object","properties":{"conflicts":{"default":"abort","enum":["abort","proceed"],"type":"string"},"query":{"additionalProperties":true,"type":"object"},"status":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertStatusExceptClosed"}},"required":["query","status"]},"Security_Detections_API_SetAlertTags":{"description":"Object with list of tags to add and remove.","type":"object","properties":{"tags_to_add":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertTags"},"tags_to_remove":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertTags"}},"required":["tags_to_add","tags_to_remove"]},"Security_Detections_API_SetAlertTagsBody":{"type":"object","properties":{"ids":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertIds"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetAlertTags"}},"required":["ids","tags"]},"Security_Detections_API_SetupGuide":{"description":"Populates the rule\u2019s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.","type":"string"},"Security_Detections_API_Severity":{"description":"Severity level of alerts produced by the rule, which must be one of the following:\n* `low`: Alerts that are of interest but 
generally not considered to be security incidents\n* `medium`: Alerts that require investigation\n* `high`: Alerts that require immediate investigation\n* `critical`: Alerts that indicate it is highly likely a security incident has occurred\n","enum":["low","medium","high","critical"],"type":"string"},"Security_Detections_API_SeverityMapping":{"description":"Overrides generated alerts' severity with values from the source event","items":{"type":"object","properties":{"field":{"description":"Source event field used to override the default `severity`.","type":"string"},"operator":{"enum":["equals"],"type":"string"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"value":{"type":"string"}},"required":["field","operator","severity","value"]},"type":"array"},"Security_Detections_API_SiemErrorResponse":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["status_code","message"]},"Security_Detections_API_SortOrder":{"enum":["asc","desc"],"type":"string"},"Security_Detections_API_Threat":{"description":"> info\n> Currently, only threats described using the MITRE ATT&CK&trade; framework are supported.\n","type":"object","properties":{"framework":{"description":"Relevant attack framework","type":"string"},"tactic":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatTactic"},"technique":{"description":"Array containing information on the attack techniques (optional)","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatTechnique"},"type":"array"}},"required":["framework","tactic"]},"Security_Detections_API_ThreatArray":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_Threat"},"type":"array"},"Security_Detections_API_ThreatFilters":{"items":{"description":"Query and filter context array used to filter documents from the Elasticsearch index containing the threat 
values"},"type":"array"},"Security_Detections_API_ThreatIndex":{"description":"Elasticsearch indices used to check which field values generate alerts.","items":{"type":"string"},"type":"array"},"Security_Detections_API_ThreatIndicatorPath":{"description":"Defines the path to the threat indicator in the indicator documents (optional)","type":"string"},"Security_Detections_API_ThreatMapping":{"description":"Array of `entries` objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each `entries` object must contain these fields:\n\n- `field`: field from the event indices on which the rule runs\n- `type`: must be `mapping`\n- `value`: field from the Elasticsearch threat index\n\nYou can use Boolean `and` and `or` logic to define the conditions for when matching fields and values generate alerts. Sibling `entries` objects are evaluated using `or` logic, whereas multiple entries in a single `entries` object use `and` logic. See Example of Threat Match rule which uses both `and` and `or` logic.\n","items":{"type":"object","properties":{"entries":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMappingEntry"},"type":"array"}},"required":["entries"]},"minItems":1,"type":"array"},"Security_Detections_API_ThreatMappingEntry":{"type":"object","properties":{"field":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"},"negate":{"type":"boolean"},"type":{"enum":["mapping"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Detections_API_NonEmptyString"}},"required":["field","type","value"]},"Security_Detections_API_ThreatMatchRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Det
ections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleV
ersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleResponseFields"}]},"Security_Detections_API_ThreatMatchRuleCreateFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleDefaultableFields"}]},"Security_Detections_API_ThreatMatchRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/com
ponents\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. 
Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleCreateFields"}]},"Security_Detections_API_ThreatMatchRuleDefaultableFields":{"type
":"object","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"}}},"Security_Detections_API_ThreatMatchRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppression"},"concurrent_searches":{"$ref":"#\/components\/schemas\/Security_Detections_API_ConcurrentSearches"},"data_view_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_DataViewId"},"filters":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#\/components\/schemas\/Security_Detections_API_IndexPatternArray"},"items_per_search":{"$ref":"#\/components\/schemas\/Security_Detections_API_ItemsPerSearch"},"saved_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryId"},"threat_filters":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatFilters"},"threat_indicator_path":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatIndicatorPath"},"threat_language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"}}},"Security_Detections_API_ThreatMatchRulePatchFields":{"allOf":[{"type":"object","properties":{"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"},"threat_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatIndex"},"threat_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMapping"},"threat_query":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatQuery"},"type":{"description":"Rule type","enum":["threat_match"],"type":"string"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleDefaultableFields"}]},"Security_Detections_API_ThreatMatchRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts 
are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArr
ay"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisa
bled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRulePatchFields"}]},"Security_Detections_API_ThreatMatchRuleRequiredFields":{"type":"object","properties":{"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"},"threat_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatIndex"},"threat_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMapping"},"threat_query":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatQuery"},"type":{"description":"Rule type","enum":["threat_match"],"type":"string"}},"required":["type","query","threat_query","threat_mapping","threat_index"]},"Security_Detections_API_ThreatMatchRuleResponseFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleOptionalFields"},{"type":"object","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"}},"required":["language"]}]},"Security_Detections_API_ThreatMatchRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatMatchRuleCreateFields"}]},"Security_Detections_API_ThreatQuery":{"description":"Query used to determine which fields in the Elasticsearch index are used for generating alerts.","type":"string"},"Security_Detections_API_ThreatSubtechnique":{"type":"object","properties":{"id":{"description":"Subtechnique ID","type":"string"},"name":{"description":"Subtechnique name","type":"string"},"reference":{"description":"Subtechnique reference","type":"string"}},"required":["id","name","reference"]},"Security_Detections_API_ThreatTactic":{"description":"Object containing information on the attack type\n","type":"object","properties":{"id":{"description":"Tactic ID","type":"string"},"name":{"description":"Tactic name","type":"string"},"reference":{"description":"Tactic reference","type":"string"}},"required":["id","name","reference"]},"Security_Detections_API_ThreatTechnique":{"type":"object","properties":{"id":{"description":"Technique ID","type":"string"},"name":{"description":"Technique name","type":"string"},"reference":{"description":"Technique reference","type":"string"},"subtechnique":{"description":"Array containing more specific information on the attack 
technique.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatSubtechnique"},"type":"array"}},"required":["id","name","reference"]},"Security_Detections_API_Threshold":{"type":"object","properties":{"cardinality":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdCardinality"},"field":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdField"},"value":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdValue"}},"required":["field","value"]},"Security_Detections_API_ThresholdAlertSuppression":{"description":"Defines alert suppression configuration.","type":"object","properties":{"duration":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertSuppressionDuration"}},"required":["duration"]},"Security_Detections_API_ThresholdCardinality":{"description":"The field on which the cardinality is applied.","items":{"type":"object","properties":{"field":{"description":"The field on which to calculate and compare the cardinality.","type":"string"},"value":{"description":"The threshold value from which an alert is generated based on unique number of values of cardinality.field.","minimum":0,"type":"integer"}},"required":["field","value"]},"type":"array"},"Security_Detections_API_ThresholdField":{"description":"The field on which the threshold is applied. 
If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field.","oneOf":[{"type":"string"},{"items":{"type":"string"},"maxItems":5,"minItems":0,"type":"array"}]},"Security_Detections_API_ThresholdRule":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"no
te":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Securit
y_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity","version","tags","enabled","risk_score_mapping","severity_mapping","interval","from","to","actions","exceptions_list","author","false_positives","references","max_signals","threat","setup","related_integrations","required_fields"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleResponseFields"}]},"Security_Detections_API_ThresholdRuleCreateFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleDefaultableFields"}]},"Security_Detections_API_ThresholdRuleCreateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"},"related_integrations":{"$ref":"#\/components\/schemas\/Security_Det
ections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_Rule
IntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleCreateFields"}]},"Security_Detections_API_ThresholdRuleDefaultableFields":{"type":"object","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"}}},"Security_Detections_API_ThresholdRuleOptionalFields":{"type":"object","properties":{"alert_suppression":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdAlertSuppression"},"data_view_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_DataViewId"},"filters":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFilterArray"},"index":{"$ref":"#\/components\/schemas\/Security_Detections_API_IndexPatternArray"},"saved_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedQueryId"}}},"Security_Detections_API_ThresholdRulePatchFields":{"allOf":[{"type":"object","properties":{"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"},"threshold":{"$ref":"#\/components\/schemas\/Security_Detections_API_Threshold"},"type":{"description":"Rule type","enum":["threshold"],"type":"string"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleOptionalFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleDefaultableFields"}]},"Security_Detections_API_ThresholdRulePatchProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}}},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRulePatchFields"}]},"Security_Detections_API_ThresholdRuleRequiredFields":{"type":"object","properties":{"query":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleQuery"},"threshold":{"$ref":"#\/components\/schemas\/Security_Detections_API_Threshold"},"type":{"description":"Rule type","enum":["threshold"],"type":"string"}},"required":["type","query","threshold"]},"Security_Detections_API_ThresholdRuleResponseFields":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleRequiredFields"},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleOptionalFields"},{"type":"object","properties":{"language":{"$ref":"#\/components\/schemas\/Security_Detections_API_KqlQueryLanguage"}},"required":["language"]}]},"Security_Detections_API_ThresholdRuleUpdateProps":{"allOf":[{"type":"object","properties":{"actions":{"description":"Array defining the automated actions (notifications) taken when alerts are 
generated.","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAction"},"type":"array"},"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveAliasTargetId"},"author":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleAuthorArray"},"building_block_type":{"$ref":"#\/components\/schemas\/Security_Detections_API_BuildingBlockType"},"description":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_IsRuleEnabled"},"exceptions_list":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleExceptionList"},"type":"array"},"false_positives":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleFalsePositiveArray"},"from":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalFrom"},"id":{"$ref":"#\/components\/schemas\/Security_Detections_API_UUID"},"interval":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleInterval"},"investigation_fields":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationFields"},"license":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleLicense"},"max_signals":{"$ref":"#\/components\/schemas\/Security_Detections_API_MaxSignals"},"meta":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleName"},"namespace":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndexNamespace"},"note":{"$ref":"#\/components\/schemas\/Security_Detections_API_InvestigationGuide"},"outcome":{"$ref":"#\/components\/schemas\/Security_Detections_API_SavedObjectResolveOutcome"},"output_index":{"$ref":"#\/components\/schemas\/Security_Detections_API_AlertsIndex"},"references":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleReferenceArray"}
,"related_integrations":{"$ref":"#\/components\/schemas\/Security_Detections_API_RelatedIntegrationArray"},"required_fields":{"description":"Elasticsearch fields and their types that need to be present for the rule to function.\n> info\n> The value of `required_fields` does not affect the rule\u2019s behavior, and specifying it incorrectly won\u2019t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.\n","items":{"$ref":"#\/components\/schemas\/Security_Detections_API_RequiredFieldInput"},"type":"array"},"response_actions":{"items":{"$ref":"#\/components\/schemas\/Security_Detections_API_ResponseAction"},"type":"array"},"risk_score":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScore"},"risk_score_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_RiskScoreMapping"},"rule_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleSignatureId"},"rule_name_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleNameOverride"},"setup":{"$ref":"#\/components\/schemas\/Security_Detections_API_SetupGuide"},"severity":{"$ref":"#\/components\/schemas\/Security_Detections_API_Severity"},"severity_mapping":{"$ref":"#\/components\/schemas\/Security_Detections_API_SeverityMapping"},"tags":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleTagArray"},"threat":{"$ref":"#\/components\/schemas\/Security_Detections_API_ThreatArray"},"throttle":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleActionThrottle"},"timeline_id":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateId"},"timeline_title":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimelineTemplateTitle"},"timestamp_override":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverride"},"timestamp_override_fallback_disabled":{"$ref":"#\/components\/schemas\/Security_Detections_API_TimestampOverrideFallbackDisabled
"},"to":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleIntervalTo"},"version":{"$ref":"#\/components\/schemas\/Security_Detections_API_RuleVersion"}},"required":["name","description","risk_score","severity"]},{"$ref":"#\/components\/schemas\/Security_Detections_API_ThresholdRuleCreateFields"}]},"Security_Detections_API_ThresholdValue":{"description":"The threshold value from which an alert is generated.","minimum":1,"type":"integer"},"Security_Detections_API_ThrottleForBulkActions":{"description":"Defines the maximum interval in which a rule\u2019s actions are executed.\n> info\n> The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months.\n> In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule\u2019s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field.\n","enum":["rule","1h","1d","7d"],"type":"string"},"Security_Detections_API_TiebreakerField":{"description":"Sets a secondary field for sorting events","type":"string"},"Security_Detections_API_TimelineTemplateId":{"description":"Timeline template ID","type":"string"},"Security_Detections_API_TimelineTemplateTitle":{"description":"Timeline template title","type":"string"},"Security_Detections_API_TimestampField":{"description":"Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.","type":"string"},"Security_Detections_API_TimestampOverride":{"description":"Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. 
The source field must be an Elasticsearch date data type.","type":"string"},"Security_Detections_API_TimestampOverrideFallbackDisabled":{"description":"Disables the fallback to the event's @timestamp field","type":"boolean"},"Security_Detections_API_UUID":{"description":"A universally unique identifier","format":"uuid","type":"string"},"Security_Detections_API_WarningSchema":{"type":"object","properties":{"actionPath":{"type":"string"},"buttonLabel":{"type":"string"},"message":{"type":"string"},"type":{"type":"string"}},"required":["type","message","actionPath"]},"Security_Endpoint_Exceptions_API_EndpointList":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionList"},{"additionalProperties":false,"type":"object"}]},"Security_Endpoint_Exceptions_API_EndpointListItem":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItem"},"Security_Endpoint_Exceptions_API_ExceptionList":{"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. 
Use it to ensure updates are done against the latest version.","type":"string"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListDescription"},"id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListId"},"immutable":{"type":"boolean"},"list_id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListName"},"namespace_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionNamespaceType"},"os_types":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray"},"tags":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListTags"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","type":"string"},"type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListType"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated object.","type":"string"},"version":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListVersion"}},"required":["id","list_id","type","name","description","immutable","namespace_type","version","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Endpoint_Exceptions_API_ExceptionListDescription":{"description":"Describes the exception list.","example":"This list tracks allowlisted 
values.","type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListHumanId":{"description":"The exception list's human-readable string identifier.\n\nFor endpoint artifacts, use one of the following values:\n\n* `endpoint_list`: [Elastic Endpoint exception list](https:\/\/www.elastic.co\/docs\/solutions\/security\/detect-and-alert\/add-manage-exceptions)\n* `endpoint_trusted_apps`: [Trusted applications list](https:\/\/www.elastic.co\/docs\/solutions\/security\/manage-elastic-defend\/trusted-applications)\n* `endpoint_trusted_devices`: [Trusted devices list](https:\/\/www.elastic.co\/docs\/solutions\/security\/manage-elastic-defend\/trusted-devices)\n* `endpoint_event_filters`: [Event filters list](https:\/\/www.elastic.co\/docs\/solutions\/security\/manage-elastic-defend\/event-filters)\n* `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https:\/\/www.elastic.co\/docs\/solutions\/security\/manage-elastic-defend\/host-isolation-exceptions)\n* `endpoint_blocklists`: [Blocklists list](https:\/\/www.elastic.co\/docs\/solutions\/security\/manage-elastic-defend\/blocklist)\n","example":"simple_list","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListId":{"description":"Exception list's identifier.","example":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItem":{"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. 
Use it to ensure updates are done against the latest version.","type":"string"},"comments":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray"},"expire_time":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime"},"id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemId"},"item_id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId"},"list_id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemName"},"namespace_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionNamespaceType"},"os_types":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray"},"tags":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemTags"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","type":"string"},"type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemType"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated 
object.","type":"string"}},"required":["id","item_id","list_id","type","name","description","entries","namespace_type","comments","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Endpoint_Exceptions_API_ExceptionListItemComment":{"type":"object","properties":{"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"}},"required":["id","comment","created_at","created_by"]},"Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray":{"description":"Array of comment fields:\n\n- comment (string): Comments about the exception item.\n","items":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemComment"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListItemDescription":{"description":"Describes the exception 
list.","type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemEntry":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard"}],"discriminator":{"propertyName":"type"}},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray":{"items":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntry"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists":{"type":"object","properties":{"field":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["exists"],"type":"string"}},"required":["type","field","operator"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryList":{"type":"object","properties":{"field":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"list":{"type":"object","properties":{"id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ListId"},"type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ListType"}},"required":["id","type"]},"operator":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["list"],"type":"string"}},"required":["type","field","list","operator"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch":{"type":"object","properties":{"field":{"$re
f":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["match"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"}},"required":["type","field","value","operator"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny":{"type":"object","properties":{"field":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["match_any"],"type":"string"},"value":{"items":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"minItems":1,"type":"array"}},"required":["type","field","value","operator"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard":{"type":"object","properties":{"field":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["wildcard"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"}},"required":["type","field","value","operator"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested":{"type":"object","properties":{"entries":{"items":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem"},"minItems":1,"type":"array"},"field":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"type":{"enum":["nested"],"type":"string"}},"required":["type","field","entries"]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch"},{"$ref":"#\/compon
ents\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists"}]},"Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator":{"enum":["excluded","included"],"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime":{"description":"The exception item\u2019s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.","format":"date-time","type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemHumanId":{"description":"Human readable string identifier, e.g. `trusted-linux-processes`","example":"simple_list_item","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemId":{"description":"Exception's identifier.","example":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemMeta":{"additionalProperties":true,"type":"object"},"Security_Endpoint_Exceptions_API_ExceptionListItemName":{"description":"Exception list name.","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray":{"items":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListOsType"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListItemTags":{"items":{"description":"String array containing words and phrases to help categorize exception items.","format":"nonempty","minLength":1,"type":"string"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListItemType":{"enum":["simple"],"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListMeta":{"additionalProperties":true,"description":"Placeholder for metadata about the list container.","type":"object"},"Security_Endpoint_Exceptions_API_ExceptionListName":{"description":"The name of the exception 
list.","example":"My exception list","type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListOsType":{"description":"Use this field to specify the operating system.","enum":["linux","macos","windows"],"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray":{"description":"Use this field to specify the operating system. Only enter one value.","items":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_ExceptionListOsType"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListTags":{"description":"String array containing words and phrases to help categorize exception containers.","items":{"type":"string"},"type":"array"},"Security_Endpoint_Exceptions_API_ExceptionListType":{"description":"The type of exception list to be created. Different list types may denote where they can be utilized.","enum":["detection","rule_default","endpoint","endpoint_trusted_apps","endpoint_trusted_devices","endpoint_events","endpoint_host_isolation_exceptions","endpoint_blocklists"],"type":"string"},"Security_Endpoint_Exceptions_API_ExceptionListVersion":{"description":"The document version, automatically increased on updates.","minimum":1,"type":"integer"},"Security_Endpoint_Exceptions_API_ExceptionNamespaceType":{"description":"Determines whether the exception container is available in all Kibana spaces or just the space\nin which it is created, where:\n\n- `single`: Only available in the Kibana space in which it is created.\n- `agnostic`: Available in all Kibana spaces.\n\nFor endpoint artifacts, the `namespace_type` must always be `agnostic`. 
Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.\n","enum":["agnostic","single"],"type":"string"},"Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter":{"$ref":"#\/components\/schemas\/Security_Endpoint_Exceptions_API_NonEmptyString"},"Security_Endpoint_Exceptions_API_ListId":{"description":"Value list's identifier.","example":"21b01cfb-058d-44b9-838c-282be16c91cd","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_ListType":{"description":"Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:\n\n- `keyword`: Many ECS fields are Elasticsearch keywords\n- `ip`: IP addresses\n- `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)\n","enum":["binary","boolean","byte","date","date_nanos","date_range","double","double_range","float","float_range","geo_point","geo_shape","half_float","integer","integer_range","ip","ip_range","keyword","long","long_range","shape","short","text"],"type":"string"},"Security_Endpoint_Exceptions_API_NonEmptyString":{"description":"A string that does not contain only whitespace 
characters","format":"nonempty","minLength":1,"type":"string"},"Security_Endpoint_Exceptions_API_PlatformErrorResponse":{"type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"integer"}},"required":["statusCode","error","message"]},"Security_Endpoint_Exceptions_API_SiemErrorResponse":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["status_code","message"]},"Security_Endpoint_Management_API_ActionDetailsResponse":{"discriminator":{"mapping":{"cancel":"#\/components\/schemas\/Security_Endpoint_Management_API_Cancel","execute":"#\/components\/schemas\/Security_Endpoint_Management_API_Execute","get-file":"#\/components\/schemas\/Security_Endpoint_Management_API_GetFile","isolate":"#\/components\/schemas\/Security_Endpoint_Management_API_Isolate","kill-process":"#\/components\/schemas\/Security_Endpoint_Management_API_KillProcess","memory-dump":"#\/components\/schemas\/Security_Endpoint_Management_API_MemoryDump","running-processes":"#\/components\/schemas\/Security_Endpoint_Management_API_RunningProcesses","runscript":"#\/components\/schemas\/Security_Endpoint_Management_API_Runscript","scan":"#\/components\/schemas\/Security_Endpoint_Management_API_Scan","suspend-process":"#\/components\/schemas\/Security_Endpoint_Management_API_SuspendProcess","unisolate":"#\/components\/schemas\/Security_Endpoint_Management_API_Unisolate","upload":"#\/components\/schemas\/Security_Endpoint_Management_API_Upload"},"propertyName":"command"},"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_KillProcess"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_GetFile"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Execute"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Runscript"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Upload"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Ma
nagement_API_Scan"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Cancel"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Isolate"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Unisolate"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_SuspendProcess"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_RunningProcesses"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_MemoryDump"}]},"Security_Endpoint_Management_API_ActionStateSuccessResponse":{"type":"object","properties":{"body":{"type":"object","properties":{"data":{"type":"object","properties":{"canEncrypt":{"description":"Whether the Kibana instance has encryption enabled for response actions.","type":"boolean"}}}},"required":["data"]}},"required":["body"]},"Security_Endpoint_Management_API_ActionStatusSuccessResponse":{"type":"object","properties":{"body":{"type":"object","properties":{"data":{"type":"object","properties":{"agent_id":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentId"},"pending_actions":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PendingActionsSchema"}},"required":["agent_id","pending_actions"]}},"required":["data"]}},"required":["body"]},"Security_Endpoint_Management_API_AgentId":{"description":"Agent ID","type":"string"},"Security_Endpoint_Management_API_AgentIds":{"description":"A list of agent IDs. Max of 250.","example":["agent-id-1","agent-id-2"],"minLength":1,"oneOf":[{"items":{"minLength":1,"type":"string"},"maxItems":250,"minItems":1,"type":"array"},{"minLength":1,"type":"string"}]},"Security_Endpoint_Management_API_AgentTypes":{"description":"List of agent types to retrieve. 
Defaults to `endpoint`.","enum":["endpoint","sentinel_one","crowdstrike","microsoft_defender_endpoint"],"example":"endpoint","type":"string"},"Security_Endpoint_Management_API_Cancel":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"type":"object","properties":{"code":{"type":"string"}}}}},"type":"object"},"parameters":{"type":"object","properties":{"id":{"format":"uuid","type":"string"}}}}}]},"Security_Endpoint_Management_API_CancelRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. 
Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"type":"object","properties":{"id":{"description":"ID of the response action to cancel","example":"7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d","minLength":1,"type":"string"}},"required":["id"]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_CloudFileScriptParameters":{"type":"object","properties":{"cloudFile":{"description":"Script name in cloud storage.","minLength":1,"type":"string"},"commandLine":{"description":"Command line arguments.","minLength":1,"type":"string"},"timeout":{"description":"Timeout in seconds.","minimum":1,"type":"integer"}},"required":["cloudFile"]},"Security_Endpoint_Management_API_Command":{"description":"The command for the response action","enum":["isolate","unisolate","kill-process","suspend-process","running-processes","get-file","execute","upload","scan","runscript","cancel","memory-dump"],"minLength":1,"type":"string"},"Security_Endpoint_Management_API_Commands":{"description":"A list of response action command names.","example":["isolate","unisolate"],"items":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Command"},"maxItems":50,"type":"array"},"Security_Endpoint_Management_API_Comment":{"description":"Optional comment","example":"This is a comment","type":"string"},"Security_Endpoint_Management_API_DownloadUri":{"type":"object","properties":{"downloadUri":{"description":"The server relative URI to download the file associated with the output of the response action.\nURI does **not** include the space 
prefix\n","example":"\/api\/endpoint\/action\/497f6eca-6276\/file\/35645-6276-4993\/download","format":"uri-reference","type":"string"}}},"Security_Endpoint_Management_API_EndDate":{"description":"An end date in ISO format or Date Math format.","example":"2023-10-31T23:59:59.999Z","type":"string"},"Security_Endpoint_Management_API_EndpointIds":{"description":"List of endpoint IDs (cannot contain empty strings). Max of 250.","example":["endpoint-id-1","endpoint-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":250,"minItems":1,"type":"array"},"Security_Endpoint_Management_API_EndpointMetadataResponse":{"example":{"host_status":"healthy","last_checkin":"2023-07-04T15:48:57.360Z","metadata":{"@timestamp":"2023-07-04T15:48:57.3609346Z","agent":{"build":{"original":"version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab"},"id":"abb8a826-6812-448c-a571-6d8269b51449","type":"endpoint","version":"7.16.0"},"data_stream":{"dataset":"endpoint.metadata","namespace":"default","type":"metrics"},"ecs":{"version":"1.11.0"},"elastic":{"agent":{"id":"abb8a826-6812-448c-a571-6d8269b51449"}},"Endpoint":{"capabilities":["isolation"],"configuration":{"isolation":false},"policy":{"applied":{"endpoint_policy_version":"2","id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","name":"test","status":"success","version":"3"}},"state":{"isolation":false},"status":"enrolled"},"event":{"action":"endpoint_metadata","agent_id_status":"verified","category":["host"],"created":"2023-07-04T15:48:57.3609346Z","dataset":"endpoint.metadata","id":"MNtRc++KoKHXXwlj+++++OhZ","ingested":"2023-07-04T15:48:58Z","kind":"metric","module":"endpoint","sequence":43757,"type":["info"]},"host":{"architecture":"x86_64","hostname":"WinDev2104Eval","id":"17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5","ip":["10.0.2.15","fe80::21a6:63d3:d70e:e3ad","127.0.0.1","::1"],"mac":["08:00:27:b1:1d:5a"],"name":"WinDev2104Eval","os":{"Ext":{"variant":"Windows 10 Enterprise 
Evaluation"},"family":"windows","full":"Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906)","kernel":"20H2 (10.0.19042.906)","name":"Windows","platform":"windows","type":"windows","version":"20H2 (10.0.19042.906)"}},"message":"Endpoint metadata","policy_info":{"agent":{"applied":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":3},"configured":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":3}},"endpoint":{"id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","revision":2}}}},"type":"object","properties":{}},"Security_Endpoint_Management_API_Execute":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_DownloadUri"},{"type":"object","properties":{"code":{"type":"string"},"cwd":{"type":"string"},"output_file_id":{"type":"string"},"output_file_stderr_truncated":{"type":"boolean"},"output_file_stdout_truncated":{"type":"boolean"},"shell_code":{"type":"number"},"stderr":{"type":"string"},"stderr_truncated":{"type":"boolean"},"stdout":{"type":"string"},"stdout_truncated":{"type":"boolean"}}}]}}},"type":"object"},"parameters":{"type":"object","properties":{"command":{"type":"string"},"timeout":{"type":"number"}}}}}]},"Security_Endpoint_Management_API_ExecuteRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. 
Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"type":"object","properties":{"command":{"description":"The shell command to execute on the endpoint.","minLength":1,"type":"string"},"timeout":{"description":"The maximum timeout value in seconds before the command is terminated.","minimum":1,"type":"integer"}},"required":["command"]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_GetEndpointActionListResponse":{"example":{"data":[{"agents":["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],"agentType":"endpoint","command":"running-processes","completedAt":"2022-08-08T09:50:47.672Z","createdBy":"elastic","id":"b3d6de74-36b0-4fa8-be46-c375bf1771bf","isCompleted":true,"isExpired":false,"startedAt":"2022-08-08T15:24:57.402Z","wasSuccessful":true},{"agents":["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],"agentType":"endpoint","command":"isolate","completedAt":"2022-08-08T10:41:57.352Z","createdBy":"elastic","id":"43b4098b-8752-4fbb-a7a7-6df7c74d0ee3","isCompleted":true,"isExpired":false,"startedAt":"2022-08-08T15:23:37.359Z","wasSuccessful":true},{"agents":["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],"agentType":"endpoint","command":"kill-process","comment":"bad process - taking up too much cpu","completedAt":"2022-08-08T09:44:50.952Z","createdBy":"elastic","id":"5bc92c86-b8e6-42dd-837f-12ad29e09caa","isCompleted":true,"isExpired":false,"startedAt":"2022-08-08T14:38:44.125Z","wasSuccessful":true},{"agents":["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],"agentType":"endpoint","command":"unisolate","comment":"Not a threat to the 
network","completedAt":"2022-08-08T09:40:47.398Z","createdBy":"elastic","id":"790d54e0-3aa3-4e5b-8255-3ce9d851246a","isCompleted":true,"isExpired":false,"startedAt":"2022-08-08T14:38:15.391Z","wasSuccessful":true}],"elasticAgentIds":["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],"endDate":"now","page":1,"pageSize":10,"startDate":"now-24h\/h","total":4},"type":"object","properties":{"agentTypes":{"description":"The list of agent types the query was filtered by.","items":{"type":"string"},"type":"array"},"commands":{"description":"The list of commands the query was filtered by.","items":{"type":"string"},"type":"array"},"data":{"description":"The list of response actions.","items":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},"type":"array"},"elasticAgentIds":{"description":"The list of elastic agent IDs the query was filtered by.","items":{"type":"string"},"type":"array"},"endDate":{"description":"The end date filter applied to the query.","type":"string"},"page":{"description":"The current page number.","type":"integer"},"pageSize":{"description":"The number of items per page.","type":"integer"},"startDate":{"description":"The start date filter applied to the query.","type":"string"},"statuses":{"description":"The list of statuses the query was filtered by.","items":{"type":"string"},"type":"array"},"total":{"description":"The total number of response actions matching the query.","type":"integer"},"userIds":{"description":"The list of user IDs the query was filtered 
by.","items":{"type":"string"},"type":"array"}}},"Security_Endpoint_Management_API_GetFile":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_DownloadUri"},{"type":"object","properties":{"code":{"type":"string"},"contents":{"items":{"type":"object","properties":{"file_name":{"type":"string"},"path":{"type":"string"},"sha256":{"type":"string"},"size":{"type":"number"},"type":{"type":"string"}}},"type":"array"},"zip_size":{"type":"number"}}}]}}},"type":"object"},"parameters":{"type":"object","properties":{"path":{"type":"string"}}}}}]},"Security_Endpoint_Management_API_GetFileRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. 
Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"type":"object","properties":{"path":{"description":"The full file path to retrieve from the endpoint.","type":"string"}},"required":["path"]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_GetProcessesRouteRequestBody":{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. 
Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},"Security_Endpoint_Management_API_HostPathScriptParameters":{"type":"object","properties":{"commandLine":{"description":"Command line arguments.","minLength":1,"type":"string"},"hostPath":{"description":"Absolute or relative path of script on host machine.","minLength":1,"type":"string"},"timeout":{"description":"Timeout in seconds.","minimum":1,"type":"integer"}},"required":["hostPath"]},"Security_Endpoint_Management_API_HostStatuses":{"description":"A set of agent health statuses to filter by.","example":["healthy","updating"],"items":{"enum":["healthy","offline","updating","inactive","unenrolled"],"type":"string"},"maxItems":20,"type":"array"},"Security_Endpoint_Management_API_Isolate":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"description":"Details of an isolate action response.","type":"object"}]},"Security_Endpoint_Management_API_IsolateRouteResponse":{"type":"object","properties":{"action":{"description":"The action ID (legacy field, same as 
`data.id`).","type":"string"},"data":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"}}},"Security_Endpoint_Management_API_KillProcess":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"oneOf":[{"type":"object","properties":{"code":{"type":"string"},"command":{"type":"string"},"pid":{"type":"number"}}},{"type":"object","properties":{"code":{"type":"string"},"command":{"type":"string"},"entity_id":{"type":"string"}}},{"type":"object","properties":{"code":{"type":"string"},"command":{"type":"string"},"process_name":{"type":"string"}}}]}}},"type":"object"},"parameters":{"oneOf":[{"type":"object","properties":{"pid":{"description":"The process ID (PID) of the process to terminate.","minimum":1,"type":"number"}}},{"type":"object","properties":{"entity_id":{"description":"The entity ID of the process to terminate.","minLength":1,"type":"string"}}},{"type":"object","properties":{"process_name":{"description":"The name of the process to terminate. Valid for SentinelOne agent type only.","type":"string"}}}]}}}]},"Security_Endpoint_Management_API_KillProcessRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. 
Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"oneOf":[{"type":"object","properties":{"pid":{"description":"The process ID (PID) of the process to terminate.","example":123,"minimum":1,"type":"integer"}}},{"type":"object","properties":{"entity_id":{"description":"The entity ID of the process to terminate.","example":"abc123","minLength":1,"type":"string"}}},{"type":"object","properties":{"process_name":{"description":"The name of the process to terminate. Valid for SentinelOne agent type only.","example":"Elastic","minLength":1,"type":"string"}}}]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_Kuery":{"description":"A KQL string.","example":"united.endpoint.host.os.name : 'Windows'","type":"string"},"Security_Endpoint_Management_API_MDERunScriptParameters":{"description":"Parameters for Run Script response action against Microsoft Defender Endpoint agent type.","example":{"agent_type":"microsoft_defender_endpoint","endpoint_ids":["endpoint-id-1"],"parameters":{"args":"-param1 value1 -param2 value2","scriptName":"my-script.ps1"}},"properties":{"args":{"description":"Optional command line arguments for the script.","minLength":1,"type":"string"},"scriptName":{"description":"The name of the script to execute from the cloud storage.","minLength":1,"type":"string"}},"required":["scriptName"],"title":"Microsoft Defender Endpoint Run Script 
Parameters","type":"object"},"Security_Endpoint_Management_API_MemoryDump":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"properties":{"code":{"type":"string"},"disk_free_space":{"description":"The free space on the host machine in bytes after the memory dump is written to disk","type":"number"},"file_size":{"description":"The size of the memory dump compressed file in bytes","type":"string"},"path":{"description":"The path to the memory dump compressed file on the host machine","type":"string"}},"title":"Memory dump output","type":"object"}}},"type":"object"},"parameters":{"oneOf":[{"properties":{"type":{"description":"Kernel-level memory dump","enum":["kernel"],"type":"string"}},"required":["type"],"title":"Kernel memory dump","type":"object"},{"properties":{"pid":{"description":"The process ID (PID)","type":"number"},"type":{"description":"Process-level memory dump using a process ID","enum":["process"],"type":"string"}},"required":["type","pid"],"title":"Process memory dump with PID","type":"object"},{"properties":{"entity_id":{"description":"The process entity ID","type":"string"},"type":{"description":"Process-level memory dump using an entity ID","enum":["process"],"type":"string"}},"required":["type","entity_id"],"title":"Process memory dump with entity ID","type":"object"}]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_MemoryDumpRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. 
Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"oneOf":[{"description":"Dump the entire kernel memory.","type":"object","properties":{"type":{"enum":["kernel"],"type":"string"}},"required":["type"]},{"description":"Dump the entire memory of a process using the PID.","type":"object","properties":{"pid":{"type":"number"},"type":{"enum":["process"],"type":"string"}},"required":["type","pid"]},{"description":"Dump the entire memory of a process using the entity ID.","type":"object","properties":{"entity_id":{"type":"string"},"type":{"enum":["process"],"type":"string"}},"required":["type","entity_id"]}]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_MetadataListResponse":{"example":{"data":[{"host_status":"healthy","last_checkin":"2023-07-04T15:47:57.432Z","metadata":{"@timestamp":"2023-07-04T15:47:57.432173535Z","agent":{"build":{"original":"version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 
73a51033db85e0fb3be1c934697ef6a2b08979ab"},"id":"285297c6-3bff-4b83-9a07-f3e749801123","type":"endpoint","version":"7.16.0"},"data_stream":{"dataset":"endpoint.metadata","namespace":"default","type":"metrics"},"ecs":{"version":"1.11.0"},"elastic":{"agent":{"id":"285297c6-3bff-4b83-9a07-f3e749801123"}},"Endpoint":{"capabilities":["isolation"],"configuration":{"isolation":false},"policy":{"applied":{"endpoint_policy_version":"2","id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","name":"test","status":"success","version":"3"}},"state":{"isolation":false},"status":"enrolled"},"event":{"action":"endpoint_metadata","agent_id_status":"verified","category":["host"],"created":"2023-07-04T15:47:57.432173535Z","dataset":"endpoint.metadata","id":"MNtSXK\/SkhEBnmgt++++++7S","ingested":"2023-07-04T15:47:58Z","kind":"metric","module":"endpoint","sequence":400,"type":["info"]},"host":{"architecture":"x86_64","hostname":"david-Xubuntu","id":"0cfead88e2024bd8a27476352b5ab264","ip":["127.0.0.1","::1","10.0.2.15","fe80::2ac7:8e15:b957:2fa1"],"mac":["08:00:27:e6:78:8b"],"name":"david-Xubuntu","os":{"Ext":{"variant":"Ubuntu"},"family":"ubuntu","full":"Ubuntu 20.04.2","kernel":"5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021","name":"Linux","platform":"ubuntu","type":"linux","version":"20.04.2"}},"message":"Endpoint metadata"},"policy_info":{"agent":{"applied":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":0},"configured":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":3}},"endpoint":{"id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","revision":2}}},{"host_status":"healthy","last_checkin":"2023-07-04T15:44:31.491Z","metadata":{"@timestamp":"2023-07-04T15:44:31.4917849Z","agent":{"build":{"original":"version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 
73a51033db85e0fb3be1c934697ef6a2b08979ab"},"id":"abb8a826-6812-448c-a571-6d8269b51449","type":"endpoint","version":"7.16.0"},"data_stream":{"dataset":"endpoint.metadata","namespace":"default","type":"metrics"},"ecs":{"version":"1.11.0"},"elastic":{"agent":{"id":"abb8a826-6812-448c-a571-6d8269b51449"}},"Endpoint":{"capabilities":["isolation"],"configuration":{"isolation":false},"policy":{"applied":{"endpoint_policy_version":"2","id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","name":"test","status":"success","version":"3"}},"state":{"isolation":false},"status":"enrolled"},"event":{"action":"endpoint_metadata","agent_id_status":"verified","category":["host"],"created":"2023-07-04T15:44:31.4917849Z","dataset":"endpoint.metadata","id":"MNtRc++KoKHXXwlj+++++\/N9","ingested":"2023-07-04T15:44:33Z","kind":"metric","module":"endpoint","sequence":5159,"type":["info"]},"host":{"architecture":"x86_64","hostname":"WinDev2104Eval","id":"17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5","ip":["10.0.2.15","fe80::21a6:63d3:d70e:e3ad","127.0.0.1","::1"],"mac":["08:00:27:b1:1d:5a"],"name":"WinDev2104Eval","os":{"Ext":{"variant":"Windows 10 Enterprise Evaluation"},"family":"windows","full":"Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906)","kernel":"20H2 (10.0.19042.906)","name":"Windows","platform":"windows","type":"windows","version":"20H2 (10.0.19042.906)"}},"message":"Endpoint metadata"},"policy_info":{"agent":{"applied":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":0},"configured":{"id":"ed7e3720-4bad-11ec-a2a8-fb22e62a5753","revision":3}},"endpoint":{"id":"d5371dcd-93b7-4627-af88-4084f7d6aa3e","revision":2}}}],"page":0,"pageSize":10,"sortDirection":"desc","sortField":"enrolled_at","total":2},"type":"object","properties":{}},"Security_Endpoint_Management_API_Page":{"default":1,"description":"Page number","example":1,"minimum":1,"type":"integer"},"Security_Endpoint_Management_API_PageSize":{"default":10,"description":"Number of items per 
page","example":10,"maximum":100,"minimum":1,"type":"integer"},"Security_Endpoint_Management_API_Parameters":{"description":"Parameters object","type":"object"},"Security_Endpoint_Management_API_PendingActionDataType":{"description":"Number of pending actions of this type.","type":"integer"},"Security_Endpoint_Management_API_PendingActionsSchema":{"oneOf":[{"type":"object","properties":{"execute":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PendingActionDataType","description":"Number of pending execute actions."},"get-file":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PendingActionDataType","description":"Number of pending get-file actions."},"isolate":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PendingActionDataType","description":"Number of pending isolate actions."},"kill-process":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PendingActionDataType","description":"Number of pending kill-process actions."},"running-processes":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PendingActionDataType","description":"Number of pending running-processes (get processes) actions."},"scan":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PendingActionDataType","description":"Number of pending scan actions."},"suspend-process":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PendingActionDataType","description":"Number of pending suspend-process actions."},"unisolate":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PendingActionDataType","description":"Number of pending unisolate (release) actions."},"upload":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_PendingActionDataType","description":"Number of pending upload actions."}}},{"additionalProperties":true,"type":"object"}]},"Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse":{"type":"object","properties":{"note":{"description":"A note 
associated with the protection updates for the given package policy.","type":"string"}}},"Security_Endpoint_Management_API_RawScriptParameters":{"type":"object","properties":{"commandLine":{"description":"Command line arguments.","minLength":1,"type":"string"},"raw":{"description":"Raw script content.","minLength":1,"type":"string"},"timeout":{"description":"Timeout in seconds.","minimum":1,"type":"integer"}},"required":["raw"]},"Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse":{"example":{"data":{"agents":["ed518850-681a-4d60-bb98-e22640cae2a8"],"agentState":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"isCompleted":false,"wasSuccessful":false}},"agentType":"__agent__type__here_","command":"__command__name__here__","createdBy":"elastic","hosts":{"ed518850-681a-4d60-bb98-e22640cae2a8":{"name":"gke-node-1235412"}},"id":"233db9ea-6733-4849-9226-5a7039c7161d","isCompleted":false,"isExpired":false,"outputs":{},"parameters":{},"startedAt":"2022-07-29T19:08:49.126Z","status":"pending","wasSuccessful":false}},"type":"object","properties":{"data":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"}}},"Security_Endpoint_Management_API_ResponseActionDetails":{"type":"object","properties":{"agents":{"description":"The agent IDs for the hosts that the response action was sent to","items":{"format":"uuid","type":"string"},"type":"array"},"agentState":{"additionalProperties":{"format":"uuid","type":"object","properties":{"completedAt":{"description":"The date and time the response action was completed for the agent ID","type":"string"},"isCompleted":{"description":"Whether the response action is completed for the agent ID","type":"boolean"},"wasSuccessful":{"description":"Whether the response action was successful for the agent ID","type":"boolean"}}},"description":"The state of the response action for each agent ID that it was sent 
to","type":"object"},"agentType":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"command":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Command"},"completedAt":{"description":"The response action completion time","format":"date-time","type":"string"},"createdBy":{"description":"The user who created the response action","type":"string"},"hosts":{"additionalProperties":{"format":"uuid","type":"object","properties":{"name":{"description":"The host name","type":"string"}}},"description":"An object containing the host names associated with the agent IDs the response action was sent to","type":"object"},"id":{"description":"The response action ID","format":"uuid","type":"string"},"isComplete":{"description":"Whether the response action is complete","type":"boolean"},"isExpired":{"description":"Whether the response action is expired","type":"boolean"},"outputs":{"additionalProperties":{"description":"The agent ID","format":"uuid","properties":{"content":{"description":"The response action output content for the agent ID. Exact format depends on the response action command.","oneOf":[{"type":"object"},{"type":"string"}]},"type":{"enum":["json","text"],"type":"string"}},"required":["type","content"],"title":"Agent ID","type":"object"},"description":"The outputs of the response action for each agent ID that it was sent to. Content differs depending on the\nresponse action command and will only be present for agents that have responded to the response action\n","type":"object"},"parameters":{"description":"The parameters of the response action. 
Content differs depending on the response action command","type":"object"},"startedAt":{"description":"The response action start time","format":"date-time","type":"string"},"status":{"description":"The response action status","type":"string"},"wasSuccessful":{"description":"Whether the response action was successful","type":"boolean"}},"required":["command"]},"Security_Endpoint_Management_API_RunningProcesses":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne"}]}}},"type":"object"}}}]},"Security_Endpoint_Management_API_RunningProcessesOutputEndpoint":{"description":"Processes output for `agentType` of `endpoint`","type":"object","properties":{"code":{"type":"string"},"entries":{"items":{"type":"object","properties":{"command":{"type":"string"},"entity_id":{"type":"string"},"pid":{"type":"number"},"user":{"type":"string"}}},"type":"array"}}},"Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_DownloadUri"},{"description":"Processes output for `agentType` of 
`sentinel_one`","type":"object","properties":{"code":{"type":"string"}}}]},"Security_Endpoint_Management_API_Runscript":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_DownloadUri"},{"type":"object","properties":{"code":{"type":"string"},"stderr":{"type":"string"},"stdout":{"type":"string"}}}]}}},"type":"object"},"parameters":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_RunscriptParamsMicrosoft"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_RunscriptParamsSentinelOne"}]}}}]},"Security_Endpoint_Management_API_RunscriptParamsCrowdStrike":{"type":"object","properties":{"cloudFile":{"type":"string"},"commandLine":{"type":"string"},"hostPath":{"type":"string"},"raw":{"type":"string"},"timeout":{"type":"number"}}},"Security_Endpoint_Management_API_RunscriptParamsMicrosoft":{"type":"object","properties":{"args":{"type":"string"},"scriptName":{"type":"string"}}},"Security_Endpoint_Management_API_RunscriptParamsSentinelOne":{"type":"object","properties":{"scriptId":{"type":"string"},"scriptInput":{"type":"string"}}},"Security_Endpoint_Management_API_RunScriptRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. 
Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"description":"One of the following sets of parameters must be provided\n","oneOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_RawScriptParameters"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_HostPathScriptParameters"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_CloudFileScriptParameters"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_SentinelOneRunScriptParameters"},{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_MDERunScriptParameters"}]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_Scan":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"type":"object","properties":{"code":{"type":"string"}}}}},"type":"object"},"parameters":{"type":"object","properties":{"path":{"type":"string"}}}}}]},"Security_Endpoint_Management_API_ScanRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. 
Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"type":"object","properties":{"path":{"description":"The folder or file's full path (including the file name).","example":"\/usr\/my-file.txt","type":"string"}},"required":["path"]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_SentinelOneRunScriptParameters":{"description":"Parameters for Run Script response action against SentinelOne agent type.","example":{"agent_type":"sentinel_one","endpoint_ids":["endpoint-id-1"],"parameters":{"scriptId":"1111-2222-3333-4444-5555-6666-7777-8888","scriptInput":"--delete --paths-to-delete \/tmp\/temp_file.txt,\/tmp\/random_file.txt"}},"properties":{"scriptId":{"description":"The script ID from SentinelOne scripts library that will be executed.","minLength":1,"type":"string"},"scriptInput":{"description":"The input parameter arguments for the script that was selected.","minLength":1,"type":"string"}},"required":["scriptId"],"title":"SentinelOne Run Script Parameters","type":"object"},"Security_Endpoint_Management_API_SortDirection":{"description":"Determines the sort order.","enum":["asc","desc"],"example":"desc","type":"string"},"Security_Endpoint_Management_API_SortField":{"description":"Determines which field is used to sort the 
results.","enum":["enrolled_at","metadata.host.hostname","host_status","metadata.Endpoint.policy.applied.name","metadata.Endpoint.policy.applied.status","metadata.host.os.name","metadata.host.ip","metadata.agent.version","last_checkin"],"example":"enrolled_at","type":"string"},"Security_Endpoint_Management_API_StartDate":{"description":"A start date in ISO 8601 format or Date Math format.","example":"2023-10-31T00:00:00.000Z","type":"string"},"Security_Endpoint_Management_API_SuccessResponse":{"description":"A generic successful response.","type":"object"},"Security_Endpoint_Management_API_SuspendProcess":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"oneOf":[{"type":"object","properties":{"code":{"type":"string"},"command":{"type":"string"},"pid":{"type":"number"}}},{"type":"object","properties":{"code":{"type":"string"},"command":{"type":"string"},"entity_id":{"type":"string"}}}]}}},"type":"object"},"parameters":{"oneOf":[{"type":"object","properties":{"pid":{"description":"The process ID (PID) of the process to terminate.","minimum":1,"type":"number"}}},{"type":"object","properties":{"entity_id":{"description":"The entity ID of the process to terminate.","minLength":1,"type":"string"}}}]}}}]},"Security_Endpoint_Management_API_SuspendProcessRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. 
Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"parameters":{"oneOf":[{"type":"object","properties":{"pid":{"description":"The process ID (PID) of the process to suspend.","example":123,"minimum":1,"type":"integer"}}},{"type":"object","properties":{"entity_id":{"description":"The entity ID of the process to suspend.","example":"abc123","minLength":1,"type":"string"}}}]}},"required":["parameters"]}]},"Security_Endpoint_Management_API_Type":{"description":"Type of response action","enum":["automated","manual"],"type":"string"},"Security_Endpoint_Management_API_Types":{"description":"List of types of response actions","example":["automated","manual"],"items":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Type"},"maxLength":2,"minLength":1,"type":"array"},"Security_Endpoint_Management_API_Unisolate":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"description":"Details of an unisolate action response.","type":"object"}]},"Security_Endpoint_Management_API_UnisolateRouteResponse":{"type":"object","properties":{"action":{"description":"The action ID (legacy field, same as 
`data.id`).","type":"string"},"data":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"}}},"Security_Endpoint_Management_API_Upload":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_ResponseActionDetails"},{"type":"object","properties":{"outputs":{"additionalProperties":{"type":"object","properties":{"content":{"type":"object","properties":{"code":{"type":"string"},"disk_free_space":{"type":"number"},"path":{"type":"string"}}}}},"type":"object"},"parameters":{"description":"The parameters for upload returned on the details are derived via the API from the file that\nwas uploaded at the time that the response action was submitted\n","type":"object","properties":{"file_id":{"type":"string"},"file_name":{"type":"string"},"file_sha256":{"type":"string"},"file_size":{"type":"number"}}}}}]},"Security_Endpoint_Management_API_UploadRouteRequestBody":{"allOf":[{"type":"object","properties":{"agent_type":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_AgentTypes"},"alert_ids":{"description":"If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.","example":["alert-id-1","alert-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"case_ids":{"description":"The IDs of cases where the action taken will be logged. 
Max of 50.","example":["case-id-1","case-id-2"],"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},"comment":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Comment"},"endpoint_ids":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_EndpointIds"},"parameters":{"$ref":"#\/components\/schemas\/Security_Endpoint_Management_API_Parameters"}},"required":["endpoint_ids"]},{"type":"object","properties":{"file":{"description":"The binary content of the file.","example":"RWxhc3RpYw==","format":"binary","type":"string"},"parameters":{"type":"object","properties":{"overwrite":{"default":false,"description":"Overwrite the file on the host if it already exists.","example":false,"type":"boolean"}}}},"required":["parameters","file"]}]},"Security_Endpoint_Management_API_UserIds":{"description":"A list of user IDs. Max of 50.","example":["user-id-1","user-id-2"],"oneOf":[{"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},{"minLength":1,"type":"string"}]},"Security_Endpoint_Management_API_WithOutputs":{"description":"A list of action IDs that should include the complete output of the action. 
Max of 50.","example":["action-id-1","action-id-2"],"oneOf":[{"items":{"minLength":1,"type":"string"},"maxItems":50,"minItems":1,"type":"array"},{"minLength":1,"type":"string"}]},"Security_Entity_Analytics_API_Asset":{"additionalProperties":false,"description":"Asset metadata associated with the entity.","type":"object","properties":{"business_unit":{"description":"Business unit the asset belongs to.","type":"string"},"criticality":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityLevel","description":"The criticality level assigned to this asset.","nullable":true},"environment":{"description":"Deployment environment (for example, production, staging).","type":"string"},"id":{"description":"Unique identifier for the asset.","type":"string"},"model":{"description":"Model name or number.","type":"string"},"name":{"description":"Human-readable asset name.","type":"string"},"owner":{"description":"The owner of the asset.","type":"string"},"serial_number":{"description":"Serial number of the asset.","type":"string"},"vendor":{"description":"Vendor or manufacturer.","type":"string"}}},"Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem":{"type":"object","properties":{"index":{"type":"integer"},"message":{"type":"string"}},"required":["message","index"]},"Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats":{"type":"object","properties":{"failed":{"type":"integer"},"successful":{"type":"integer"},"total":{"type":"integer"}},"required":["successful","failed","total"]},"Security_Entity_Analytics_API_AssetCriticalityLevel":{"description":"The criticality level of the asset.","enum":["low_impact","medium_impact","high_impact","extreme_impact"],"type":"string"},"Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload":{"description":"The criticality level of the asset for bulk upload. 
The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload.","enum":["low_impact","medium_impact","high_impact","extreme_impact","unassigned"],"type":"string"},"Security_Entity_Analytics_API_AssetCriticalityRecord":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_CreateAssetCriticalityRecord"},{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts"},{"type":"object","properties":{"@timestamp":{"description":"The time the record was created or updated.","example":"2017-07-21T17:32:28Z","format":"date-time","type":"string"}},"required":["@timestamp"]}],"example":{"@timestamp":"2024-08-02T11:15:34.290Z","asset":{"criticality":"high_impact"},"criticality_level":"high_impact","host":{"asset":{"criticality":"high_impact"},"name":"my_host"},"id_field":"host.name","id_value":"my_host"}},"Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts":{"type":"object","properties":{"asset":{"type":"object","properties":{"criticality":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["asset"]},"entity":{"type":"object","properties":{"asset":{"type":"object","properties":{"criticality":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["criticality"]},"id":{"type":"string"}},"required":["id"]},"host":{"type":"object","properties":{"asset":{"type":"object","properties":{"criticality":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["criticality"]},"name":{"type":"string"}},"required":["name"]},"service":{"type":"object","properties":{"asset":{"type":"object","properties":{"criticality":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["criticality"]},"name":{"type":"string"}},"required":["name"]},"user":{"type":"object","properties":{"asset":{"type":"object","pro
perties":{"criticality":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["criticality"]},"name":{"type":"string"}},"required":["name"]}},"required":["asset"]},"Security_Entity_Analytics_API_AssetCriticalityRecordIdParts":{"type":"object","properties":{"id_field":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_IdField","description":"The field representing the ID.","example":"host.name"},"id_value":{"description":"The ID value of the asset.","type":"string"}},"required":["id_value","id_field"]},"Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse":{"type":"object","properties":{"cleanup_successful":{"example":false,"type":"boolean"},"errors":{"items":{"type":"object","properties":{"error":{"type":"string"},"seq":{"type":"integer"}},"required":["seq","error"]},"type":"array"}},"required":["cleanup_successful","errors"]},"Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse":{"type":"object","properties":{"errors":{"items":{"type":"object","properties":{"error":{"type":"string"},"seq":{"type":"integer"}},"required":["seq","error"]},"type":"array"},"risk_engine_saved_object_configured":{"example":false,"type":"boolean"}},"required":["risk_engine_saved_object_configured","errors"]},"Security_Entity_Analytics_API_CreateAssetCriticalityRecord":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts"},{"type":"object","properties":{"criticality_level":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityLevel"}},"required":["criticality_level"]}]},"Security_Entity_Analytics_API_DateRange":{"description":"Defines the lookback period for filtering source data by timestamp.","type":"object","properties":{"end":{"description":"End of the lookback period (date math or ISO string, e.g. \"now\")","type":"string"},"start":{"description":"Start of the lookback period (date math or ISO string, e.g. 
\"now-10d\")","type":"string"}},"required":["start","end"]},"Security_Entity_Analytics_API_EngineComponentResource":{"description":"The type of Elasticsearch or Kibana resource backing an engine component.","enum":["entity_engine","entity_definition","index","data_stream","component_template","index_template","ingest_pipeline","enrich_policy","task","transform","ilm_policy"],"type":"string"},"Security_Entity_Analytics_API_EngineComponentStatus":{"description":"Status of an individual Elasticsearch or Kibana resource backing an engine.","type":"object","properties":{"errors":{"description":"Errors reported by this component, if any.","items":{"type":"object","properties":{"message":{"description":"Detailed error message.","type":"string"},"title":{"description":"Short error title.","type":"string"}}},"type":"array"},"health":{"description":"The health status of the component.","enum":["green","yellow","red","unavailable","unknown"],"type":"string"},"id":{"description":"Unique identifier for the component.","type":"string"},"installed":{"description":"Whether the component is currently installed.","type":"boolean"},"metadata":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_TransformStatsMetadata"},"resource":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineComponentResource"}},"required":["id","installed","resource"]},"Security_Entity_Analytics_API_EngineDataviewUpdateResult":{"description":"The result of applying data view index changes to a single engine.","type":"object","properties":{"changes":{"description":"The changes applied to the engine.","type":"object","properties":{"indexPatterns":{"description":"The updated list of index patterns now used by the engine.","items":{"type":"string"},"type":"array"}}},"type":{"description":"The entity type of the engine that was updated.","type":"string"}},"required":["type"]},"Security_Entity_Analytics_API_EngineDescriptor":{"description":"Describes a single entity engine, including its 
configuration and current status.","type":"object","properties":{"delay":{"default":"1m","description":"The delay before the transform processes new data, allowing late-arriving documents to be included.","example":"1m","pattern":"[smdh]$","type":"string"},"docsPerSecond":{"description":"Throttle value for the number of documents processed per second. Use -1 for no throttle.","type":"integer"},"error":{"description":"Present when the engine status is `error`. Describes the failure.","type":"object","properties":{"action":{"description":"The lifecycle action that caused the error.","enum":["init"],"type":"string"},"message":{"description":"A human-readable error message.","type":"string"}},"required":["message","action"]},"fieldHistoryLength":{"description":"The number of historical values retained per field.","example":10,"type":"integer"},"filter":{"description":"An optional Kibana Query Language (KQL) filter applied to source documents before aggregation.","example":"host.name: \"my-host\"","type":"string"},"frequency":{"default":"1m","description":"How often the transform runs.","example":"1m","pattern":"[smdh]$","type":"string"},"indexPattern":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_IndexPattern"},"lookbackPeriod":{"default":"24h","description":"How far back the transform looks when calculating aggregations.","example":"24h","pattern":"[smdh]$","type":"string"},"status":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineStatus"},"timeout":{"default":"180s","description":"The timeout for initializing the aggregating transform.","example":"180s","pattern":"[smdh]$","type":"string"},"timestampField":{"description":"The field used as the timestamp for source 
documents.","example":"@timestamp","type":"string"},"type":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType"}},"required":["type","indexPattern","status","fieldHistoryLength"]},"Security_Entity_Analytics_API_EngineMetadata":{"additionalProperties":false,"description":"Internal metadata attached to an entity by the engine that produced it.","type":"object","properties":{"Type":{"description":"The engine type that produced this entity record.","type":"string"}},"required":["Type"]},"Security_Entity_Analytics_API_EngineStatus":{"description":"The current operational status of an entity engine.","enum":["installing","started","stopped","updating","error"],"type":"string"},"Security_Entity_Analytics_API_EntitiesContainer":{"description":"A collection of entities to upsert in bulk.","type":"object","properties":{"entities":{"description":"The entities to create or update.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityContainer"},"type":"array"}},"required":["entities"]},"Security_Entity_Analytics_API_Entity":{"description":"An entity record from the Entity Store. 
The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`.","oneOf":[{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_UserEntity"},{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_HostEntity"},{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_ServiceEntity"},{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_GenericEntity"}]},"Security_Entity_Analytics_API_EntityAnalyticsPrivileges":{"type":"object","properties":{"has_all_required":{"type":"boolean"},"has_read_permissions":{"type":"boolean"},"has_write_permissions":{"type":"boolean"},"privileges":{"type":"object","properties":{"elasticsearch":{"type":"object","properties":{"cluster":{"additionalProperties":{"type":"boolean"},"type":"object"},"index":{"additionalProperties":{"additionalProperties":{"type":"boolean"},"type":"object"},"type":"object"}}},"kibana":{"additionalProperties":{"type":"boolean"},"type":"object"}},"required":["elasticsearch"]}},"required":["has_all_required","privileges"]},"Security_Entity_Analytics_API_EntityContainer":{"description":"A wrapper that pairs an entity type with the entity record to upsert.","type":"object","properties":{"record":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Entity","description":"The entity record to create or update."},"type":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityType","description":"The entity type of the record."}},"required":["type","record"]},"Security_Entity_Analytics_API_EntityField":{"additionalProperties":false,"description":"Core entity fields shared across all entity types. 
The `entity` namespace is a root-level field in the Entity Store latest index.","type":"object","properties":{"attributes":{"additionalProperties":false,"description":"Boolean flags describing characteristics of the entity.","type":"object","properties":{"asset":{"description":"Whether the entity is classified as an asset.","type":"boolean"},"managed":{"description":"Whether the entity is managed (for example, via a directory service).","type":"boolean"},"mfa_enabled":{"description":"Whether multi-factor authentication is enabled for the entity.","type":"boolean"},"privileged":{"description":"Whether the entity has elevated privileges.","type":"boolean"}}},"behaviors":{"additionalProperties":false,"description":"Boolean flags indicating observed behavioral signals.","type":"object","properties":{"brute_force_victim":{"description":"Whether the entity has been targeted by brute-force attacks.","type":"boolean"},"new_country_login":{"description":"Whether the entity has logged in from a new country.","type":"boolean"},"used_usb_device":{"description":"Whether the entity has used a USB device.","type":"boolean"}}},"EngineMetadata":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EngineMetadata"},"id":{"description":"Unique identifier for this entity.","example":"arn:aws:iam::123456789012:user\/jane.doe","type":"string"},"lifecycle":{"additionalProperties":false,"description":"Timestamps tracking the entity lifecycle.","type":"object","properties":{"first_seen":{"description":"When the entity was first observed.","format":"date-time","type":"string"},"last_activity":{"description":"When the entity last generated activity.","format":"date-time","type":"string"},"last_seen":{"description":"When the entity was last observed.","format":"date-time","type":"string"}}},"name":{"description":"Human-readable name of the entity.","example":"jane.doe","type":"string"},"relationships":{"additionalProperties":false,"description":"Connections between this entity and 
other entities.","type":"object","properties":{"accessed_frequently_by":{"description":"Entity IDs that frequently access this entity.","items":{"type":"string"},"type":"array"},"accesses_frequently":{"description":"Entity IDs this entity accesses frequently.","items":{"type":"string"},"type":"array"},"accesses_infrequently":{"description":"Entity IDs this entity accesses infrequently.","items":{"type":"string"},"type":"array"},"communicates_with":{"description":"Entity IDs this entity communicates with.","items":{"type":"string"},"type":"array"},"dependent_of":{"description":"Entity IDs that depend on this entity.","items":{"type":"string"},"type":"array"},"depends_on":{"description":"Entity IDs this entity depends on.","items":{"type":"string"},"type":"array"},"owned_by":{"description":"Entity IDs that own this entity.","items":{"type":"string"},"type":"array"},"owns":{"description":"Entity IDs owned by this entity.","items":{"type":"string"},"type":"array"},"supervised_by":{"description":"Entity IDs that supervise this entity.","items":{"type":"string"},"type":"array"},"supervises":{"description":"Entity IDs supervised by this entity.","items":{"type":"string"},"type":"array"}}},"risk":{"additionalProperties":false,"description":"Risk scoring information for the entity.","type":"object","properties":{"calculated_level":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityRiskLevels","description":"Lexical description of the entity's risk.","example":"Critical"},"calculated_score":{"description":"The raw numeric value of the given entity's risk score.","format":"double","type":"number"},"calculated_score_norm":{"description":"The normalized numeric value of the given entity's risk score. 
Useful for comparing with other entities.","format":"double","maximum":100,"minimum":0,"type":"number"}}},"source":{"description":"The source that produced this entity record.","type":"string"},"sub_type":{"description":"Optional sub-type classification for the entity.","type":"string"},"type":{"description":"The entity type.","example":"user","type":"string"}},"required":["id"]},"Security_Entity_Analytics_API_EntityRiskLevels":{"enum":["Unknown","Low","Moderate","High","Critical"],"type":"string"},"Security_Entity_Analytics_API_EntityRiskScoreRecord":{"type":"object","properties":{"@timestamp":{"description":"The time at which the risk score was calculated.","example":"2017-07-21T17:32:28Z","format":"date-time","type":"string"},"calculated_level":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityRiskLevels","description":"Lexical description of the entity's risk.","example":"Critical"},"calculated_score":{"description":"The raw numeric value of the given entity's risk score.","format":"double","type":"number"},"calculated_score_norm":{"description":"The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.","format":"double","maximum":100,"minimum":0,"type":"number"},"calculation_run_id":{"description":"Unique identifier for the scoring run that produced this document.","type":"string"},"category_1_count":{"description":"The number of risk input documents that contributed to the Category 1 score (`category_1_score`).","type":"integer"},"category_1_score":{"description":"The contribution of Category 1 to the overall risk score (`calculated_score`). 
Category 1 contains Detection Engine Alerts.","format":"double","type":"number"},"category_2_count":{"type":"integer"},"category_2_score":{"format":"double","type":"number"},"criticality_level":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_AssetCriticalityLevel"},"criticality_modifier":{"format":"double","type":"number"},"id_field":{"description":"The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored.","example":"host.name","type":"string"},"id_value":{"description":"The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored.","example":"example.host","type":"string"},"inputs":{"description":"A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.","items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_RiskScoreInput"},"type":"array"},"modifiers":{"description":"A list of modifiers that were applied to the risk score calculation.","items":{"type":"object","properties":{"contribution":{"format":"double","type":"number"},"metadata":{"additionalProperties":true,"type":"object"},"modifier_value":{"format":"double","type":"number"},"subtype":{"type":"string"},"type":{"type":"string"}},"required":["type","contribution"]},"type":"array"},"notes":{"items":{"type":"string"},"type":"array"},"related_entities":{"items":{"type":"object","properties":{"entity_id":{"type":"string"},"relationship_type":{"type":"string"}}},"type":"array"},"score_type":{"description":"Distinguishes base, propagated, and resolution 
scores.","enum":["base","propagated","resolution"],"type":"string"}},"required":["@timestamp","id_field","id_value","calculated_level","calculated_score","calculated_score_norm","category_1_score","category_1_count","inputs","notes"]},"Security_Entity_Analytics_API_EntitySourceType":{"enum":["index","entity_analytics_integration","store"],"type":"string"},"Security_Entity_Analytics_API_EntityType":{"description":"The type of entity.","enum":["user","host","service","generic"],"type":"string"},"Security_Entity_Analytics_API_Filter":{"type":"object","properties":{"kuery":{"oneOf":[{"type":"string"},{"type":"object"}]}}},"Security_Entity_Analytics_API_GenericEntity":{"additionalProperties":false,"description":"A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed.","type":"object","properties":{"@timestamp":{"description":"The time the entity record was last updated.","format":"date-time","type":"string"},"asset":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Asset","additionalProperties":false},"entity":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityField"}},"required":["entity"]},"Security_Entity_Analytics_API_HostEntity":{"additionalProperties":false,"description":"An entity record representing a host, stored in the Entity Store latest index.","type":"object","properties":{"@timestamp":{"description":"The time the entity record was last updated.","format":"date-time","type":"string"},"asset":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Asset","additionalProperties":false},"entity":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityField"},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"description":"When the event was ingested into Elasticsearch.","format":"date-time","type":"string"}}},"host":{"additionalProperties":false,"description":"Elastic Common Schema (ECS) host fields collected on the 
entity.","type":"object","properties":{"architecture":{"description":"Observed CPU architectures.","items":{"type":"string"},"type":"array"},"domain":{"description":"Observed host domains.","items":{"type":"string"},"type":"array"},"entity":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityField"},"hostname":{"description":"Observed hostnames.","items":{"type":"string"},"type":"array"},"id":{"description":"Observed host IDs.","items":{"type":"string"},"type":"array"},"ip":{"description":"Observed IP addresses.","items":{"type":"string"},"type":"array"},"mac":{"description":"Observed MAC addresses.","items":{"type":"string"},"type":"array"},"name":{"description":"Primary host name.","type":"string"},"os":{"additionalProperties":false,"description":"Elastic Common Schema (ECS) host.os fields collected on the entity latest index.","type":"object","properties":{"family":{"type":"string"},"full":{"type":"string"},"kernel":{"type":"string"},"name":{"oneOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"platform":{"type":"string"},"type":{"oneOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]},"version":{"type":"string"}}},"risk":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityRiskScoreRecord"},"type":{"description":"Observed host types.","items":{"type":"string"},"type":"array"}},"required":["name"]}},"required":["entity"]},"Security_Entity_Analytics_API_IdField":{"enum":["host.name","user.name","service.name","entity.id"],"type":"string"},"Security_Entity_Analytics_API_IndexPattern":{"description":"An additional Elasticsearch index pattern to include as a source for entity data. 
Merged with the default data view indices when the engine runs.","example":"logs-*","type":"string"},"Security_Entity_Analytics_API_InspectQuery":{"description":"Debug information about the Elasticsearch query executed.","type":"object","properties":{"dsl":{"description":"Elasticsearch query DSL that was executed.","items":{"type":"string"},"type":"array"},"response":{"description":"Raw Elasticsearch responses.","items":{"type":"string"},"type":"array"}},"required":["dsl","response"]},"Security_Entity_Analytics_API_Integrations":{"type":"object","properties":{"syncData":{"description":"Timestamps of the latest full sync and the last processed update from integrations","type":"object","properties":{"lastFullSync":{"description":"Timestamp of the last full sync from integrations","format":"date-time","type":"string"},"lastUpdateProcessed":{"description":"Timestamp of the last update processed from integrations","format":"date-time","type":"string"}}},"syncMarkerIndex":{"description":"Index to read latest sync markers from","type":"string"}}},"Security_Entity_Analytics_API_Interval":{"description":"Interval at which the enrich policy runs. For example, `\"1h\"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period.","example":"1h","pattern":"^[1-9]\\d*[smh]$","type":"string"},"Security_Entity_Analytics_API_Matcher":{"type":"object","properties":{"fields":{"items":{"type":"string"},"type":"array"},"values":{"description":"Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). 
Mixed types are intentionally not supported for simplicity and predictability.\n","oneOf":[{"items":{"type":"string"},"type":"array"},{"items":{"type":"boolean"},"type":"array"}]}},"required":["fields","values"]},"Security_Entity_Analytics_API_Metadata":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_TransformStatsMetadata"},"Security_Entity_Analytics_API_MonitoredUserDoc":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoredUserUpdateDoc"},{"type":"object","properties":{"@timestamp":{"format":"date-time","type":"string"},"event":{"type":"object","properties":{"@timestamp":{"format":"date-time","type":"string"},"ingested":{"format":"date-time","type":"string"}}},"user":{"type":"object","properties":{"entity":{"type":"object","properties":{"attributes":{"type":"object","properties":{"Privileged":{"description":"Indicates if the user is privileged.","type":"boolean"}}}}},"is_privileged":{"description":"Indicates if the user is privileged.","type":"boolean"},"name":{"type":"string"}}}}}]},"Security_Entity_Analytics_API_MonitoredUserUpdateDoc":{"type":"object","properties":{"entity_analytics_monitoring":{"type":"object","properties":{"labels":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoringLabel"},"type":"array"}}},"id":{"type":"string"},"labels":{"type":"object","properties":{"source_ids":{"items":{"type":"string"},"type":"array"},"source_integrations":{"items":{"type":"string"},"type":"array"},"sources":{"items":{"enum":["csv","index_sync","api"]},"type":"array"}}},"user":{"type":"object","properties":{"is_privileged":{"description":"Indicates if the user is privileged.","type":"boolean"},"name":{"type":"string"}}}}},"Security_Entity_Analytics_API_MonitoringEngineDescriptor":{"type":"object","properties":{"error":{"type":"object","properties":{"message":{"description":"Error message typically only present if the engine is in error 
state","type":"string"}}},"status":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus"}},"required":["status"]},"Security_Entity_Analytics_API_MonitoringEntitySource":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_MonitoringEntitySourceProperties"},{"type":"object","properties":{"id":{"type":"string"}},"required":["type","name","id","managed"]}]},"Security_Entity_Analytics_API_MonitoringEntitySourceProperties":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties"},{"type":"object","properties":{"managed":{"type":"boolean"}}}]},"Security_Entity_Analytics_API_MonitoringLabel":{"type":"object","properties":{"field":{"type":"string"},"source":{"type":"string"},"value":{"type":"string"}},"required":["field","value","source"]},"Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus":{"description":"The status of the Privilege Monitoring Engine","enum":["started","error","disabled","not_installed"],"type":"string"},"Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem":{"type":"object","properties":{"index":{"nullable":true,"type":"integer"},"message":{"type":"string"},"username":{"nullable":true,"type":"string"}},"required":["message","index","username"]},"Security_Entity_Analytics_API_PrivmonUserCsvUploadStats":{"type":"object","properties":{"failedOperations":{"type":"integer"},"successfulOperations":{"type":"integer"},"totalOperations":{"type":"integer"},"uploaded":{"type":"integer"}},"required":["successfulOperations","uploaded","failedOperations","totalOperations"]},"Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse":{"type":"object","properties":{"full_error":{"type":"string"},"message":{"type":"string"}},"required":["message","full_error"]},"Security_Entity_Analytics_API_RiskEngineScheduleNowResponse":{"type":"object","properties":{"success":{"type":"boolean"}}},"Security_Entity_Analytics_API_RiskScoreInpu
t":{"description":"A generic representation of a document contributing to a Risk Score.","type":"object","properties":{"category":{"description":"The risk category of the risk input document.","example":"category_1","type":"string"},"contribution_score":{"format":"double","type":"number"},"description":{"description":"A human-readable description of the risk input document.","example":"Generated from Detection Engine Rule: Malware Prevention Alert","type":"string"},"entity_id":{"description":"The EUID of the entity within the graph that generated this alert.","type":"string"},"id":{"description":"The unique identifier (`_id`) of the original source document","example":"91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c","type":"string"},"index":{"description":"The unique index (`_index`) of the original source document","example":".internal.alerts-security.alerts-default-000001","type":"string"},"risk_score":{"description":"The weighted risk score of the risk input document.","format":"double","maximum":100,"minimum":0,"type":"number"},"timestamp":{"description":"The @timestamp of the risk input document.","example":"2017-07-21T17:32:28Z","type":"string"}},"required":["id","index","description","category"]},"Security_Entity_Analytics_API_ServiceEntity":{"additionalProperties":false,"description":"An entity record representing a service, stored in the Entity Store latest index.","type":"object","properties":{"@timestamp":{"description":"The time the entity record was last updated.","format":"date-time","type":"string"},"asset":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Asset","additionalProperties":false},"entity":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityField"},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"description":"When the event was ingested into Elasticsearch.","format":"date-time","type":"string"}}},"service":{"additionalProperties":false,"description":"Elastic 
Common Schema (ECS) service fields collected on the entity.","type":"object","properties":{"entity":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityField"},"name":{"description":"Primary service name.","type":"string"},"risk":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityRiskScoreRecord"}},"required":["name"]}},"required":["entity"]},"Security_Entity_Analytics_API_StoreStatus":{"description":"The overall operational status of the Entity Store.","enum":["not_installed","installing","running","stopped","error"],"type":"string"},"Security_Entity_Analytics_API_TaskManagerUnavailableResponse":{"description":"Task manager is unavailable","type":"object","properties":{"message":{"type":"string"},"status_code":{"minimum":400,"type":"integer"}},"required":["status_code","message"]},"Security_Entity_Analytics_API_TransformStatsMetadata":{"description":"Statistics from the underlying Elasticsearch transform.","type":"object","properties":{"delete_time_in_ms":{"description":"Total time spent deleting documents, in milliseconds.","type":"integer"},"documents_deleted":{"description":"Total number of documents deleted from the destination index.","type":"integer"},"documents_indexed":{"description":"Total number of documents written to the destination index.","type":"integer"},"documents_processed":{"description":"Total number of source documents processed.","type":"integer"},"exponential_avg_checkpoint_duration_ms":{"description":"Exponential moving average of checkpoint duration, in milliseconds.","type":"integer"},"exponential_avg_documents_indexed":{"description":"Exponential moving average of documents indexed per checkpoint.","type":"integer"},"exponential_avg_documents_processed":{"description":"Exponential moving average of documents processed per checkpoint.","type":"integer"},"index_failures":{"description":"Total number of failed index operations.","type":"integer"},"index_time_in_ms":{"description":"Total time spent indexing 
documents, in milliseconds.","type":"integer"},"index_total":{"description":"Total number of index operations.","type":"integer"},"pages_processed":{"description":"Number of composite aggregation pages processed.","type":"integer"},"processing_time_in_ms":{"description":"Total time spent processing results, in milliseconds.","type":"integer"},"processing_total":{"description":"Total number of processing operations.","type":"integer"},"search_failures":{"description":"Total number of failed search operations.","type":"integer"},"search_time_in_ms":{"description":"Total time spent on search queries, in milliseconds.","type":"integer"},"search_total":{"description":"Total number of search operations.","type":"integer"},"trigger_count":{"description":"Number of times the transform has been triggered.","type":"integer"}},"required":["pages_processed","documents_processed","documents_indexed","trigger_count","index_time_in_ms","index_total","index_failures","search_time_in_ms","search_total","search_failures","processing_time_in_ms","processing_total","exponential_avg_checkpoint_duration_ms","exponential_avg_documents_indexed","exponential_avg_documents_processed"]},"Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties":{"type":"object","properties":{"enabled":{"type":"boolean"},"filter":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Filter"},"identifierField":{"description":"Field used to query the entity store for index-type sources","type":"string"},"indexPattern":{"type":"string"},"integrationName":{"type":"string"},"integrations":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Integrations"},"matchers":{"items":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Matcher"},"type":"array"},"name":{"type":"string"},"queryRule":{"description":"KQL query used to filter data from the provided index 
patterns","type":"string"},"range":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_DateRange"},"type":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntitySourceType"}}},"Security_Entity_Analytics_API_UserEntity":{"additionalProperties":false,"description":"An entity record representing a user, stored in the Entity Store latest index.","type":"object","properties":{"@timestamp":{"description":"The time the entity record was last updated.","format":"date-time","type":"string"},"asset":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_Asset","additionalProperties":false},"entity":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityField"},"event":{"additionalProperties":false,"type":"object","properties":{"ingested":{"description":"When the event was ingested into Elasticsearch.","format":"date-time","type":"string"}}},"user":{"additionalProperties":false,"description":"Elastic Common Schema (ECS) user fields collected on the entity.","type":"object","properties":{"domain":{"description":"Observed user domains.","items":{"type":"string"},"type":"array"},"email":{"description":"Observed email addresses.","items":{"type":"string"},"type":"array"},"full_name":{"description":"Observed full names of the user.","items":{"type":"string"},"type":"array"},"hash":{"description":"Observed user hashes.","items":{"type":"string"},"type":"array"},"id":{"description":"Observed user IDs.","items":{"type":"string"},"type":"array"},"name":{"description":"Primary user name.","type":"string"},"risk":{"$ref":"#\/components\/schemas\/Security_Entity_Analytics_API_EntityRiskScoreRecord","additionalProperties":false},"roles":{"description":"Observed roles assigned to the user.","items":{"type":"string"},"type":"array"}},"required":["name"]}},"required":["entity"]},"Security_Entity_Analytics_API_UserName":{"type":"object","properties":{"entity_analytics_monitoring":{"description":"Entity analytics monitoring configuration for the 
user","type":"object","properties":{"labels":{"description":"Array of labels associated with the user","items":{"type":"object","properties":{"field":{"description":"The field name for the label","type":"string"},"source":{"description":"The source where this label was created (api, csv, or index_sync)","enum":["api","csv","index_sync"],"type":"string"},"value":{"description":"The value of the label","type":"string"}}},"type":"array"}}},"user":{"type":"object","properties":{"name":{"description":"The name of the user.","type":"string"}}}}},"Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem":{"example":{"matchedEntities":1,"status":"success"},"type":"object","properties":{"error":{"description":"Error message if the row failed to process","example":"Invalid entity type","type":"string"},"matchedEntities":{"description":"Number of entities matched for this row","example":1,"type":"integer"},"status":{"enum":["success","failure","unmatched"],"example":"success","type":"string"}},"required":["status","matchedEntities"]},"Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem":{"example":{"euid":"user:john.doe","status":"success"},"type":"object","properties":{"error":{"description":"Error message if the entity failed to process","example":"Invalid entity type","type":"string"},"euid":{"description":"The EUID of the entity","example":"user:john.doe","type":"string"},"status":{"enum":["success","failure","not_found"],"example":"success","type":"string"}},"required":["euid","status"]},"Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem":{"example":{"euid":"user:john.doe","status":"success"},"type":"object","properties":{"error":{"description":"Error message if the entity failed to process","example":"Invalid entity type","type":"string"},"euid":{"description":"The EUID of the 
entity","example":"user:john.doe","type":"string"},"status":{"enum":["success","failure","not_found"],"example":"success","type":"string"}},"required":["euid","status"]},"Security_Entity_Analytics_API_WatchlistObject":{"example":{"createdAt":"2026-01-28T12:00:00.000Z","description":"High risk vendor watchlist","id":"watchlist-123","managed":false,"name":"High Risk Vendors","riskModifier":1.5,"updatedAt":"2026-02-18T12:00:00.000Z"},"type":"object","properties":{"createdAt":{"description":"Timestamp indicating when the watchlist was created","format":"date-time","type":"string"},"description":{"description":"Description of the watchlist","type":"string"},"entityCount":{"description":"Number of entities in the watchlist","type":"number"},"entitySourceIds":{"description":"List of entity source IDs associated with the watchlist","items":{"type":"string"},"type":"array"},"id":{"description":"The unique ID of the watchlist","type":"string"},"managed":{"description":"Indicates if the watchlist is managed by the system","type":"boolean"},"name":{"description":"The name of the watchlist","type":"string"},"riskModifier":{"description":"Risk score modifier associated with the watchlist","type":"number"},"updatedAt":{"description":"Timestamp indicating when the watchlist was last updated","format":"date-time","type":"string"}},"required":["name","riskModifier","managed"]},"Security_Exceptions_API_BlocklistHashOrPathEntry":{"type":"object","properties":{"field":{"description":"File hash or path field","enum":["file.hash.md5","file.hash.sha1","file.hash.sha256","file.path","file.path.caseless"],"type":"string"},"operator":{"description":"Must be the value \"included\"","enum":["included"],"type":"string"},"type":{"description":"Must be match_any for blocklists","enum":["match_any"],"type":"string"},"value":{"description":"Array of hash values or file 
paths","items":{"type":"string"},"minItems":1,"type":"array"}},"required":["field","type","value","operator"]},"Security_Exceptions_API_BlocklistLinuxProperties":{"description":"Blocklist list item properties (Linux, code signature not supported).","type":"object","properties":{"entries":{"description":"**Validation rules:**\n* Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)\n* Path entry: only 1 allowed\n","items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_BlocklistHashOrPathEntry"},"minItems":1,"type":"array"},"list_id":{"enum":["endpoint_blocklists"],"example":"endpoint_blocklists","type":"string"},"os_types":{"description":"Linux-only","items":{"enum":["linux"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_BlocklistMacProperties":{"description":"Blocklist list item properties (macOS, code signature not supported).","type":"object","properties":{"entries":{"description":"**Validation rules:**\n* Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)\n* Path entry: only 1 allowed\n","items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_BlocklistHashOrPathEntry"},"minItems":1,"type":"array"},"list_id":{"enum":["endpoint_blocklists"],"example":"endpoint_blocklists","type":"string"},"os_types":{"description":"macOS-only","items":{"enum":["macos"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry":{"type":"object","properties":{"entries":{"description":"Nested subject_name entries","items":{"type":"object","properties":{"field":{"description":"Certificate subject name","enum":["subject_name"],"type":"string"},"operator":{"description":"Must be the value 
\"included\"","enum":["included"],"type":"string"},"type":{"description":"Match type for subject name","enum":["match","match_any"],"type":"string"},"value":{"oneOf":[{"description":"Single subject name (used with match)","type":"string"},{"description":"Array of subject names (used with match_any)","items":{"type":"string"},"minItems":1,"type":"array"}]}},"required":["field","type","value","operator"]},"minItems":1,"type":"array"},"field":{"description":"Windows code signature field","enum":["file.Ext.code_signature"],"type":"string"},"type":{"description":"Must be nested for Windows code signature","enum":["nested"],"type":"string"}},"required":["field","type","entries"]},"Security_Exceptions_API_BlocklistWindowsProperties":{"description":"Blocklist list item properties (Windows, supports code signature).","type":"object","properties":{"entries":{"description":"**Validation rules:**\n* Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)\n* Path entry: only 1 allowed\n* Code signature entry: only 1 
allowed\n","items":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_BlocklistHashOrPathEntry"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry"}]},"minItems":1,"type":"array"},"list_id":{"enum":["endpoint_blocklists"],"example":"endpoint_blocklists","type":"string"},"os_types":{"description":"Windows-only","items":{"enum":["windows"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_CreateExceptionListItemBase":{"type":"object","properties":{"comments":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemCommentArray","default":[]},"description":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemDescription"},"expire_time":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemExpireTime"},"item_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemHumanId"},"meta":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemName"},"namespace_type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType","default":"single"},"type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemType"}},"required":["type","name","description"]},"Security_Exceptions_API_CreateExceptionListItemBlocklistLinux":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_BlocklistLinuxProperties"}]},"Security_Exceptions_API_CreateExceptionListItemBlocklistMac":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_BlocklistMacProperties"}]},"Security_Excep
tions_API_CreateExceptionListItemBlocklistWindows":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_BlocklistWindowsProperties"}]},"Security_Exceptions_API_CreateExceptionListItemComment":{"type":"object","properties":{"comment":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"}},"required":["comment"]},"Security_Exceptions_API_CreateExceptionListItemCommentArray":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemComment"},"type":"array"},"Security_Exceptions_API_CreateExceptionListItemEndpointList":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointListProperties"}]},"Security_Exceptions_API_CreateExceptionListItemEventFilters":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EventFiltersProperties"}]},"Security_Exceptions_API_CreateExceptionListItemGeneric":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"example":{"description":"This is a sample detection type exception item.","entries":[{"field":"actingProcess.file.signer","operator":"excluded","type":"exists"},{"field":"host.name","operator":"included","type":"match_any","value":["saturn","jupiter"]}],"item_id":"simple_list_item","list_id":"simple_list","name":"Sample Exception List 
Item","namespace_type":"single","os_types":["linux"],"tags":["malware"],"type":"simple"},"type":"object","properties":{"entries":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryArray"},"list_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"},"os_types":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemTags","default":[]}},"required":["list_id","entries"]}]},"Security_Exceptions_API_CreateExceptionListItemHostIsolation":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_HostIsolationProperties"}]},"Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppsLinuxProperties"}]},"Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppsMacProperties"}]},"Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppsWindowsProperties"}]},"Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedDevicesMacProperties"}]},"Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/s
chemas\/Security_Exceptions_API_TrustedDevicesWindowsProperties"}]},"Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedDevicesWindowsMacProperties"}]},"Security_Exceptions_API_CreateRuleExceptionListItemComment":{"type":"object","properties":{"comment":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"}},"required":["comment"]},"Security_Exceptions_API_CreateRuleExceptionListItemCommentArray":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateRuleExceptionListItemComment"},"type":"array"},"Security_Exceptions_API_CreateRuleExceptionListItemProps":{"type":"object","properties":{"comments":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray","default":[]},"description":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryArray"},"expire_time":{"format":"date-time","type":"string"},"item_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemHumanId"},"meta":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemName"},"namespace_type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType","default":"single"},"os_types":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemTags","default":[]},"type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemType"}},"required":["type","name","description","entries"]},"Security_Exceptions_API_EndpointArtifactTags":{"default":[],"descriptio
n":"Tags for categorization. Special tags for scope control:\n* `\"policy:all\"` - Global artifact (applies to all Elastic Defend policies)\n* `\"policy:<policy_id>\"` - Private artifact (applies to specific Elastic Defend policy only, where `<policy_id>` is the Elastic Defend integration policy ID)\n","items":{"type":"string"},"type":"array"},"Security_Exceptions_API_EndpointListProperties":{"description":"Elastic Endpoint exception list item properties.","type":"object","properties":{"entries":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryArray","description":"Exception entries for endpoint security exceptions (used to prevent detection rule alerts).\n\n**Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced.\n"},"list_id":{"enum":["endpoint_list"],"example":"endpoint_list","type":"string"},"os_types":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_EventFiltersProperties":{"description":"Event filters list item properties.","type":"object","properties":{"entries":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryArray","description":"Exception entries for the event filter.\n\n**Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.)\n\n**Minimum requirement:** At least 1 entry 
required\n"},"list_id":{"enum":["endpoint_event_filters"],"example":"endpoint_event_filters","type":"string"},"os_types":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_ExceptionList":{"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.","type":"string"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListDescription"},"id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListId"},"immutable":{"type":"boolean"},"list_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListName"},"namespace_type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType"},"os_types":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListOsTypeArray"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListTags"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","type":"string"},"type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListType"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated 
object.","type":"string"},"version":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListVersion"}},"required":["id","list_id","type","name","description","immutable","namespace_type","version","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Exceptions_API_ExceptionListDescription":{"description":"Describes the exception list.","example":"This list tracks allowlisted values.","type":"string"},"Security_Exceptions_API_ExceptionListHumanId":{"description":"The exception list's human-readable string identifier.\n\nFor endpoint artifacts, use one of the following values:\n\n* `endpoint_list`: [Elastic Endpoint exception list](https:\/\/www.elastic.co\/docs\/solutions\/security\/detect-and-alert\/add-manage-exceptions)\n* `endpoint_trusted_apps`: [Trusted applications list](https:\/\/www.elastic.co\/docs\/solutions\/security\/manage-elastic-defend\/trusted-applications)\n* `endpoint_trusted_devices`: [Trusted devices list](https:\/\/www.elastic.co\/docs\/solutions\/security\/manage-elastic-defend\/trusted-devices)\n* `endpoint_event_filters`: [Event filters list](https:\/\/www.elastic.co\/docs\/solutions\/security\/manage-elastic-defend\/event-filters)\n* `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https:\/\/www.elastic.co\/docs\/solutions\/security\/manage-elastic-defend\/host-isolation-exceptions)\n* `endpoint_blocklists`: [Blocklists list](https:\/\/www.elastic.co\/docs\/solutions\/security\/manage-elastic-defend\/blocklist)\n","example":"simple_list","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ExceptionListId":{"description":"Exception list's identifier.","example":"9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ExceptionListItem":{"type":"object","properties":{"_version":{"description":"The version id, normally returned by the API when the item was retrieved. 
Use it to ensure updates are done against the latest version.","type":"string"},"comments":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemCommentArray"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemDescription"},"entries":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryArray"},"expire_time":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemExpireTime"},"id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemId"},"item_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemHumanId"},"list_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"},"meta":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemName"},"namespace_type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType"},"os_types":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemOsTypeArray"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemTags"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","type":"string"},"type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemType"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated 
object.","type":"string"}},"required":["id","item_id","list_id","type","name","description","entries","namespace_type","comments","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Exceptions_API_ExceptionListItemComment":{"type":"object","properties":{"comment":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"created_at":{"description":"Autogenerated date of object creation.","format":"date-time","type":"string"},"created_by":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"updated_at":{"description":"Autogenerated date of last object update.","format":"date-time","type":"string"},"updated_by":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"}},"required":["id","comment","created_at","created_by"]},"Security_Exceptions_API_ExceptionListItemCommentArray":{"description":"Array of comment fields:\n\n- comment (string): Comments about the exception item.\n","items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemComment"},"type":"array"},"Security_Exceptions_API_ExceptionListItemDescription":{"description":"Describes the exception 
list.","type":"string"},"Security_Exceptions_API_ExceptionListItemEntry":{"anyOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryMatch"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryMatchAny"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryList"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryExists"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryNested"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard"}],"discriminator":{"propertyName":"type"}},"Security_Exceptions_API_ExceptionListItemEntryArray":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntry"},"type":"array"},"Security_Exceptions_API_ExceptionListItemEntryExists":{"type":"object","properties":{"field":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["exists"],"type":"string"}},"required":["type","field","operator"]},"Security_Exceptions_API_ExceptionListItemEntryList":{"type":"object","properties":{"field":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"list":{"type":"object","properties":{"id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ListId"},"type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ListType"}},"required":["id","type"]},"operator":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["list"],"type":"string"}},"required":["type","field","list","operator"]},"Security_Exceptions_API_ExceptionListItemEntryMatch":{"type":"object","properties":{"field":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryOpe
rator"},"type":{"enum":["match"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"}},"required":["type","field","value","operator"]},"Security_Exceptions_API_ExceptionListItemEntryMatchAny":{"type":"object","properties":{"field":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["match_any"],"type":"string"},"value":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"minItems":1,"type":"array"}},"required":["type","field","value","operator"]},"Security_Exceptions_API_ExceptionListItemEntryMatchWildcard":{"type":"object","properties":{"field":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"operator":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryOperator"},"type":{"enum":["wildcard"],"type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"}},"required":["type","field","value","operator"]},"Security_Exceptions_API_ExceptionListItemEntryNested":{"type":"object","properties":{"entries":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem"},"minItems":1,"type":"array"},"field":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"type":{"enum":["nested"],"type":"string"}},"required":["type","field","entries"]},"Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryMatch"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryMatchAny"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryExists"}]},"Security_Exceptions_API_ExceptionListItemEntryOperator":{"enum":["excluded","included"],"type":"string"},"Security_Exceptions_API_ExceptionList
ItemExpireTime":{"description":"The exception item\u2019s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.","format":"date-time","type":"string"},"Security_Exceptions_API_ExceptionListItemHumanId":{"description":"Human readable string identifier, e.g. `trusted-linux-processes`","example":"simple_list_item","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ExceptionListItemId":{"description":"Exception's identifier.","example":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ExceptionListItemMeta":{"additionalProperties":true,"type":"object"},"Security_Exceptions_API_ExceptionListItemName":{"description":"Exception list name.","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ExceptionListItemOsTypeArray":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListOsType"},"type":"array"},"Security_Exceptions_API_ExceptionListItemTags":{"items":{"description":"String array containing words and phrases to help categorize exception items.","format":"nonempty","minLength":1,"type":"string"},"type":"array"},"Security_Exceptions_API_ExceptionListItemType":{"enum":["simple"],"type":"string"},"Security_Exceptions_API_ExceptionListMeta":{"additionalProperties":true,"description":"Placeholder for metadata about the list container.","type":"object"},"Security_Exceptions_API_ExceptionListName":{"description":"The name of the exception list.","example":"My exception list","type":"string"},"Security_Exceptions_API_ExceptionListOsType":{"description":"Use this field to specify the operating system.","enum":["linux","macos","windows"],"type":"string"},"Security_Exceptions_API_ExceptionListOsTypeArray":{"description":"Use this field to specify the operating system. 
Only enter one value.","items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListOsType"},"type":"array"},"Security_Exceptions_API_ExceptionListsImportBulkError":{"type":"object","properties":{"error":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["status_code","message"]},"id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListId"},"item_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemHumanId"},"list_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"}},"required":["error"]},"Security_Exceptions_API_ExceptionListsImportBulkErrorArray":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListsImportBulkError"},"type":"array"},"Security_Exceptions_API_ExceptionListTags":{"description":"String array containing words and phrases to help categorize exception containers.","items":{"type":"string"},"type":"array"},"Security_Exceptions_API_ExceptionListType":{"description":"The type of exception list to be created. Different list types may denote where they can be utilized.","enum":["detection","rule_default","endpoint","endpoint_trusted_apps","endpoint_trusted_devices","endpoint_events","endpoint_host_isolation_exceptions","endpoint_blocklists"],"type":"string"},"Security_Exceptions_API_ExceptionListVersion":{"description":"The document version, automatically increased on updates.","minimum":1,"type":"integer"},"Security_Exceptions_API_ExceptionNamespaceType":{"description":"Determines whether the exception container is available in all Kibana spaces or just the space\nin which it is created, where:\n\n- `single`: Only available in the Kibana space in which it is created.\n- `agnostic`: Available in all Kibana spaces.\n\nFor endpoint artifacts, the `namespace_type` must always be `agnostic`. 
Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.\n","enum":["agnostic","single"],"type":"string"},"Security_Exceptions_API_FindExceptionListItemsFilter":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"},"Security_Exceptions_API_FindExceptionListsFilter":{"example":"exception-list.attributes.name:%Detection%20List","type":"string"},"Security_Exceptions_API_HostIsolationProperties":{"description":"Host isolation exceptions list item properties.","type":"object","properties":{"entries":{"description":"Exactly one entry allowed for host isolation exceptions","items":{"type":"object","properties":{"field":{"description":"Must be destination.ip","enum":["destination.ip"],"type":"string"},"operator":{"description":"Must be the value \"included\"","enum":["included"],"type":"string"},"type":{"description":"Must be match","enum":["match"],"type":"string"},"value":{"description":"Valid IPv4 address or CIDR notation (e.g., \"192.168.1.1\" or \"10.0.0.0\/8\")","type":"string"}},"required":["field","type","value","operator"]},"maxItems":1,"minItems":1,"type":"array"},"list_id":{"enum":["endpoint_host_isolation_exceptions"],"example":"endpoint_host_isolation_exceptions","type":"string"},"os_types":{"description":"Must include all three operating systems (windows, linux, macos)","items":{"enum":["windows","linux","macos"],"type":"string"},"maxItems":3,"minItems":3,"type":"array"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_ListId":{"description":"Value list's identifier.","example":"21b01cfb-058d-44b9-838c-282be16c91cd","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_ListType":{"description":"Specifies the Elasticsearch data type of excludes the list container holds. 
Some common examples:\n\n- `keyword`: Many ECS fields are Elasticsearch keywords\n- `ip`: IP addresses\n- `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)\n","enum":["binary","boolean","byte","date","date_nanos","date_range","double","double_range","float","float_range","geo_point","geo_shape","half_float","integer","integer_range","ip","ip_range","keyword","long","long_range","shape","short","text"],"type":"string"},"Security_Exceptions_API_NonEmptyString":{"description":"A string that does not contain only whitespace characters","format":"nonempty","minLength":1,"type":"string"},"Security_Exceptions_API_PlatformErrorResponse":{"type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"integer"}},"required":["statusCode","error","message"]},"Security_Exceptions_API_RuleId":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UUID"},"Security_Exceptions_API_SiemErrorResponse":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["status_code","message"]},"Security_Exceptions_API_TrustedAppHashEntry":{"type":"object","properties":{"field":{"description":"Process hash field","enum":["process.hash.md5","process.hash.sha1","process.hash.sha256"],"type":"string"},"operator":{"enum":["included"],"type":"string"},"type":{"description":"Hash entries only support match type","enum":["match"],"type":"string"},"value":{"description":"Hash value (MD5, SHA1, or SHA256)","type":"string"}},"required":["field","type","value","operator"]},"Security_Exceptions_API_TrustedAppMacCodeSignatureEntry":{"type":"object","properties":{"entries":{"description":"Must include exactly 2 entries - one for subject_name and one for trusted","items":{"oneOf":[{"type":"object","properties":{"field":{"enum":["subject_name"],"type":"string"},"operator":{"enum":["included"],"type":"string"},"type":{"enum":["match"],"type":"string"},"value":{"description":"Certificate subject 
name","type":"string"}},"required":["field","type","value","operator"]},{"type":"object","properties":{"field":{"enum":["trusted"],"type":"string"},"operator":{"enum":["included"],"type":"string"},"type":{"enum":["match"],"type":"string"},"value":{"description":"Must be the string 'true'","enum":["true"],"type":"string"}},"required":["field","type","value","operator"]}]},"maxItems":2,"minItems":2,"type":"array"},"field":{"description":"macOS code signature field","enum":["process.code_signature"],"type":"string"},"type":{"enum":["nested"],"type":"string"}},"required":["field","type","entries"]},"Security_Exceptions_API_TrustedAppPathEntry":{"type":"object","properties":{"field":{"description":"Process executable path field","enum":["process.executable.caseless"],"type":"string"},"operator":{"enum":["included"],"type":"string"},"type":{"description":"Path supports both match and wildcard types","enum":["match","wildcard"],"type":"string"},"value":{"description":"Executable path","type":"string"}},"required":["field","type","value","operator"]},"Security_Exceptions_API_TrustedAppsLinuxProperties":{"description":"Trusted applications list item properties (Linux).","type":"object","properties":{"entries":{"description":"Process hash or executable path entries (code signature not supported on Linux)","items":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppHashEntry"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppPathEntry"}]},"minItems":1,"type":"array"},"list_id":{"enum":["endpoint_trusted_apps"],"example":"endpoint_trusted_apps","type":"string"},"os_types":{"description":"Must be Linux only","items":{"enum":["linux"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_TrustedAppsMacProperties":{"description":"Trusted applications list item properties 
(macOS).","type":"object","properties":{"entries":{"description":"Process hash, executable path, or code signature entries","items":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppHashEntry"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppPathEntry"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry"}]},"minItems":1,"type":"array"},"list_id":{"enum":["endpoint_trusted_apps"],"example":"endpoint_trusted_apps","type":"string"},"os_types":{"description":"Must be macOS only","items":{"enum":["macos"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_TrustedAppsWindowsProperties":{"description":"Trusted applications list item properties (Windows).","type":"object","properties":{"entries":{"description":"Process hash, executable path, or code signature entries","items":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppHashEntry"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppPathEntry"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry"}]},"minItems":1,"type":"array"},"list_id":{"enum":["endpoint_trusted_apps"],"example":"endpoint_trusted_apps","type":"string"},"os_types":{"description":"Must be Windows only","items":{"enum":["windows"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry":{"type":"object","properties":{"entries":{"description":"Must include exactly 2 entries - one for subject_name and one for 
trusted","items":{"oneOf":[{"type":"object","properties":{"field":{"enum":["subject_name"],"type":"string"},"operator":{"enum":["included"],"type":"string"},"type":{"enum":["match"],"type":"string"},"value":{"description":"Certificate subject name","type":"string"}},"required":["field","type","value","operator"]},{"type":"object","properties":{"field":{"enum":["trusted"],"type":"string"},"operator":{"enum":["included"],"type":"string"},"type":{"enum":["match"],"type":"string"},"value":{"description":"Must be the string 'true'","enum":["true"],"type":"string"}},"required":["field","type","value","operator"]}]},"maxItems":2,"minItems":2,"type":"array"},"field":{"description":"Windows code signature field","enum":["process.Ext.code_signature"],"type":"string"},"type":{"enum":["nested"],"type":"string"}},"required":["field","type","entries"]},"Security_Exceptions_API_TrustedDevicesMacProperties":{"description":"Trusted devices list item properties (macOS-only, username not supported).","type":"object","properties":{"entries":{"description":"Exception entries for the trusted device (duplicate field entries are not allowed)","items":{"type":"object","properties":{"field":{"description":"Device field to match against","enum":["device.serial_number","device.type","host.name","device.vendor.name","device.vendor.id","device.product.id","device.product.name"],"type":"string"},"operator":{"description":"Must be the value \"included\"","enum":["included"],"type":"string"},"type":{"description":"Entry match type","enum":["match","wildcard","match_any"],"type":"string"},"value":{"oneOf":[{"description":"Single value (used with match or wildcard)","type":"string"},{"description":"Array of values (used with 
match_any)","items":{"type":"string"},"minItems":1,"type":"array"}]}},"required":["field","type","value","operator"]},"minItems":1,"type":"array"},"list_id":{"enum":["endpoint_trusted_devices"],"example":"endpoint_trusted_devices","type":"string"},"os_types":{"description":"macOS-only","items":{"enum":["macos"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_TrustedDevicesWindowsMacProperties":{"description":"Trusted devices list item properties (Windows + macOS, username not supported).","type":"object","properties":{"entries":{"description":"Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS)","items":{"type":"object","properties":{"field":{"description":"Device field to match against (username not available for multi-OS)","enum":["device.serial_number","device.type","host.name","device.vendor.name","device.vendor.id","device.product.id","device.product.name"],"type":"string"},"operator":{"description":"Must be the value \"included\"","enum":["included"],"type":"string"},"type":{"description":"Entry match type","enum":["match","wildcard","match_any"],"type":"string"},"value":{"oneOf":[{"description":"Single value (used with match or wildcard)","type":"string"},{"description":"Array of values (used with match_any)","items":{"type":"string"},"minItems":1,"type":"array"}]}},"required":["field","type","value","operator"]},"minItems":1,"type":"array"},"list_id":{"enum":["endpoint_trusted_devices"],"example":"endpoint_trusted_devices","type":"string"},"os_types":{"description":"Must include both Windows and macOS (username field not 
allowed)","items":{"enum":["windows","macos"],"type":"string"},"maxItems":2,"minItems":2,"type":"array"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_TrustedDevicesWindowsProperties":{"description":"Trusted devices list item properties (Windows-only, allows username field).","type":"object","properties":{"entries":{"description":"Exception entries for the trusted device (duplicate field entries are not allowed)","items":{"type":"object","properties":{"field":{"description":"Device field to match against (user.name is Windows-only)","enum":["device.serial_number","device.type","host.name","device.vendor.name","device.vendor.id","device.product.id","device.product.name","user.name"],"type":"string"},"operator":{"description":"Must be the value \"included\"","enum":["included"],"type":"string"},"type":{"description":"Entry match type","enum":["match","wildcard","match_any"],"type":"string"},"value":{"oneOf":[{"description":"Single value (used with match or wildcard)","type":"string"},{"description":"Array of values (used with match_any)","items":{"type":"string"},"minItems":1,"type":"array"}]}},"required":["field","type","value","operator"]},"minItems":1,"type":"array"},"list_id":{"enum":["endpoint_trusted_devices"],"example":"endpoint_trusted_devices","type":"string"},"os_types":{"description":"Must be Windows-only to allow username field","items":{"enum":["windows"],"type":"string"},"maxItems":1,"minItems":1,"type":"array"},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointArtifactTags"}},"required":["list_id"]},"Security_Exceptions_API_UpdateExceptionListItemBase":{"type":"object","properties":{"_version":{"description":"The version ID, normally returned by the API when the item is retrieved. 
Use it to ensure updates are made against the latest version.","type":"string"},"comments":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemCommentArray","default":[]},"description":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemDescription"},"expire_time":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemExpireTime"},"id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemId","description":"Either `id` or `item_id` must be specified"},"item_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemHumanId","description":"Either `id` or `item_id` must be specified"},"meta":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemMeta"},"name":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemName"},"namespace_type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionNamespaceType","default":"single"},"type":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemType"}},"required":["type","name","description"]},"Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_BlocklistLinuxProperties"}]},"Security_Exceptions_API_UpdateExceptionListItemBlocklistMac":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_BlocklistMacProperties"}]},"Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_BlocklistWindowsProperties"}]},"Security_Exceptions_API_UpdateExceptionListItemComment":{"type":"object","properties":{"comment":{"$ref":"#\/components\/schemas\/Secur
ity_Exceptions_API_NonEmptyString"},"id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_NonEmptyString"}},"required":["comment"]},"Security_Exceptions_API_UpdateExceptionListItemCommentArray":{"items":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemComment"},"type":"array"},"Security_Exceptions_API_UpdateExceptionListItemEndpointList":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EndpointListProperties"}]},"Security_Exceptions_API_UpdateExceptionListItemEventFilters":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_EventFiltersProperties"}]},"Security_Exceptions_API_UpdateExceptionListItemGeneric":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"example":{"comments":[],"description":"Updated description","entries":[{"field":"host.name","operator":"included","type":"match","value":"rock01"}],"item_id":"simple_list_item","name":"Updated 
name","namespace_type":"single","tags":[],"type":"simple"},"type":"object","properties":{"entries":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemEntryArray"},"list_id":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListHumanId"},"os_types":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemOsTypeArray","default":[]},"tags":{"$ref":"#\/components\/schemas\/Security_Exceptions_API_ExceptionListItemTags"}},"required":["entries"]}]},"Security_Exceptions_API_UpdateExceptionListItemHostIsolation":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_HostIsolationProperties"}]},"Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppsLinuxProperties"}]},"Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppsMacProperties"}]},"Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedAppsWindowsProperties"}]},"Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedDevicesMacProperties"}]},"Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedDevicesWindows
Properties"}]},"Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Exceptions_API_UpdateExceptionListItemBase"},{"$ref":"#\/components\/schemas\/Security_Exceptions_API_TrustedDevicesWindowsMacProperties"}]},"Security_Exceptions_API_UUID":{"description":"A universally unique identifier","format":"uuid","type":"string"},"Security_Lists_API_FindListItemsCursor":{"description":"Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly.","example":"WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_FindListItemsFilter":{"example":"value:127.0.0.1","type":"string"},"Security_Lists_API_FindListsCursor":{"example":"WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_FindListsFilter":{"example":"value:127.0.0.1","type":"string"},"Security_Lists_API_List":{"type":"object","properties":{"_version":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListVersionId"},"@timestamp":{"example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"created_at":{"description":"Autogenerated date of object creation.","example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","example":"elastic","type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListDescription"},"id":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"},"immutable":{"type":"boolean"},"meta":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListMetadata"},"name":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListName"},"tie_breaker_id":{"description":"Field used 
in search to ensure all containers are sorted and returned correctly.","example":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"string"},"type":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListType"},"updated_at":{"description":"Autogenerated date of last object update.","example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated object.","example":"elastic","type":"string"},"version":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListVersion"}},"required":["id","type","name","description","immutable","version","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Lists_API_ListDescription":{"description":"Describes the value list.","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_ListId":{"description":"Value list's identifier.","example":"21b01cfb-058d-44b9-838c-282be16c91cd","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_ListItem":{"type":"object","properties":{"_version":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListVersionId"},"@timestamp":{"example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"created_at":{"description":"Autogenerated date of object creation.","example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"created_by":{"description":"Autogenerated value - user that created object.","example":"elastic","type":"string"},"id":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemId"},"list_id":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListId"},"meta":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemMetadata"},"tie_breaker_id":{"description":"Field used in search to ensure all containers are sorted and returned correctly.","example":"f5508188-b1e9-4e6e-9662-d039a7d89899","type":"string"},"type":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListType"},"updated_at":{"description":"Autogenerated date of 
last object update.","example":"2025-01-08T04:47:34.273Z","format":"date-time","type":"string"},"updated_by":{"description":"Autogenerated value - user that last updated object.","example":"elastic","type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Lists_API_ListItemValue"}},"required":["id","type","list_id","value","tie_breaker_id","created_at","created_by","updated_at","updated_by"]},"Security_Lists_API_ListItemId":{"description":"Value list item's identifier.","example":"54b01cfb-058d-44b9-838c-282be16c91cd","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_ListItemMetadata":{"additionalProperties":true,"description":"Placeholder for metadata about the value list item.","type":"object"},"Security_Lists_API_ListItemPrivileges":{"type":"object","properties":{"application":{"additionalProperties":{"type":"boolean"},"type":"object"},"cluster":{"additionalProperties":{"type":"boolean"},"type":"object"},"has_all_requested":{"type":"boolean"},"index":{"additionalProperties":{"additionalProperties":{"type":"boolean"},"type":"object"},"type":"object"},"username":{"type":"string"}},"required":["username","has_all_requested","cluster","index","application"]},"Security_Lists_API_ListItemValue":{"description":"The value used to evaluate exceptions.","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_ListMetadata":{"additionalProperties":true,"description":"Placeholder for metadata about the value list.","type":"object"},"Security_Lists_API_ListName":{"description":"Value list's name.","example":"List of bad 
IPs","format":"nonempty","minLength":1,"type":"string"},"Security_Lists_API_ListPrivileges":{"type":"object","properties":{"application":{"additionalProperties":{"type":"boolean"},"type":"object"},"cluster":{"additionalProperties":{"type":"boolean"},"type":"object"},"has_all_requested":{"type":"boolean"},"index":{"additionalProperties":{"additionalProperties":{"type":"boolean"},"type":"object"},"type":"object"},"username":{"type":"string"}},"required":["username","has_all_requested","cluster","index","application"]},"Security_Lists_API_ListType":{"description":"Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:\n\n- `keyword`: Many ECS fields are Elasticsearch keywords\n- `ip`: IP addresses\n- `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)\n","enum":["binary","boolean","byte","date","date_nanos","date_range","double","double_range","float","float_range","geo_point","geo_shape","half_float","integer","integer_range","ip","ip_range","keyword","long","long_range","shape","short","text"],"type":"string"},"Security_Lists_API_ListVersion":{"description":"The document version number.","example":1,"minimum":1,"type":"integer"},"Security_Lists_API_ListVersionId":{"description":"The version id, normally returned by the API when the document is retrieved. 
Use it to ensure updates are done against the latest version.\n","example":"WzIsMV0=","type":"string"},"Security_Lists_API_PlatformErrorResponse":{"type":"object","properties":{"error":{"type":"string"},"message":{"type":"string"},"statusCode":{"type":"integer"}},"required":["statusCode","error","message"]},"Security_Lists_API_SiemErrorResponse":{"type":"object","properties":{"message":{"type":"string"},"status_code":{"type":"integer"}},"required":["status_code","message"]},"Security_Osquery_API_ArrayQueries":{"description":"An array of queries to run.","items":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ArrayQueriesItem"},"type":"array"},"Security_Osquery_API_ArrayQueriesItem":{"type":"object","properties":{"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_QueryId"},"platform":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Platform"},"query":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query"},"removed":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Removed"},"snapshot":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Snapshot"},"version":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Version"}}},"Security_Osquery_API_CopyPacksResponse":{"description":"The response for copying a pack.","example":{"data":{"created_at":"2025-02-26T13:37:30.452Z","created_by":"elastic","description":"My pack","enabled":false,"name":"my_pack_copy","policy_ids":[],"queries":[{"ecs_mapping":[{"key":"client.port","value":{"field":"port"}}],"id":"ports","interval":60,"query":"SELECT * FROM 
listening_ports;","removed":false,"snapshot":true,"timeout":120}],"saved_object_id":"1c266590-381f-428c-878f-c80c1334f856","shards":[],"updated_at":"2025-02-26T13:37:30.452Z","updated_by":"elastic"}},"type":"object","properties":{"data":{"type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"nullable":true,"type":"string"},"created_by_profile_uid":{"type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Enabled"},"name":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackName"},"policy_ids":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PolicyIds"},"queries":{"description":"Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.","items":{"type":"object","properties":{"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMappingArray"},"id":{"type":"string"},"interval":{"type":"integer"},"platform":{"type":"string"},"query":{"type":"string"},"removed":{"type":"boolean"},"snapshot":{"type":"boolean"},"timeout":{"type":"integer"},"version":{"type":"string"}}},"type":"array"},"saved_object_id":{"description":"The saved object ID of the copied pack.","type":"string"},"shards":{"description":"Shard configuration as an array of key-value pairs.","items":{"type":"object","properties":{"key":{"type":"string"},"value":{"type":"number"}}},"type":"array"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"nullable":true,"type":"string"},"updated_by_profile_uid":{"type":"string"},"version":{"description":"The pack version number.","type":"integer"}},"required":["saved_object_id","name"]}},"required":["data"]},"Security_Osquery_API_CopySavedQueryResponse":{"description":"The response for copying a saved query.","example":{"data":{"created_at":"2025-02-26T13:37:30.452Z","created_by":"elastic","description":"Saved query 
description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"my_saved_query_copy","interval":"60","platform":"linux,darwin","query":"select * from uptime;","removed":false,"saved_object_id":"42ba1280-2172-11ee-8523-5765fca79a3c","snapshot":true,"timeout":120,"updated_at":"2025-02-26T13:37:30.452Z","updated_by":"elastic"}},"type":"object","properties":{"data":{"type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"nullable":true,"type":"string"},"created_by_profile_uid":{"type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryDescription"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"},"interval":{"oneOf":[{"type":"integer"},{"type":"string"}]},"platform":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Platform"},"query":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query"},"removed":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Removed"},"saved_object_id":{"type":"string"},"snapshot":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Snapshot"},"timeout":{"type":"integer"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"nullable":true,"type":"string"},"updated_by_profile_uid":{"type":"string"}},"required":["saved_object_id","id"]}},"required":["data"]},"Security_Osquery_API_CreateLiveQueryRequestBody":{"example":{"agent_all":true,"ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"query":"select * from uptime;"},"type":"object","properties":{"agent_all":{"description":"When `true`, the query runs on all agents.","type":"boolean"},"agent_ids":{"description":"A list of agent IDs to run the query on.","items":{"type":"string"},"type":"array"},"agent_platforms":{"description":"A list of agent platforms to run the query on.","items":{"type":"string"},"type":"array"},"agent_policy_ids":{"description":"A list of agent policy 
IDs to run the query on.","items":{"type":"string"},"type":"array"},"alert_ids":{"description":"A list of alert IDs associated with the live query.","items":{"type":"string"},"type":"array"},"case_ids":{"description":"A list of case IDs associated with the live query.","items":{"type":"string"},"type":"array"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"event_ids":{"description":"A list of event IDs associated with the live query.","items":{"type":"string"},"type":"array"},"metadata":{"description":"Custom metadata object associated with the live query.","nullable":true,"type":"object"},"pack_id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackId"},"queries":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ArrayQueries"},"query":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query"},"saved_query_id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"}}},"Security_Osquery_API_CreateLiveQueryResponse":{"description":"The response for creating a live query.","example":{"data":{"@timestamp":"2022-07-26T09:59:32.220Z","action_id":"3c42c847-eb30-4452-80e0-728584042334","agent_all":true,"agent_ids":[],"agent_platforms":[],"agent_policy_ids":[],"agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"expiration":"2022-07-26T10:04:32.220Z","input_type":"osquery","metadata":{"execution_context":{"name":"osquery","url":"\/app\/osquery\/live_queries\/new"}},"queries":[{"action_id":"609c4c66-ba3d-43fa-afdd-53e244577aa0","agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"6724a474-cbba-41ef-a1aa-66aebf0879e2","query":"select * from uptime;","timeout":120}],"type":"INPUT_ACTION","user_id":"elastic"}},"type":"object","properties":{"data":{"type":"object","properties":{"@timestamp":{"description":"The timestamp when the action was created.","format":"date-time","type":"string"},"action_id":{"description":"The ID of the 
action.","type":"string"},"agent_all":{"description":"Whether the query targets all agents.","type":"boolean"},"agent_ids":{"description":"The agent IDs targeted by the action.","items":{"type":"string"},"type":"array"},"agent_platforms":{"description":"The agent platforms targeted.","items":{"type":"string"},"type":"array"},"agent_policy_ids":{"description":"The agent policy IDs targeted.","items":{"type":"string"},"type":"array"},"agents":{"description":"The resolved list of agent IDs.","items":{"type":"string"},"type":"array"},"expiration":{"description":"The expiration date of the action.","format":"date-time","type":"string"},"input_type":{"description":"The input type.","type":"string"},"metadata":{"description":"Custom metadata associated with the action.","type":"object"},"pack_id":{"description":"The pack ID if the query was run from a pack.","type":"string"},"queries":{"description":"The queries in this action.","items":{"type":"object","properties":{"action_id":{"type":"string"},"agents":{"items":{"type":"string"},"type":"array"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"type":"string"},"platform":{"type":"string"},"query":{"type":"string"},"saved_query_id":{"type":"string"},"timeout":{"type":"integer"},"version":{"type":"string"}}},"type":"array"},"type":{"description":"The action type.","type":"string"},"user_id":{"description":"The user who created the action.","type":"string"}},"required":["action_id"]}},"required":["data"]},"Security_Osquery_API_CreatePacksRequestBody":{"example":{"description":"My pack","enabled":true,"name":"my_pack","policy_ids":["my_policy_id","fleet-server-policy"],"queries":{"my_query":{"ecs_mapping":{"client.port":{"field":"port"},"tags":{"value":["tag1","tag2"]}},"interval":60,"query":"SELECT * FROM 
listening_ports;","timeout":120}},"shards":{"fleet-server-policy":58,"my_policy_id":35}},"type":"object","properties":{"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Enabled"},"name":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackName"},"policy_ids":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PolicyIds"},"queries":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ObjectQueries"},"shards":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Shards"}}},"Security_Osquery_API_CreatePacksResponse":{"description":"The response for creating a pack.","example":{"data":{"created_at":"2025-02-26T13:37:30.452Z","created_by":"elastic","description":"My pack","enabled":true,"name":"my_pack","policy_ids":["my_policy_id"],"queries":{"ports":{"ecs_mapping":{"client.port":{"field":"port"}},"interval":60,"query":"SELECT * FROM listening_ports;","removed":false,"snapshot":true,"timeout":120}},"saved_object_id":"1c266590-381f-428c-878f-c80c1334f856","shards":{"47638692-7c4c-4053-aa3e-7186f28df349":35,"5e267651-fe50-443e-8d3f-3bbc9171b618":58},"updated_at":"2025-02-26T13:37:30.452Z","updated_by":"elastic","version":1}},"type":"object","properties":{"data":{"type":"object","properties":{"created_at":{"description":"The date and time the pack was created.","format":"date-time","type":"string"},"created_by":{"description":"The user who created the pack.","nullable":true,"type":"string"},"created_by_profile_uid":{"description":"The profile UID of the user who created the 
pack.","type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Enabled"},"name":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackName"},"policy_ids":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PolicyIds"},"queries":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ObjectQueries"},"saved_object_id":{"description":"The saved object ID of the pack.","type":"string"},"shards":{"description":"Shard configuration as an array of key-value pairs.","items":{"type":"object","properties":{"key":{"type":"string"},"value":{"type":"number"}}},"type":"array"},"updated_at":{"description":"The date and time the pack was last updated.","format":"date-time","type":"string"},"updated_by":{"description":"The user who last updated the pack.","nullable":true,"type":"string"},"updated_by_profile_uid":{"description":"The profile UID of the user who last updated the pack.","type":"string"},"version":{"description":"The pack version number.","type":"integer"}},"required":["saved_object_id","name"]}},"required":["data"]},"Security_Osquery_API_CreateSavedQueryRequestBody":{"example":{"description":"Saved query description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"saved_query_id","interval":"60","platform":"linux,darwin","query":"select * from 
uptime;","timeout":120,"version":"2.8.0"},"type":"object","properties":{"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryDescription"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"},"interval":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Interval"},"platform":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Platform"},"query":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query"},"removed":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Removed"},"snapshot":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Snapshot"},"version":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Version"}}},"Security_Osquery_API_CreateSavedQueryResponse":{"description":"The response for creating a saved query.","example":{"data":{"created_at":"2025-02-26T13:37:30.452Z","created_by":"elastic","description":"Saved query description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"saved_query_id","interval":"60","platform":"linux,darwin","prebuilt":false,"query":"select * from uptime;","saved_object_id":"42ba1280-2172-11ee-8523-5765fca79a3c","timeout":120,"updated_at":"2025-02-26T13:37:30.452Z","updated_by":"elastic","version":"2.8.0"}},"type":"object","properties":{"data":{"type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"nullable":true,"type":"string"},"created_by_profile_uid":{"type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryDescription"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"},"interval":{"description":"An interval, in seconds, on which to run the query. 
May be returned as number or string.","oneOf":[{"type":"integer"},{"type":"string"}]},"platform":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Platform"},"prebuilt":{"description":"Whether the saved query is prebuilt.","type":"boolean"},"query":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query"},"removed":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Removed"},"saved_object_id":{"description":"The saved object ID of the saved query.","type":"string"},"snapshot":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Snapshot"},"timeout":{"description":"The query timeout in seconds.","type":"integer"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"nullable":true,"type":"string"},"updated_by_profile_uid":{"type":"string"},"version":{"description":"The saved query version.","oneOf":[{"type":"integer"},{"type":"string"}]}},"required":["saved_object_id","id"]}},"required":["data"]},"Security_Osquery_API_DefaultSuccessResponse":{"example":{},"type":"object","properties":{}},"Security_Osquery_API_ECSMapping":{"additionalProperties":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMappingItem"},"description":"Map osquery results columns or static values to Elastic Common Schema (ECS) fields","example":{"host.uptime":{"field":"total_seconds"}},"type":"object"},"Security_Osquery_API_ECSMappingArray":{"description":"ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. 
The read endpoint returns object format (ECSMapping).","items":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMappingArrayItem"},"type":"array"},"Security_Osquery_API_ECSMappingArrayItem":{"description":"ECS mapping item in saved-object storage format (key-value pair).","type":"object","properties":{"key":{"description":"The ECS field name.","type":"string"},"value":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMappingItem"}}},"Security_Osquery_API_ECSMappingArrayOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMappingArray","nullable":true},"Security_Osquery_API_ECSMappingItem":{"type":"object","properties":{"field":{"description":"The ECS field to map to.","example":"host.uptime","type":"string"},"value":{"description":"The value to map to the ECS field.","example":"total_seconds","oneOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}]}}},"Security_Osquery_API_ECSMappingOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping","nullable":true},"Security_Osquery_API_Enabled":{"description":"Enables the pack.","example":true,"type":"boolean"},"Security_Osquery_API_EnabledOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Enabled","nullable":true},"Security_Osquery_API_FindLiveQueryDetailsResponse":{"example":{"data":{"@timestamp":"2022-07-26T09:59:32.220Z","action_id":"3c42c847-eb30-4452-80e0-728584042334","agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"expiration":"2022-07-26T10:04:32.220Z","queries":[{"action_id":"609c4c66-ba3d-43fa-afdd-53e244577aa0","agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"docs":0,"ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"failed":1,"id":"6724a474-cbba-41ef-a1aa-66aebf0879e2","pending":0,"query":"select * from 
uptime;","responded":1,"saved_query_id":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d","status":"completed","successful":0}],"status":"completed","user_id":"elastic"}},"type":"object","properties":{"data":{"type":"object","properties":{"@timestamp":{"format":"date-time","type":"string"},"action_id":{"type":"string"},"agents":{"items":{"type":"string"},"type":"array"},"expiration":{"format":"date-time","type":"string"},"pack_id":{"type":"string"},"pack_name":{"type":"string"},"prebuilt_pack":{"type":"boolean"},"queries":{"description":"The queries with their execution status.","items":{"type":"object","properties":{"action_id":{"type":"string"},"agents":{"items":{"type":"string"},"type":"array"},"docs":{"description":"Number of result documents.","type":"integer"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"failed":{"description":"Number of failed queries.","type":"integer"},"id":{"type":"string"},"pending":{"description":"Number of pending agents.","type":"integer"},"query":{"type":"string"},"responded":{"description":"Total responded agents.","type":"integer"},"saved_query_id":{"type":"string"},"status":{"description":"Status of this individual query.","enum":["completed","running"],"type":"string"},"successful":{"description":"Number of successful agents.","type":"integer"}}},"type":"array"},"status":{"description":"Global status of the live query (completed, 
running).","enum":["completed","running"],"type":"string"},"tags":{"items":{"type":"string"},"type":"array"},"user_id":{"type":"string"},"user_profile_uid":{"type":"string"}}}}},"Security_Osquery_API_FindLiveQueryResponse":{"example":{"data":{"items":[{"_source":{"@timestamp":"2023-10-31T00:00:00Z","action_id":"3c42c847-eb30-4452-80e0-728584042334","agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"expiration":"2023-10-31T00:00:00Z","queries":[{"action_id":"609c4c66-ba3d-43fa-afdd-53e244577aa0","agents":["16d7caf5-efd2-4212-9b62-73dafc91fa13"],"ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"6724a474-cbba-41ef-a1aa-66aebf0879e2","query":"select * from uptime;","saved_query_id":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d"}],"result_counts":{"error_agents":0,"responded_agents":1,"successful_agents":1,"total_rows":42},"user_id":"elastic"}}],"total":1}},"type":"object","properties":{"data":{"type":"object","properties":{"items":{"description":"An array of live query action items.","items":{"type":"object","properties":{"_source":{"type":"object","properties":{"@timestamp":{"format":"date-time","type":"string"},"action_id":{"type":"string"},"agents":{"items":{"type":"string"},"type":"array"},"expiration":{"format":"date-time","type":"string"},"pack_id":{"type":"string"},"queries":{"items":{"type":"object","properties":{"action_id":{"type":"string"},"agents":{"items":{"type":"string"},"type":"array"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"type":"string"},"query":{"type":"string"},"saved_query_id":{"type":"string"}}},"type":"array"},"result_counts":{"description":"Result count statistics (present when withResultCounts is true).","type":"object","properties":{"error_agents":{"type":"integer"},"responded_agents":{"type":"integer"},"successful_agents":{"type":"integer"},"total_rows":{"type":"integer"}}},"user_id":{"type":"string"}}}}},"type":"array"},"total":{"description":"The total number of live 
queries.","type":"integer"}}}}},"Security_Osquery_API_FindPackResponse":{"description":"The details of a single query pack.","example":{"data":{"created_at":"2022-07-25T19:41:10.263Z","created_by":"elastic","description":"","enabled":true,"name":"test_pack","namespaces":["default"],"policy_ids":[],"queries":{"uptime":{"ecs_mapping":{"message":{"field":"days"}},"interval":3600,"query":"select * from uptime"}},"read_only":false,"saved_object_id":"3c42c847-eb30-4452-80e0-728584042334","shards":{},"type":"osquery-pack","updated_at":"2022-07-25T20:12:01.455Z","updated_by":"elastic","version":1}},"type":"object","properties":{"data":{"description":"The pack details.","type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"nullable":true,"type":"string"},"created_by_profile_uid":{"type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Enabled"},"name":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackName"},"namespaces":{"description":"The namespaces the pack belongs to.","items":{"type":"string"},"type":"array"},"policy_ids":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PolicyIds"},"queries":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ObjectQueries"},"read_only":{"description":"Whether the pack is read-only (true for prebuilt packs).","type":"boolean"},"saved_object_id":{"description":"The saved object ID of the pack.","type":"string"},"shards":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Shards"},"type":{"description":"The saved object type.","type":"string"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"nullable":true,"type":"string"},"updated_by_profile_uid":{"type":"string"},"version":{"description":"The pack version number.","type":"integer"}},"required":["saved_object_id","name"]}},"required":["data"]},"Security_Osquery_API_FindPacksResponse":{"description":"A 
paginated list of query packs.","example":{"data":[{"created_at":"2023-10-31T00:00:00Z","created_by":"elastic","created_by_profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","description":"My pack description","enabled":true,"name":"My Pack","policy_ids":[],"queries":[{"ecs_mapping":[{"key":"host.uptime","value":{"field":"total_seconds"}}],"id":"uptime","interval":3600,"query":"select * from uptime;"}],"read_only":false,"saved_object_id":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d","updated_at":"2023-10-31T00:00:00Z","updated_by":"elastic","updated_by_profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"page":1,"per_page":10,"total":1},"type":"object","properties":{"data":{"description":"An array of pack objects.","items":{"type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"nullable":true,"type":"string"},"created_by_profile_uid":{"type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Enabled"},"name":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackName"},"policy_ids":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PolicyIds"},"queries":{"description":"Pack queries in saved-object storage format (array). 
Note: the read endpoint returns object format.","items":{"type":"object","properties":{"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMappingArray"},"id":{"type":"string"},"interval":{"type":"integer"},"platform":{"type":"string"},"query":{"type":"string"},"removed":{"type":"boolean"},"snapshot":{"type":"boolean"},"timeout":{"type":"integer"},"version":{"type":"string"}}},"type":"array"},"read_only":{"description":"Whether the pack is read-only (true for prebuilt packs).","type":"boolean"},"saved_object_id":{"description":"The saved object ID of the pack.","type":"string"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"nullable":true,"type":"string"},"updated_by_profile_uid":{"type":"string"},"version":{"description":"The pack version number.","type":"integer"}},"required":["saved_object_id","name"]},"type":"array"},"page":{"description":"The current page number.","type":"integer"},"per_page":{"description":"The number of results per page.","type":"integer"},"total":{"description":"The total number of packs.","type":"integer"}},"required":["page","per_page","total","data"]},"Security_Osquery_API_FindSavedQueryDetailResponse":{"description":"The details of a single saved query.","example":{"data":{"created_at":"2022-07-26T09:28:08.597Z","created_by":"elastic","description":"Saved query description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"saved_query_id","interval":"60","platform":"linux,darwin","prebuilt":false,"query":"select * from 
uptime;","saved_object_id":"3c42c847-eb30-4452-80e0-728584042334","updated_at":"2022-07-26T09:28:08.597Z","updated_by":"elastic","version":"2.8.0"}},"type":"object","properties":{"data":{"type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"nullable":true,"type":"string"},"created_by_profile_uid":{"type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryDescription"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"},"interval":{"oneOf":[{"type":"integer"},{"type":"string"}]},"platform":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Platform"},"prebuilt":{"type":"boolean"},"query":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query"},"removed":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Removed"},"saved_object_id":{"type":"string"},"snapshot":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Snapshot"},"timeout":{"type":"integer"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"nullable":true,"type":"string"},"updated_by_profile_uid":{"type":"string"},"version":{"oneOf":[{"type":"integer"},{"type":"string"}]}},"required":["saved_object_id","id"]}},"required":["data"]},"Security_Osquery_API_FindSavedQueryResponse":{"description":"A paginated list of saved queries.","example":{"data":[{"created_at":"2022-07-26T09:28:08.597Z","created_by":"elastic","created_by_profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","description":"Saved query description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"saved_query_id","interval":"60","platform":"linux,darwin","prebuilt":false,"query":"select * from 
uptime;","saved_object_id":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d","updated_at":"2022-07-26T09:28:08.597Z","updated_by":"elastic","updated_by_profile_uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","version":"2.8.0"}],"page":1,"per_page":100,"total":11},"type":"object","properties":{"data":{"description":"An array of saved query objects.","items":{"type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"nullable":true,"type":"string"},"created_by_profile_uid":{"type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryDescription"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"},"interval":{"oneOf":[{"type":"integer"},{"type":"string"}]},"platform":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Platform"},"prebuilt":{"type":"boolean"},"query":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query"},"removed":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Removed"},"saved_object_id":{"type":"string"},"snapshot":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Snapshot"},"timeout":{"type":"integer"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"nullable":true,"type":"string"},"updated_by_profile_uid":{"type":"string"},"version":{"oneOf":[{"type":"integer"},{"type":"string"}]}},"required":["saved_object_id","id"]},"type":"array"},"page":{"description":"The current page number.","type":"integer"},"per_page":{"description":"The number of results per page.","type":"integer"},"total":{"description":"The total number of saved queries.","type":"integer"}},"required":["page","per_page","total","data"]},"Security_Osquery_API_GetLiveQueryResultsResponse":{"description":"The response for getting live query 
results.","example":{"data":{"edges":[{"_id":"doc1","_source":{}},{"_id":"doc2","_source":{}}],"total":2}},"type":"object","properties":{"data":{"type":"object","properties":{"edges":{"description":"The result rows from the query execution.","items":{"type":"object","properties":{"_id":{"type":"string"},"_source":{"description":"The Elasticsearch document source containing query results.","type":"object"}}},"type":"array"},"total":{"description":"The total number of result rows.","type":"integer"}}}}},"Security_Osquery_API_GetScheduledActionResultsResponse":{"example":{"aggregations":{"failed":1,"pending":0,"successful":9,"totalResponded":10,"totalRowCount":42},"currentPage":0,"edges":[{"_id":"result-001","fields":{"agent_id":"16d7caf5-efd2-4212-9b62-73dafc91fa13","rows_count":5,"status":"success"}}],"metadata":{"executionCount":3,"packId":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d","packName":"My Pack","queryName":"uptime","queryText":"select * from uptime;","scheduleId":"pack_my_pack_uptime","timestamp":"2024-07-26T09:00:00.000Z"},"pageSize":20,"total":10,"totalPages":1},"type":"object","properties":{"aggregations":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ScheduledActionResultsAggregations"},"currentPage":{"description":"The current page number (zero-based).","type":"integer"},"edges":{"description":"The paginated list of per-agent action results.","items":{"type":"object"},"type":"array"},"inspect":{"description":"Debug\/inspection data for the search query.","type":"object"},"metadata":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ScheduledExecutionMetadata"},"pageSize":{"description":"The number of results per page.","type":"integer"},"total":{"description":"The total number of action results.","type":"integer"},"totalPages":{"description":"The total number of pages.","type":"integer"}}},"Security_Osquery_API_GetScheduledQueryResultsResponse":{"description":"The response for getting scheduled query 
results.","example":{"data":{"edges":[{"_id":"row-001","fields":{"host.uptime":["12345"]}},{"_id":"row-002","fields":{"host.uptime":["67890"]}}],"total":2}},"type":"object","properties":{"data":{"description":"The query results data wrapper.","type":"object","properties":{"edges":{"description":"The paginated list of query result rows.","items":{"type":"object"},"type":"array"},"inspect":{"description":"Debug\/inspection data for the search query.","type":"object"},"total":{"description":"The total number of result rows.","type":"integer"}}}}},"Security_Osquery_API_GetUnifiedHistoryResponse":{"example":{"data":[{"actionId":"609c4c66-ba3d-43fa-afdd-53e244577aa0","agentCount":5,"errorCount":0,"id":"3c42c847-eb30-4452-80e0-728584042334","queryName":"uptime_query","queryText":"select * from uptime;","source":"Live","sourceType":"live","successCount":5,"timestamp":"2024-07-26T09:59:32.220Z","totalRows":42,"userId":"elastic"},{"agentCount":10,"errorCount":1,"executionCount":3,"id":"pack_my_pack_uptime_3","packId":"42ba9c50-0cc5-11ed-aa1d-2b27890bc90d","packName":"My Pack","plannedTime":"2024-07-26T09:00:00.000Z","queryName":"uptime","queryText":"select * from uptime;","scheduleId":"pack_my_pack_uptime","source":"Scheduled","sourceType":"scheduled","successCount":9,"timestamp":"2024-07-26T09:00:00.000Z","totalRows":100}],"hasMore":true,"nextPage":"eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3..."},"type":"object","properties":{"data":{"description":"The list of unified history rows for the current page.","items":{"$ref":"#\/components\/schemas\/Security_Osquery_API_UnifiedHistoryRow"},"type":"array"},"hasMore":{"description":"Whether there are more results beyond the current page.","type":"boolean"},"nextPage":{"description":"A base64-encoded cursor to fetch the next page. 
Absent when there are no more results.","type":"string"}},"required":["data","hasMore"]},"Security_Osquery_API_Interval":{"description":"An interval, in seconds, on which to run the query.","example":"60","type":"string"},"Security_Osquery_API_IntervalOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Interval","nullable":true},"Security_Osquery_API_KueryOrUndefined":{"description":"The kuery to filter the results by.","example":"agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13","nullable":true,"type":"string"},"Security_Osquery_API_LiveHistoryRow":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Osquery_API_UnifiedHistoryRowBase"},{"type":"object","properties":{"actionId":{"description":"The Fleet action ID for the live query.","type":"string"},"agentAll":{"description":"Whether the query targeted all agents.","type":"boolean"},"agentIds":{"description":"List of targeted agent IDs.","items":{"type":"string"},"type":"array"},"agentPlatforms":{"description":"List of targeted agent platforms.","items":{"type":"string"},"type":"array"},"agentPolicyIds":{"description":"List of targeted agent policy IDs.","items":{"type":"string"},"type":"array"},"ecsMapping":{"additionalProperties":true,"description":"ECS mapping configuration used for the query.","type":"object"},"queriesTotal":{"description":"The total number of sub-queries in the live action.","type":"integer"},"queriesWithResults":{"description":"The number of sub-queries that returned results.","type":"integer"},"savedQueryId":{"description":"The saved query ID, if the live query was based on a saved query.","type":"string"},"source":{"description":"Whether this was a manually run live query or triggered by a rule.","enum":["Live","Rule"],"type":"string"},"sourceType":{"description":"Identifies this as a live query history row.","enum":["live"],"type":"string"},"timeout":{"description":"The query timeout in seconds.","type":"integer"},"userId":{"description":"The ID of the user who ran the 
query.","type":"string"},"userProfileUid":{"description":"The user profile UID of the user who ran the query.","type":"string"}},"required":["sourceType","source"]}]},"Security_Osquery_API_ObjectQueries":{"additionalProperties":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ObjectQueriesItem"},"description":"An object of queries.","type":"object"},"Security_Osquery_API_ObjectQueriesItem":{"type":"object","properties":{"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_QueryId"},"platform":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Platform"},"query":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query"},"removed":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Removed"},"saved_query_id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"},"snapshot":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Snapshot"},"version":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Version"}}},"Security_Osquery_API_PackDescription":{"description":"The pack description.","example":"Pack description","type":"string"},"Security_Osquery_API_PackDescriptionOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackDescription","nullable":true},"Security_Osquery_API_PackId":{"description":"The ID of the pack.","example":"3c42c847-eb30-4452-80e0-728584042334","type":"string"},"Security_Osquery_API_PackIdOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackId","nullable":true},"Security_Osquery_API_PackName":{"description":"The pack name.","example":"my_pack","type":"string"},"Security_Osquery_API_PageOrUndefined":{"description":"The page number to return. The default is 1.","example":1,"nullable":true,"type":"integer"},"Security_Osquery_API_PageSizeOrUndefined":{"description":"The number of results to return per page. 
The default is 20.","example":20,"nullable":true,"type":"integer"},"Security_Osquery_API_Platform":{"description":"Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.","example":"linux,darwin","type":"string"},"Security_Osquery_API_PlatformOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Platform","nullable":true},"Security_Osquery_API_PolicyIds":{"description":"A list of agent policy IDs.","example":["policyId1","policyId2"],"items":{"type":"string"},"type":"array"},"Security_Osquery_API_PolicyIdsOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PolicyIds","nullable":true},"Security_Osquery_API_Query":{"description":"The SQL query you want to run.","example":"select * from uptime;","type":"string"},"Security_Osquery_API_QueryId":{"description":"The ID of the query.","example":"3c42c847-eb30-4452-80e0-728584042334","type":"string"},"Security_Osquery_API_QueryOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query","nullable":true},"Security_Osquery_API_Removed":{"description":"Indicates whether the query is removed.","example":false,"type":"boolean"},"Security_Osquery_API_RemovedOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Removed","nullable":true},"Security_Osquery_API_SavedQueryDescription":{"description":"The saved query description.","example":"Saved query description","type":"string"},"Security_Osquery_API_SavedQueryDescriptionOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryDescription","nullable":true},"Security_Osquery_API_SavedQueryId":{"description":"The ID of a saved 
query.","example":"3c42c847-eb30-4452-80e0-728584042334","type":"string"},"Security_Osquery_API_SavedQueryIdOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId","nullable":true},"Security_Osquery_API_ScheduledActionResultsAggregations":{"type":"object","properties":{"failed":{"description":"The number of agents that returned errors.","type":"integer"},"pending":{"description":"The number of agents with pending responses.","type":"integer"},"successful":{"description":"The number of agents that completed successfully.","type":"integer"},"totalResponded":{"description":"The total number of agents that responded.","type":"integer"},"totalRowCount":{"description":"The total number of result rows across all agents.","type":"integer"}}},"Security_Osquery_API_ScheduledExecutionMetadata":{"description":"Execution metadata resolved from the pack saved object.","type":"object","properties":{"executionCount":{"description":"The execution count for this scheduled query run.","type":"integer"},"packId":{"description":"The ID of the pack containing the query.","type":"string"},"packName":{"description":"The name of the pack containing the query.","type":"string"},"queryName":{"description":"The name of the query within the pack.","type":"string"},"queryText":{"description":"The SQL query that was executed.","type":"string"},"scheduleId":{"description":"The schedule ID for the scheduled query.","type":"string"},"timestamp":{"description":"The timestamp of the most recent response for this execution.","type":"string"}}},"Security_Osquery_API_ScheduledHistoryRow":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Osquery_API_UnifiedHistoryRowBase"},{"type":"object","properties":{"executionCount":{"description":"The execution count for this scheduled query run.","type":"integer"},"plannedTime":{"description":"The planned execution time for the scheduled query.","type":"string"},"scheduleId":{"description":"The schedule ID for the scheduled 
query.","type":"string"},"source":{"description":"Indicates this is a scheduled query execution.","enum":["Scheduled"],"type":"string"},"sourceType":{"description":"Identifies this as a scheduled query history row.","enum":["scheduled"],"type":"string"}},"required":["sourceType","source"]}]},"Security_Osquery_API_Shards":{"additionalProperties":{"type":"number"},"description":"An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1\u2013100) of target hosts.","example":{"policy_id":50},"type":"object"},"Security_Osquery_API_Snapshot":{"description":"Indicates whether the query is a snapshot.","example":true,"type":"boolean"},"Security_Osquery_API_SnapshotOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Snapshot","nullable":true},"Security_Osquery_API_SortOrderOrUndefined":{"description":"Specifies the sort order.","enum":["asc","desc"],"example":"desc","type":"string"},"Security_Osquery_API_SortOrUndefined":{"default":"createdAt","description":"The field that is used to sort the results.","example":"createdAt","nullable":true,"type":"string"},"Security_Osquery_API_UnifiedHistoryRow":{"discriminator":{"mapping":{"live":"#\/components\/schemas\/Security_Osquery_API_LiveHistoryRow","scheduled":"#\/components\/schemas\/Security_Osquery_API_ScheduledHistoryRow"},"propertyName":"sourceType"},"oneOf":[{"$ref":"#\/components\/schemas\/Security_Osquery_API_LiveHistoryRow"},{"$ref":"#\/components\/schemas\/Security_Osquery_API_ScheduledHistoryRow"}]},"Security_Osquery_API_UnifiedHistoryRowBase":{"type":"object","properties":{"agentCount":{"description":"The number of agents targeted by the query.","type":"integer"},"errorCount":{"description":"The number of agent responses with errors.","nullable":true,"type":"integer"},"id":{"description":"Unique identifier for the history row.","type":"string"},"packId":{"description":"The ID of the pack containing the 
query.","type":"string"},"packName":{"description":"The name of the pack containing the query.","type":"string"},"queryName":{"description":"The name of the query, if available.","type":"string"},"queryText":{"description":"The SQL query that was executed.","type":"string"},"spaceId":{"description":"The Kibana space ID where the query was executed.","type":"string"},"successCount":{"description":"The number of successful agent responses.","nullable":true,"type":"integer"},"timestamp":{"description":"The timestamp of the query execution.","type":"string"},"totalRows":{"description":"The total number of result rows returned across all agents.","nullable":true,"type":"integer"}},"required":["id","timestamp","queryText","agentCount"]},"Security_Osquery_API_UpdatePacksRequestBody":{"example":{"name":"updated_my_pack_name"},"type":"object","properties":{"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Enabled"},"name":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackName"},"policy_ids":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PolicyIds"},"queries":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ObjectQueries"},"shards":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Shards"}}},"Security_Osquery_API_UpdatePacksResponse":{"description":"The response for updating a pack.","example":{"data":{"created_at":"2025-02-26T13:37:30.452Z","created_by":"elastic","description":"My pack","enabled":true,"name":"updated_my_pack_name","policy_ids":["my_policy_id"],"queries":{"ports":{"ecs_mapping":{"client.port":{"field":"port"}},"interval":60,"query":"SELECT * FROM 
listening_ports;","removed":false,"snapshot":true,"timeout":120}},"saved_object_id":"1c266590-381f-428c-878f-c80c1334f856","shards":{"47638692-7c4c-4053-aa3e-7186f28df349":35,"5e267651-fe50-443e-8d3f-3bbc9171b618":58},"updated_at":"2025-02-26T13:40:16.297Z","updated_by":"elastic","version":1}},"type":"object","properties":{"data":{"type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"nullable":true,"type":"string"},"created_by_profile_uid":{"type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackDescription"},"enabled":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Enabled"},"name":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PackName"},"policy_ids":{"$ref":"#\/components\/schemas\/Security_Osquery_API_PolicyIds"},"queries":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ObjectQueries"},"saved_object_id":{"description":"The saved object ID of the pack.","type":"string"},"shards":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Shards"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"nullable":true,"type":"string"},"updated_by_profile_uid":{"type":"string"},"version":{"description":"The pack version 
number.","type":"integer"}}}}},"Security_Osquery_API_UpdateSavedQueryRequestBody":{"example":{"id":"updated_my_saved_query_name"},"type":"object","properties":{"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryDescription"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"},"interval":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Interval"},"platform":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Platform"},"query":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query"},"removed":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Removed"},"snapshot":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Snapshot"},"version":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Version"}}},"Security_Osquery_API_UpdateSavedQueryResponse":{"description":"The response for updating a saved query.","example":{"data":{"created_at":"2025-02-26T13:37:30.452Z","created_by":"elastic","description":"Saved query description","id":"updated_my_saved_query_name","interval":"60","query":"select * from 
uptime;","saved_object_id":"42ba1280-2172-11ee-8523-5765fca79a3c","updated_at":"2025-02-26T13:40:16.297Z","updated_by":"elastic","version":"WzQzMTcsMV0="}},"type":"object","properties":{"data":{"type":"object","properties":{"created_at":{"format":"date-time","type":"string"},"created_by":{"nullable":true,"type":"string"},"created_by_profile_uid":{"type":"string"},"description":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryDescription"},"ecs_mapping":{"$ref":"#\/components\/schemas\/Security_Osquery_API_ECSMapping"},"id":{"$ref":"#\/components\/schemas\/Security_Osquery_API_SavedQueryId"},"interval":{"oneOf":[{"type":"integer"},{"type":"string"}]},"platform":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Platform"},"prebuilt":{"type":"boolean"},"query":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Query"},"removed":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Removed"},"saved_object_id":{"type":"string"},"snapshot":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Snapshot"},"timeout":{"type":"integer"},"updated_at":{"format":"date-time","type":"string"},"updated_by":{"nullable":true,"type":"string"},"updated_by_profile_uid":{"type":"string"},"version":{"description":"The saved query version.","type":"string"}},"required":["saved_object_id","id"]}},"required":["data"]},"Security_Osquery_API_Version":{"description":"Uses the Osquery versions greater than or equal to the specified version string.","example":"1.0.0","type":"string"},"Security_Osquery_API_VersionOrUndefined":{"$ref":"#\/components\/schemas\/Security_Osquery_API_Version","nullable":true},"Security_Timeline_API_AssociatedFilterType":{"description":"How the note is associated with a Timeline saved object and\/or an event (`eventId`). `all`: no association-based restriction from this parameter. 
`document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases).\n","enum":["all","document_only","saved_object_only","document_and_saved_object","orphan"],"type":"string"},"Security_Timeline_API_BareNote":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Timeline_API_NoteCreatedAndUpdatedMetadata"},{"type":"object","properties":{"eventId":{"description":"Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET \/api\/note.\n","example":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","nullable":true,"type":"string"},"note":{"description":"The text of the note","example":"This is an example text","nullable":true,"type":"string"},"timelineId":{"description":"The `savedObjectId` of the Timeline this note belongs to (not the note's own ID).","example":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","type":"string"}},"required":["timelineId"]}]},"Security_Timeline_API_BarePinnedEvent":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata"},{"type":"object","properties":{"eventId":{"description":"The `_id` of the associated event for this pinned event.","example":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc","type":"string"},"timelineId":{"description":"The `savedObjectId` of the timeline that this pinned event is associated 
with","example":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","type":"string"}},"required":["eventId","timelineId"]}]},"Security_Timeline_API_ColumnHeaderResult":{"type":"object","properties":{"aggregatable":{"nullable":true,"type":"boolean"},"category":{"nullable":true,"type":"string"},"columnHeaderType":{"nullable":true,"type":"string"},"description":{"nullable":true,"type":"string"},"example":{"nullable":true,"type":"string"},"id":{"nullable":true,"type":"string"},"indexes":{"items":{"type":"string"},"nullable":true,"type":"array"},"name":{"nullable":true,"type":"string"},"placeholder":{"nullable":true,"type":"string"},"searchable":{"nullable":true,"type":"boolean"},"type":{"nullable":true,"type":"string"}}},"Security_Timeline_API_DataProviderQueryMatch":{"type":"object","properties":{"enabled":{"nullable":true,"type":"boolean"},"excluded":{"nullable":true,"type":"boolean"},"id":{"nullable":true,"type":"string"},"kqlQuery":{"nullable":true,"type":"string"},"name":{"nullable":true,"type":"string"},"queryMatch":{"$ref":"#\/components\/schemas\/Security_Timeline_API_QueryMatchResult","nullable":true},"type":{"$ref":"#\/components\/schemas\/Security_Timeline_API_DataProviderType","nullable":true}}},"Security_Timeline_API_DataProviderResult":{"type":"object","properties":{"and":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_DataProviderQueryMatch"},"nullable":true,"type":"array"},"enabled":{"nullable":true,"type":"boolean"},"excluded":{"nullable":true,"type":"boolean"},"id":{"nullable":true,"type":"string"},"kqlQuery":{"nullable":true,"type":"string"},"name":{"nullable":true,"type":"string"},"queryMatch":{"$ref":"#\/components\/schemas\/Security_Timeline_API_QueryMatchResult","nullable":true},"type":{"$ref":"#\/components\/schemas\/Security_Timeline_API_DataProviderType","nullable":true}}},"Security_Timeline_API_DataProviderType":{"description":"The type of data 
provider.","enum":["default","template"],"type":"string"},"Security_Timeline_API_DocumentIds":{"description":"One document ID or an array of IDs (Elasticsearch `_id` of the event).","oneOf":[{"items":{"type":"string"},"type":"array"},{"type":"string"}]},"Security_Timeline_API_FavoriteTimelineResponse":{"type":"object","properties":{"favorite":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_FavoriteTimelineResult"},"type":"array"},"savedObjectId":{"type":"string"},"templateTimelineId":{"nullable":true,"type":"string"},"templateTimelineVersion":{"nullable":true,"type":"number"},"timelineType":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineType"},"version":{"type":"string"}},"required":["savedObjectId","version"]},"Security_Timeline_API_FavoriteTimelineResult":{"description":"Indicates when and who marked a Timeline as a favorite.","example":{"favoriteDate":1741337636741,"userName":"elastic"},"type":"object","properties":{"favoriteDate":{"nullable":true,"type":"number"},"fullName":{"nullable":true,"type":"string"},"userName":{"nullable":true,"type":"string"}}},"Security_Timeline_API_FilterTimelineResult":{"example":{"meta":{"alias":"Custom filter 
name","disabled":false,"index":".alerts-security.alerts-default,logs-*","key":"@timestamp","negate":"false,","type":"exists","value":"exists"},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"},"type":"object","properties":{"exists":{"nullable":true,"type":"string"},"match_all":{"nullable":true,"type":"string"},"meta":{"nullable":true,"type":"object","properties":{"alias":{"nullable":true,"type":"string"},"controlledBy":{"nullable":true,"type":"string"},"disabled":{"nullable":true,"type":"boolean"},"field":{"nullable":true,"type":"string"},"formattedValue":{"nullable":true,"type":"string"},"index":{"nullable":true,"type":"string"},"key":{"nullable":true,"type":"string"},"negate":{"nullable":true,"type":"boolean"},"params":{"nullable":true,"type":"string"},"type":{"nullable":true,"type":"string"},"value":{"nullable":true,"type":"string"}}},"missing":{"nullable":true,"type":"string"},"query":{"nullable":true,"type":"string"},"range":{"nullable":true,"type":"string"},"script":{"nullable":true,"type":"string"}}},"Security_Timeline_API_GetNotesResult":{"type":"object","properties":{"notes":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_Note"},"type":"array"},"totalCount":{"description":"Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering).","type":"number"}},"required":["totalCount","notes"]},"Security_Timeline_API_ImportTimelineResult":{"type":"object","properties":{"errors":{"description":"The list of failed Timeline imports","items":{"type":"object","properties":{"error":{"description":"The error containing the reason why the timeline could not be imported","type":"object","properties":{"message":{"description":"The reason why the timeline could not be imported","example":"Malformed JSON","type":"string"},"status_code":{"description":"The HTTP status code of the error","example":400,"type":"number"}}},"id":{"description":"The ID of the timeline that failed to 
import","example":"6ce1b592-84e3-4b4a-9552-f189d4b82075","type":"string"}}},"type":"array"},"success":{"description":"Indicates whether any of the Timelines were successfully imported","type":"boolean"},"success_count":{"description":"The number of successfully imported\/updated Timelines","example":99,"type":"number"},"timelines_installed":{"description":"The number of successfully installed Timelines","example":80,"type":"number"},"timelines_updated":{"description":"The number of successfully updated Timelines","example":19,"type":"number"}}},"Security_Timeline_API_ImportTimelines":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedTimeline"},{"type":"object","properties":{"eventNotes":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_BareNote"},"nullable":true,"type":"array"},"globalNotes":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_BareNote"},"nullable":true,"type":"array"},"pinnedEventIds":{"items":{"type":"string"},"nullable":true,"type":"array"},"savedObjectId":{"nullable":true,"type":"string"},"version":{"nullable":true,"type":"string"}},"required":["savedObjectId","version","pinnedEventIds","eventNotes","globalNotes"]}]},"Security_Timeline_API_Note":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Timeline_API_BareNote"},{"type":"object","properties":{"noteId":{"description":"The `savedObjectId` of the note","example":"709f99c6-89b6-4953-9160-35945c8e174e","type":"string"},"version":{"description":"The version of the note","example":"WzQ2LDFd","type":"string"}},"required":["noteId","version"]}]},"Security_Timeline_API_NoteCreatedAndUpdatedMetadata":{"type":"object","properties":{"created":{"description":"The time the note was created, using a 13-digit Epoch timestamp.","example":1587468588922,"nullable":true,"type":"number"},"createdBy":{"description":"The user who created the note.","example":"casetester","nullable":true,"type":"string"},"updated":{"description":"The last time the note was updated, 
using a 13-digit Epoch timestamp","example":1741344876825,"nullable":true,"type":"number"},"updatedBy":{"description":"The user who last updated the note","example":"casetester","nullable":true,"type":"string"}}},"Security_Timeline_API_PersistPinnedEventResponse":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Timeline_API_PinnedEvent"},{"type":"object","properties":{"unpinned":{"description":"Indicates whether the event was successfully unpinned","type":"boolean"}},"required":["unpinned"]}]},"Security_Timeline_API_PersistTimelineResponse":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineResponse"},"Security_Timeline_API_PinnedEvent":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Timeline_API_BarePinnedEvent"},{"type":"object","properties":{"pinnedEventId":{"description":"The `savedObjectId` of this pinned event","example":"10r1929b-0af7-42bd-85a8-56e234f98h2f3","type":"string"},"version":{"description":"The version of this pinned event","example":"WzQ2LDFe","type":"string"}},"required":["pinnedEventId","version"]}]},"Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata":{"type":"object","properties":{"created":{"description":"The time the pinned event was created, using a 13-digit Epoch timestamp.","example":1587468588922,"nullable":true,"type":"number"},"createdBy":{"description":"The user who created the pinned event.","example":"casetester","nullable":true,"type":"string"},"updated":{"description":"The last time the pinned event was updated, using a 13-digit Epoch timestamp","example":1741344876825,"nullable":true,"type":"number"},"updatedBy":{"description":"The user who last updated the pinned 
event","example":"casetester","nullable":true,"type":"string"}}},"Security_Timeline_API_QueryMatchResult":{"type":"object","properties":{"displayField":{"nullable":true,"type":"string"},"displayValue":{"nullable":true,"type":"string"},"field":{"nullable":true,"type":"string"},"operator":{"nullable":true,"type":"string"},"value":{"oneOf":[{"nullable":true,"type":"string"},{"items":{"type":"string"},"nullable":true,"type":"array"}]}}},"Security_Timeline_API_ResolvedTimeline":{"type":"object","properties":{"alias_purpose":{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedObjectResolveAliasPurpose"},"alias_target_id":{"type":"string"},"outcome":{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedObjectResolveOutcome"},"timeline":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineSavedToReturnObject"}},"required":["timeline","outcome"]},"Security_Timeline_API_ResponseNote":{"type":"object","properties":{"note":{"$ref":"#\/components\/schemas\/Security_Timeline_API_Note"}},"required":["note"]},"Security_Timeline_API_RowRendererId":{"description":"Identifies the available row renderers","enum":["alert","alerts","auditd","auditd_file","library","netflow","plain","registry","suricata","system","system_dns","system_endgame_process","system_file","system_fim","system_security_event","system_socket","threat_match","zeek"],"type":"string"},"Security_Timeline_API_SavedObjectIds":{"description":"One Timeline saved object ID or an array of IDs.","oneOf":[{"items":{"type":"string"},"type":"array"},{"type":"string"}]},"Security_Timeline_API_SavedObjectResolveAliasPurpose":{"enum":["savedObjectConversion","savedObjectImport"],"type":"string"},"Security_Timeline_API_SavedObjectResolveOutcome":{"enum":["exactMatch","aliasMatch","conflict"],"type":"string"},"Security_Timeline_API_SavedTimeline":{"type":"object","properties":{"columns":{"description":"The Timeline's 
columns","example":[{"columnHeaderType":"not-filtered","id":"@timestamp"},{"columnHeaderType":"not-filtered","id":"event.category"}],"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_ColumnHeaderResult"},"nullable":true,"type":"array"},"created":{"description":"The time the Timeline was created, using a 13-digit Epoch timestamp.","example":1587468588922,"nullable":true,"type":"number"},"createdBy":{"description":"The user who created the Timeline.","example":"casetester","nullable":true,"type":"string"},"dataProviders":{"description":"Object containing query clauses","example":[{"enabled":true,"excluded":false,"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","queryMatch":{"field":"_id,","operator":":","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,"}}],"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_DataProviderResult"},"nullable":true,"type":"array"},"dataViewId":{"description":"ID of the Timeline's Data View","example":"security-solution-default","nullable":true,"type":"string"},"dateRange":{"description":"The Timeline's search period.","example":{"end":1587456479201,"start":1587370079200},"nullable":true,"type":"object","properties":{"end":{"oneOf":[{"nullable":true,"type":"string"},{"nullable":true,"type":"number"}]},"start":{"oneOf":[{"nullable":true,"type":"string"},{"nullable":true,"type":"number"}]}}},"description":{"description":"The Timeline's description","example":"Investigating exposure of CVE XYZ","nullable":true,"type":"string"},"eqlOptions":{"description":"EQL query that is used in the correlation tab","example":{"eventCategoryField":"event.category","query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where 
true]","size":100,"timestampField":"@timestamp"},"nullable":true,"type":"object","properties":{"eventCategoryField":{"nullable":true,"type":"string"},"query":{"nullable":true,"type":"string"},"size":{"oneOf":[{"nullable":true,"type":"string"},{"nullable":true,"type":"number"}]},"tiebreakerField":{"nullable":true,"type":"string"},"timestampField":{"nullable":true,"type":"string"}}},"eventType":{"deprecated":true,"description":"Event types displayed in the Timeline","example":"all","nullable":true,"type":"string"},"excludedRowRendererIds":{"description":"A list of row renderers that should not be used when in `Event renderers` mode","items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_RowRendererId"},"nullable":true,"type":"array"},"favorite":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_FavoriteTimelineResult"},"nullable":true,"type":"array"},"filters":{"description":"A list of filters that should be applied to the query","items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_FilterTimelineResult"},"nullable":true,"type":"array"},"indexNames":{"description":"A list of index names to use in the query (e.g. 
when the default data view has been modified)","example":[".logs*"],"items":{"type":"string"},"nullable":true,"type":"array"},"kqlMode":{"description":"Indicates whether the KQL bar filters the query results or searches for additional results, where:\n  * `filter`: filters query results\n  * `search`: displays additional search results","example":"search","nullable":true,"type":"string"},"kqlQuery":{"$ref":"#\/components\/schemas\/Security_Timeline_API_SerializedFilterQueryResult","nullable":true},"savedQueryId":{"description":"The ID of the saved query that might be used in the Query tab","example":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","nullable":true,"type":"string"},"savedSearchId":{"description":"The ID of the saved search that is used in the ES|QL tab","example":"6ce1b592-84e3-4b4a-9552-f189d4b82075","nullable":true,"type":"string"},"sort":{"$ref":"#\/components\/schemas\/Security_Timeline_API_Sort","nullable":true},"status":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineStatus","nullable":true},"templateTimelineId":{"description":"A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.","example":"6ce1b592-84e3-4b4a-9552-f189d4b82075","nullable":true,"type":"string"},"templateTimelineVersion":{"description":"Timeline template version number. 
For Timelines, the value is `null`.","example":12,"nullable":true,"type":"number"},"timelineType":{"$ref":"#\/components\/schemas\/Security_Timeline_API_TimelineType","nullable":true},"title":{"description":"The Timeline's title.","example":"CVE XYZ investigation","nullable":true,"type":"string"},"updated":{"description":"The last time the Timeline was updated, using a 13-digit Epoch timestamp","example":1741344876825,"nullable":true,"type":"number"},"updatedBy":{"description":"The user who last updated the Timeline","example":"casetester","nullable":true,"type":"string"}}},"Security_Timeline_API_SavedTimelineWithSavedObjectId":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedTimeline"},{"type":"object","properties":{"savedObjectId":{"description":"The `savedObjectId` of the Timeline or Timeline template","example":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","type":"string"},"version":{"description":"The version of the Timeline or Timeline template","example":"WzE0LDFd","type":"string"}},"required":["savedObjectId","version"]}]},"Security_Timeline_API_SerializedFilterQueryResult":{"description":"KQL bar query.","example":{"filterQuery":null,"kuery":{"expression":"_id : *","kind":"kuery"},"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"type":"object","properties":{"filterQuery":{"nullable":true,"type":"object","properties":{"kuery":{"nullable":true,"type":"object","properties":{"expression":{"nullable":true,"type":"string"},"kind":{"nullable":true,"type":"string"}}},"serializedQuery":{"nullable":true,"type":"string"}}}}},"Security_Timeline_API_Sort":{"oneOf":[{"$ref":"#\/components\/schemas\/Security_Timeline_API_SortObject"},{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_SortObject"},"type":"array"}]},"Security_Timeline_API_SortFieldTimeline":{"description":"The field to sort the timelines 
by.","enum":["title","description","updated","created"],"type":"string"},"Security_Timeline_API_SortObject":{"description":"Object indicating how rows are sorted in the Timeline's grid","example":{"columnId":"@timestamp","sortDirection":"desc"},"type":"object","properties":{"columnId":{"nullable":true,"type":"string"},"columnType":{"nullable":true,"type":"string"},"sortDirection":{"nullable":true,"type":"string"}}},"Security_Timeline_API_TimelineResponse":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedTimeline"},{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedTimelineWithSavedObjectId"},{"type":"object","properties":{"eventIdToNoteIds":{"description":"A list of all the notes that are associated to this Timeline.","items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_Note"},"nullable":true,"type":"array"},"noteIds":{"description":"A list of all the ids of notes that are associated to this Timeline.","example":["709f99c6-89b6-4953-9160-35945c8e174e"],"items":{"type":"string"},"nullable":true,"type":"array"},"notes":{"description":"A list of all the notes that are associated to this Timeline.","items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_Note"},"nullable":true,"type":"array"},"pinnedEventIds":{"description":"A list of all the ids of pinned events that are associated to this Timeline.","example":["983f99c6-89b6-4953-9160-35945c8a194f"],"items":{"type":"string"},"nullable":true,"type":"array"},"pinnedEventsSaveObject":{"description":"A list of all the pinned events that are associated to this 
Timeline.","items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_PinnedEvent"},"nullable":true,"type":"array"}}}]},"Security_Timeline_API_TimelineSavedToReturnObject":{"allOf":[{"$ref":"#\/components\/schemas\/Security_Timeline_API_SavedTimeline"},{"type":"object","properties":{"eventIdToNoteIds":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_Note"},"nullable":true,"type":"array"},"noteIds":{"items":{"type":"string"},"nullable":true,"type":"array"},"notes":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_Note"},"nullable":true,"type":"array"},"pinnedEventIds":{"items":{"type":"string"},"nullable":true,"type":"array"},"pinnedEventsSaveObject":{"items":{"$ref":"#\/components\/schemas\/Security_Timeline_API_PinnedEvent"},"nullable":true,"type":"array"},"savedObjectId":{"type":"string"},"version":{"type":"string"}},"required":["savedObjectId","version"]}]},"Security_Timeline_API_TimelineStatus":{"description":"The status of the Timeline.","enum":["active","draft","immutable"],"type":"string"},"Security_Timeline_API_TimelineType":{"description":"The type of Timeline.","enum":["default","template"],"type":"string"},"SLOs_400_response":{"title":"Bad request","type":"object","properties":{"error":{"example":"Bad Request","type":"string"},"message":{"example":"Invalid value 'foo' supplied to: [...]","type":"string"},"statusCode":{"example":400,"type":"number"}},"required":["statusCode","error","message"]},"SLOs_401_response":{"title":"Unauthorized","type":"object","properties":{"error":{"example":"Unauthorized","type":"string"},"message":{"example":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [\/_security\/_authenticate]]: unable to authenticate user [elastics] for REST request 
[\/_security\/_authenticate]","type":"string"},"statusCode":{"example":401,"type":"number"}},"required":["statusCode","error","message"]},"SLOs_403_response":{"title":"Forbidden","type":"object","properties":{"error":{"example":"Forbidden","type":"string"},"message":{"example":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [\/api\/observability\/slos]]: action [slo_write] is unauthorized for user [limited_user]","type":"string"},"statusCode":{"example":403,"type":"number"}},"required":["statusCode","error","message"]},"SLOs_404_response":{"title":"Not found","type":"object","properties":{"error":{"example":"Not Found","type":"string"},"message":{"example":"SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found","type":"string"},"statusCode":{"example":404,"type":"number"}},"required":["statusCode","error","message"]},"SLOs_409_response":{"title":"Conflict","type":"object","properties":{"error":{"example":"Conflict","type":"string"},"message":{"example":"SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists","type":"string"},"statusCode":{"example":409,"type":"number"}},"required":["statusCode","error","message"]},"SLOs_artifacts":{"description":"Links to related assets for the SLO","properties":{"dashboards":{"description":"Array of dashboard references","items":{"type":"object","properties":{"id":{"description":"Dashboard saved-object id","type":"string"}},"required":["id"]},"type":"array"}},"title":"Artifacts","type":"object"},"SLOs_budgeting_method":{"description":"The budgeting method to use when computing the rollup data.","enum":["occurrences","timeslices"],"example":"occurrences","title":"Budgeting method","type":"string"},"SLOs_bulk_delete_request":{"description":"The bulk delete SLO request takes a list of SLOs Definition id to delete.\n","properties":{"list":{"description":"An array of SLO Definition id","items":{"description":"The SLO Definition 
id","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"},"type":"array"}},"required":["list"],"title":"Bulk delete SLO request","type":"object"},"SLOs_bulk_delete_response":{"description":"The bulk delete SLO response returns a taskId that can be used to poll for its status\n","properties":{"taskId":{"description":"The taskId of the bulk delete operation","example":"d08506b7-f0e8-4f8b-a06a-a83940f4db91","type":"string"}},"title":"Bulk delete SLO response","type":"object"},"SLOs_bulk_delete_status_response":{"description":"Indicates if the bulk deletion is completed, with the detailed results of the operation.","properties":{"error":{"description":"The error message if the bulk deletion operation failed","example":"Task not found","type":"string"},"isDone":{"description":"Indicates if the bulk deletion operation is completed","example":true,"type":"boolean"},"results":{"description":"The results of the bulk deletion operation, including the success status and any errors for each SLO","items":{"type":"object","properties":{"error":{"description":"The error message if the deletion operation failed for this SLO","example":"SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found","type":"string"},"id":{"description":"The ID of the SLO that was deleted","example":"d08506b7-f0e8-4f8b-a06a-a83940f4db91","type":"string"},"success":{"description":"The result of the deletion operation for this SLO","example":true,"type":"boolean"}}},"type":"array"}},"title":"The status of the bulk deletion","type":"object"},"SLOs_bulk_purge_rollup_request":{"description":"The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. 
This API can be used to remove the stale data of an instance SLO that no longer gets updated.\n","properties":{"list":{"description":"An array of SLO ids","items":{"description":"The SLO Definition id","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"},"type":"array"},"purgePolicy":{"description":"Policy that dictates which SLI documents to purge based on age","oneOf":[{"type":"object","properties":{"age":{"description":"The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided.","example":"7d","type":"string"},"purgeType":{"description":"Specifies whether documents will be purged based on a specific age or on a timestamp","enum":["fixed-age"],"type":"string"}}},{"type":"object","properties":{"purgeType":{"description":"Specifies whether documents will be purged based on a specific age or on a timestamp","enum":["fixed-time"],"type":"string"},"timestamp":{"description":"The timestamp to determine which documents to purge, formatted in ISO. 
This value should be older than the applicable time window of every SLO provided.","example":"2024-12-31T00:00:00.000Z","type":"string"}}}],"type":"object"}},"required":["list","purgePolicy"],"title":"Bulk Purge Rollup data request","type":"object"},"SLOs_bulk_purge_rollup_response":{"description":"The bulk purge rollup data response returns a task id from the Elasticsearch deleteByQuery response.\n","properties":{"taskId":{"description":"The task id of the purge operation","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"}},"title":"Bulk Purge Rollup data response","type":"object"},"SLOs_create_slo_request":{"description":"The create SLO API request body varies depending on the type of indicator, time window and budgeting method.\n","properties":{"artifacts":{"$ref":"#\/components\/schemas\/SLOs_artifacts"},"budgetingMethod":{"$ref":"#\/components\/schemas\/SLOs_budgeting_method"},"description":{"description":"A description for the SLO.","type":"string"},"groupBy":{"$ref":"#\/components\/schemas\/SLOs_group_by"},"id":{"description":"An optional and unique identifier for the SLO. 
Must be between 8 and 36 chars","example":"my-super-slo-id","type":"string"},"indicator":{"oneOf":[{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_custom_kql"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_apm_availability"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_apm_latency"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_custom_metric"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_histogram"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_timeslice_metric"}]},"name":{"description":"A name for the SLO.","type":"string"},"objective":{"$ref":"#\/components\/schemas\/SLOs_objective"},"settings":{"$ref":"#\/components\/schemas\/SLOs_settings"},"tags":{"description":"List of tags","items":{"type":"string"},"type":"array"},"timeWindow":{"$ref":"#\/components\/schemas\/SLOs_time_window"}},"required":["name","description","indicator","timeWindow","budgetingMethod","objective"],"title":"Create SLO request","type":"object"},"SLOs_create_slo_response":{"title":"Create SLO response","type":"object","properties":{"id":{"example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"}},"required":["id"]},"SLOs_delete_slo_instances_request":{"description":"The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. 
This API can be used to remove the stale data of an instance SLO that no longer gets updated.\n","properties":{"list":{"description":"An array of SLO id and instance id","items":{"type":"object","properties":{"instanceId":{"description":"The SLO instance identifier","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"},"sloId":{"description":"The SLO unique identifier","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"}},"required":["sloId","instanceId"]},"type":"array"}},"required":["list"],"title":"Delete SLO instances request","type":"object"},"SLOs_error_budget":{"title":"Error budget","type":"object","properties":{"consumed":{"description":"The error budget consumed, as a percentage of the initial value.","example":0.8,"type":"number"},"initial":{"description":"The initial error budget, as 1 - objective","example":0.02,"type":"number"},"isEstimated":{"description":"Only for SLO defined with occurrences budgeting method and calendar aligned time window.","example":true,"type":"boolean"},"remaining":{"description":"The error budget remaining, as a percentage of the initial value.","example":0.2,"type":"number"}},"required":["initial","consumed","remaining","isEstimated"]},"SLOs_filter":{"description":"Defines properties for a filter","properties":{"meta":{"$ref":"#\/components\/schemas\/SLOs_filter_meta"},"query":{"type":"object"}},"title":"Filter","type":"object"},"SLOs_filter_meta":{"description":"Defines properties for a filter","properties":{"alias":{"nullable":true,"type":"string"},"controlledBy":{"type":"string"},"disabled":{"type":"boolean"},"field":{"type":"string"},"group":{"type":"string"},"index":{"type":"string"},"isMultiIndex":{"type":"boolean"},"key":{"type":"string"},"negate":{"type":"boolean"},"params":{"type":"object"},"type":{"type":"string"},"value":{"type":"string"}},"title":"FilterMeta","type":"object"},"SLOs_find_slo_definitions_response":{"description":"A paginated response of SLO definitions matching the 
query.\n","oneOf":[{"type":"object","properties":{"page":{"example":1,"type":"number"},"perPage":{"example":25,"type":"number"},"results":{"items":{"$ref":"#\/components\/schemas\/SLOs_slo_with_summary_response"},"type":"array"},"total":{"example":34,"type":"number"}}},{"type":"object","properties":{"page":{"default":1,"description":"for backward compatibility","type":"number"},"perPage":{"description":"for backward compatibility","example":25,"type":"number"},"results":{"items":{"$ref":"#\/components\/schemas\/SLOs_slo_with_summary_response"},"type":"array"},"searchAfter":{"description":"the cursor to provide to get the next paged results","example":["some-slo-id","other-cursor-id"],"items":{"type":"string"},"type":"array"},"size":{"example":25,"type":"number"},"total":{"example":34,"type":"number"}}}],"title":"Find SLO definitions response","type":"object"},"SLOs_find_slo_response":{"description":"A paginated response of SLOs matching the query.\n","properties":{"page":{"example":1,"type":"number"},"perPage":{"example":25,"type":"number"},"results":{"items":{"$ref":"#\/components\/schemas\/SLOs_slo_with_summary_response"},"type":"array"},"searchAfter":{"type":"string"},"size":{"description":"Size provided for cursor based pagination","example":25,"type":"number"},"total":{"example":34,"type":"number"}},"title":"Find SLO response","type":"object"},"SLOs_group_by":{"description":"optional group by field or fields to use to generate an SLO per distinct value","example":[["service.name"],"service.name",["service.name","service.environment"]],"oneOf":[{"type":"string"},{"items":{"type":"string"},"type":"array"}],"title":"Group by"},"SLOs_indicator_properties_apm_availability":{"description":"Defines properties for the APM availability indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"environment":{"description":"The APM service environment or 
\"*\"","example":"production","type":"string"},"filter":{"description":"KQL query used for filtering the data","example":"service.foo : \"bar\"","type":"string"},"index":{"description":"The index used by APM metrics","example":"metrics-apm*,apm*","type":"string"},"service":{"description":"The APM service name","example":"o11y-app","type":"string"},"transactionName":{"description":"The APM transaction name or \"*\"","example":"GET \/my\/api","type":"string"},"transactionType":{"description":"The APM transaction type or \"*\"","example":"request","type":"string"}},"required":["service","environment","transactionType","transactionName","index"]},"type":{"description":"The type of indicator.","example":"sli.apm.transactionDuration","type":"string"}},"required":["type","params"],"title":"APM availability"},"SLOs_indicator_properties_apm_latency":{"description":"Defines properties for the APM latency indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"environment":{"description":"The APM service environment or \"*\"","example":"production","type":"string"},"filter":{"description":"KQL query used for filtering the data","example":"service.foo : \"bar\"","type":"string"},"index":{"description":"The index used by APM metrics","example":"metrics-apm*,apm*","type":"string"},"service":{"description":"The APM service name","example":"o11y-app","type":"string"},"threshold":{"description":"The latency threshold in milliseconds","example":250,"type":"number"},"transactionName":{"description":"The APM transaction name or \"*\"","example":"GET \/my\/api","type":"string"},"transactionType":{"description":"The APM transaction type or \"*\"","example":"request","type":"string"}},"required":["service","environment","transactionType","transactionName","index","threshold"]},"type":{"description":"The type of 
indicator.","example":"sli.apm.transactionDuration","type":"string"}},"required":["type","params"],"title":"APM latency"},"SLOs_indicator_properties_custom_kql":{"description":"Defines properties for a custom query indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"dataViewId":{"description":"The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add\/update run time fields to the data view and if those fields are being used in slo queries.","example":"03b80ab3-003d-498b-881c-3beedbaf1162","type":"string"},"filter":{"$ref":"#\/components\/schemas\/SLOs_kql_with_filters"},"good":{"$ref":"#\/components\/schemas\/SLOs_kql_with_filters_good"},"index":{"description":"The index or index pattern to use","example":"my-service-*","type":"string"},"timestampField":{"description":"The timestamp field used in the source indice.\n","example":"timestamp","type":"string"},"total":{"$ref":"#\/components\/schemas\/SLOs_kql_with_filters_total"}},"required":["index","timestampField","good","total"]},"type":{"description":"The type of indicator.","example":"sli.kql.custom","type":"string"}},"required":["type","params"],"title":"Custom Query"},"SLOs_indicator_properties_custom_metric":{"description":"Defines properties for a custom metric indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"dataViewId":{"description":"The kibana data view id to use, primarily used to include data view runtime mappings. 
Make sure to save SLO again if you add\/update run time fields to the data view and if those fields are being used in slo queries.","example":"03b80ab3-003d-498b-881c-3beedbaf1162","type":"string"},"filter":{"description":"the KQL query to filter the documents with.","example":"field.environment : \"production\" and service.name : \"my-service\"","type":"string"},"good":{"description":"An object defining the \"good\" metrics and equation\n","type":"object","properties":{"equation":{"description":"The equation to calculate the \"good\" metric.","example":"A","type":"string"},"metrics":{"description":"List of metrics with their name, aggregation type, and field.","items":{"oneOf":[{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric.","enum":["sum"],"example":"sum","type":"string"},"field":{"description":"The field of the metric.","example":"processor.processed","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: *","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation","field"]},{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric.","enum":["doc_count"],"example":"doc_count","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: *","type":"string"},"name":{"description":"The name of the metric. 
Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation"]}]},"type":"array"}},"required":["metrics","equation"]},"index":{"description":"The index or index pattern to use","example":"my-service-*","type":"string"},"timestampField":{"description":"The timestamp field used in the source index.\n","example":"timestamp","type":"string"},"total":{"description":"An object defining the \"total\" metrics and equation\n","type":"object","properties":{"equation":{"description":"The equation to calculate the \"total\" metric.","example":"A","type":"string"},"metrics":{"description":"List of metrics with their name, aggregation type, and field.","items":{"oneOf":[{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric.","enum":["sum"],"example":"sum","type":"string"},"field":{"description":"The field of the metric.","example":"processor.processed","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: *","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation","field"]},{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric.","enum":["doc_count"],"example":"doc_count","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: *","type":"string"},"name":{"description":"The name of the metric. 
Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation"]}]},"type":"array"}},"required":["metrics","equation"]}},"required":["index","timestampField","good","total"]},"type":{"description":"The type of indicator.","example":"sli.metric.custom","type":"string"}},"required":["type","params"],"title":"Custom metric"},"SLOs_indicator_properties_histogram":{"description":"Defines properties for a histogram indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"dataViewId":{"description":"The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add\/update run time fields to the data view and if those fields are being used in slo queries.","example":"03b80ab3-003d-498b-881c-3beedbaf1162","type":"string"},"filter":{"description":"the KQL query to filter the documents with.","example":"field.environment : \"production\" and service.name : \"my-service\"","type":"string"},"good":{"description":"An object defining the \"good\" events\n","type":"object","properties":{"aggregation":{"description":"The type of aggregation to use.","enum":["value_count","range"],"example":"value_count","type":"string"},"field":{"description":"The field used to aggregate the good events.","example":"processor.latency","type":"string"},"filter":{"description":"The filter for good events.","example":"processor.outcome: \"success\"","type":"string"},"from":{"description":"The starting value of the range. Only required for \"range\" aggregations.","example":0,"type":"number"},"to":{"description":"The ending value of the range. 
Only required for \"range\" aggregations.","example":100,"type":"number"}},"required":["aggregation","field"]},"index":{"description":"The index or index pattern to use","example":"my-service-*","type":"string"},"timestampField":{"description":"The timestamp field used in the source index.\n","example":"timestamp","type":"string"},"total":{"description":"An object defining the \"total\" events\n","type":"object","properties":{"aggregation":{"description":"The type of aggregation to use.","enum":["value_count","range"],"example":"value_count","type":"string"},"field":{"description":"The field used to aggregate the good events.","example":"processor.latency","type":"string"},"filter":{"description":"The filter for total events.","example":"processor.outcome : *","type":"string"},"from":{"description":"The starting value of the range. Only required for \"range\" aggregations.","example":0,"type":"number"},"to":{"description":"The ending value of the range. Only required for \"range\" aggregations.","example":100,"type":"number"}},"required":["aggregation","field"]}},"required":["index","timestampField","good","total"]},"type":{"description":"The type of indicator.","example":"sli.histogram.custom","type":"string"}},"required":["type","params"],"title":"Histogram indicator"},"SLOs_indicator_properties_timeslice_metric":{"description":"Defines properties for a timeslice metric indicator type","type":"object","properties":{"params":{"description":"An object containing the indicator parameters.","nullable":false,"type":"object","properties":{"dataViewId":{"description":"The kibana data view id to use, primarily used to include data view runtime mappings. 
Make sure to save SLO again if you add\/update run time fields to the data view and if those fields are being used in slo queries.","example":"03b80ab3-003d-498b-881c-3beedbaf1162","type":"string"},"filter":{"description":"the KQL query to filter the documents with.","example":"field.environment : \"production\" and service.name : \"my-service\"","type":"string"},"index":{"description":"The index or index pattern to use","example":"my-service-*","type":"string"},"metric":{"description":"An object defining the metrics, equation, and threshold to determine if it's a good slice or not\n","type":"object","properties":{"comparator":{"description":"The comparator to use to compare the equation to the threshold.","enum":["GT","GTE","LT","LTE"],"example":"GT","type":"string"},"equation":{"description":"The equation to calculate the metric.","example":"A","type":"string"},"metrics":{"description":"List of metrics with their name, aggregation type, and field.","items":{"anyOf":[{"$ref":"#\/components\/schemas\/SLOs_timeslice_metric_basic_metric_with_field"},{"$ref":"#\/components\/schemas\/SLOs_timeslice_metric_percentile_metric"},{"$ref":"#\/components\/schemas\/SLOs_timeslice_metric_doc_count_metric"}],"discriminator":{"mapping":{"avg":"#\/components\/schemas\/SLOs_timeslice_metric_basic_metric_with_field","cardinality":"#\/components\/schemas\/SLOs_timeslice_metric_basic_metric_with_field","doc_count":"#\/components\/schemas\/SLOs_timeslice_metric_doc_count_metric","last_value":"#\/components\/schemas\/SLOs_timeslice_metric_basic_metric_with_field","max":"#\/components\/schemas\/SLOs_timeslice_metric_basic_metric_with_field","min":"#\/components\/schemas\/SLOs_timeslice_metric_basic_metric_with_field","percentile":"#\/components\/schemas\/SLOs_timeslice_metric_percentile_metric","std_deviation":"#\/components\/schemas\/SLOs_timeslice_metric_basic_metric_with_field","sum":"#\/components\/schemas\/SLOs_timeslice_metric_basic_metric_with_field"},"propertyName":"aggregation"}}
,"type":"array"},"threshold":{"description":"The threshold used to determine if the metric is a good slice or not.","example":100,"type":"number"}},"required":["metrics","equation","comparator","threshold"]},"timestampField":{"description":"The timestamp field used in the source index.\n","example":"timestamp","type":"string"}},"required":["index","timestampField","metric"]},"type":{"description":"The type of indicator.","example":"sli.metric.timeslice","type":"string"}},"required":["type","params"],"title":"Timeslice metric"},"SLOs_kql_with_filters":{"description":"Defines properties for a filter","oneOf":[{"description":"the KQL query to filter the documents with.","example":"field.environment : \"production\" and service.name : \"my-service\"","type":"string"},{"type":"object","properties":{"filters":{"items":{"$ref":"#\/components\/schemas\/SLOs_filter"},"type":"array"},"kqlQuery":{"type":"string"}}}],"title":"KQL with filters"},"SLOs_kql_with_filters_good":{"description":"The KQL query used to define the good events.","oneOf":[{"description":"the KQL query to filter the documents with.","example":"request.latency <= 150 and request.status_code : \"2xx\"","type":"string"},{"type":"object","properties":{"filters":{"items":{"$ref":"#\/components\/schemas\/SLOs_filter"},"type":"array"},"kqlQuery":{"type":"string"}}}],"title":"KQL query for good events"},"SLOs_kql_with_filters_total":{"description":"The KQL query used to define all events.","oneOf":[{"description":"the KQL query to filter the documents with.","example":"field.environment : \"production\" and service.name : \"my-service\"","type":"string"},{"type":"object","properties":{"filters":{"items":{"$ref":"#\/components\/schemas\/SLOs_filter"},"type":"array"},"kqlQuery":{"type":"string"}}}],"title":"KQL query for all events"},"SLOs_objective":{"description":"Defines properties for the SLO objective","type":"object","properties":{"target":{"description":"the target objective between 0 and 1 
excluded","example":0.99,"exclusiveMaximum":true,"exclusiveMinimum":true,"maximum":100,"minimum":0,"type":"number"},"timesliceTarget":{"description":"the target objective for each slice when using a timeslices budgeting method","example":0.995,"maximum":100,"minimum":0,"type":"number"},"timesliceWindow":{"description":"the duration of each slice when using a timeslices budgeting method, as {duration}{unit}","example":"5m","type":"string"}},"required":["target"],"title":"Objective"},"SLOs_settings":{"description":"Defines properties for SLO settings.","properties":{"frequency":{"default":"1m","description":"The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.","example":"5m","type":"string"},"preventInitialBackfill":{"default":false,"description":"Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.","example":true,"type":"boolean"},"syncDelay":{"default":"1m","description":"The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater than the source index refresh interval.","example":"5m","type":"string"},"syncField":{"description":"The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. 
When unspecified, we use the indicator timestamp field.","example":"event.ingested","type":"string"}},"title":"Settings","type":"object"},"SLOs_slo_definition_response":{"title":"SLO definition response","type":"object","properties":{"artifacts":{"$ref":"#\/components\/schemas\/SLOs_artifacts"},"budgetingMethod":{"$ref":"#\/components\/schemas\/SLOs_budgeting_method"},"createdAt":{"description":"The creation date","example":"2023-01-12T10:03:19.000Z","type":"string"},"description":{"description":"The description of the SLO.","example":"My SLO description","type":"string"},"enabled":{"description":"Indicate if the SLO is enabled","example":true,"type":"boolean"},"groupBy":{"$ref":"#\/components\/schemas\/SLOs_group_by"},"id":{"description":"The identifier of the SLO.","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"},"indicator":{"discriminator":{"mapping":{"sli.apm.transactionDuration":"#\/components\/schemas\/SLOs_indicator_properties_apm_latency","sli.apm.transactionErrorRate":"#\/components\/schemas\/SLOs_indicator_properties_apm_availability","sli.histogram.custom":"#\/components\/schemas\/SLOs_indicator_properties_histogram","sli.kql.custom":"#\/components\/schemas\/SLOs_indicator_properties_custom_kql","sli.metric.custom":"#\/components\/schemas\/SLOs_indicator_properties_custom_metric","sli.metric.timeslice":"#\/components\/schemas\/SLOs_indicator_properties_timeslice_metric"},"propertyName":"type"},"oneOf":[{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_custom_kql"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_apm_availability"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_apm_latency"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_custom_metric"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_histogram"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_timeslice_metric"}]},"name":{"description":"The name of the SLO.","example":"My Service 
SLO","type":"string"},"objective":{"$ref":"#\/components\/schemas\/SLOs_objective"},"revision":{"description":"The SLO revision","example":2,"type":"number"},"settings":{"$ref":"#\/components\/schemas\/SLOs_settings"},"tags":{"description":"List of tags","items":{"type":"string"},"type":"array"},"timeWindow":{"$ref":"#\/components\/schemas\/SLOs_time_window"},"updatedAt":{"description":"The last update date","example":"2023-01-12T10:03:19.000Z","type":"string"},"version":{"description":"The internal SLO version","example":2,"type":"number"}},"required":["id","name","description","indicator","timeWindow","budgetingMethod","objective","settings","revision","enabled","groupBy","tags","createdAt","updatedAt","version"]},"SLOs_slo_with_summary_response":{"title":"SLO response","type":"object","properties":{"budgetingMethod":{"$ref":"#\/components\/schemas\/SLOs_budgeting_method"},"createdAt":{"description":"The creation date","example":"2023-01-12T10:03:19.000Z","type":"string"},"description":{"description":"The description of the SLO.","example":"My SLO description","type":"string"},"enabled":{"description":"Indicate if the SLO is enabled","example":true,"type":"boolean"},"groupBy":{"$ref":"#\/components\/schemas\/SLOs_group_by"},"id":{"description":"The identifier of the 
SLO.","example":"8853df00-ae2e-11ed-90af-09bb6422b258","type":"string"},"indicator":{"discriminator":{"mapping":{"sli.apm.transactionDuration":"#\/components\/schemas\/SLOs_indicator_properties_apm_latency","sli.apm.transactionErrorRate":"#\/components\/schemas\/SLOs_indicator_properties_apm_availability","sli.histogram.custom":"#\/components\/schemas\/SLOs_indicator_properties_histogram","sli.kql.custom":"#\/components\/schemas\/SLOs_indicator_properties_custom_kql","sli.metric.custom":"#\/components\/schemas\/SLOs_indicator_properties_custom_metric","sli.metric.timeslice":"#\/components\/schemas\/SLOs_indicator_properties_timeslice_metric"},"propertyName":"type"},"oneOf":[{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_custom_kql"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_apm_availability"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_apm_latency"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_custom_metric"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_histogram"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_timeslice_metric"}]},"instanceId":{"description":"the value derived from the groupBy field, if present, otherwise '*'","example":"host-abcde","type":"string"},"name":{"description":"The name of the SLO.","example":"My Service SLO","type":"string"},"objective":{"$ref":"#\/components\/schemas\/SLOs_objective"},"revision":{"description":"The SLO revision","example":2,"type":"number"},"settings":{"$ref":"#\/components\/schemas\/SLOs_settings"},"summary":{"$ref":"#\/components\/schemas\/SLOs_summary"},"tags":{"description":"List of tags","items":{"type":"string"},"type":"array"},"timeWindow":{"$ref":"#\/components\/schemas\/SLOs_time_window"},"updatedAt":{"description":"The last update date","example":"2023-01-12T10:03:19.000Z","type":"string"},"version":{"description":"The internal SLO 
version","example":2,"type":"number"}},"required":["id","name","description","indicator","timeWindow","budgetingMethod","objective","settings","revision","summary","enabled","groupBy","instanceId","tags","createdAt","updatedAt","version"]},"SLOs_summary":{"description":"The SLO computed data","properties":{"errorBudget":{"$ref":"#\/components\/schemas\/SLOs_error_budget"},"sliValue":{"example":0.9836,"type":"number"},"status":{"$ref":"#\/components\/schemas\/SLOs_summary_status"}},"required":["status","sliValue","errorBudget"],"title":"Summary","type":"object"},"SLOs_summary_status":{"enum":["NO_DATA","HEALTHY","DEGRADING","VIOLATED"],"example":"HEALTHY","title":"summary status","type":"string"},"SLOs_time_window":{"description":"Defines properties for the SLO time window","type":"object","properties":{"duration":{"description":"the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)","example":"30d","type":"string"},"type":{"description":"Indicates whether the time window is a rolling or a calendar aligned time window.","enum":["rolling","calendarAligned"],"example":"rolling","type":"string"}},"required":["duration","type"],"title":"Time window"},"SLOs_timeslice_metric_basic_metric_with_field":{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric.","enum":["sum","avg","min","max","std_deviation","last_value","cardinality"],"example":"sum","type":"string"},"field":{"description":"The field of the metric.","example":"processor.processed","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: \"success\"","type":"string"},"name":{"description":"The name of the metric. 
Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation","field"],"title":"Timeslice Metric Basic Metric with Field"},"SLOs_timeslice_metric_doc_count_metric":{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric. Only valid option is \"doc_count\"","enum":["doc_count"],"example":"doc_count","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: \"success\"","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"}},"required":["name","aggregation"],"title":"Timeslice Metric Doc Count Metric"},"SLOs_timeslice_metric_percentile_metric":{"type":"object","properties":{"aggregation":{"description":"The aggregation type of the metric. Only valid option is \"percentile\"","enum":["percentile"],"example":"percentile","type":"string"},"field":{"description":"The field of the metric.","example":"processor.processed","type":"string"},"filter":{"description":"The filter to apply to the metric.","example":"processor.outcome: \"success\"","type":"string"},"name":{"description":"The name of the metric. Only valid options are A-Z","example":"A","pattern":"^[A-Z]$","type":"string"},"percentile":{"description":"The percentile value.","example":95,"type":"number"}},"required":["name","aggregation","field","percentile"],"title":"Timeslice Metric Percentile Metric"},"SLOs_update_slo_request":{"description":"The update SLO API request body varies depending on the type of indicator, time window and budgeting method. 
Partial update is handled.\n","properties":{"artifacts":{"$ref":"#\/components\/schemas\/SLOs_artifacts"},"budgetingMethod":{"$ref":"#\/components\/schemas\/SLOs_budgeting_method"},"description":{"description":"A description for the SLO.","type":"string"},"groupBy":{"$ref":"#\/components\/schemas\/SLOs_group_by"},"indicator":{"oneOf":[{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_custom_kql"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_apm_availability"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_apm_latency"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_custom_metric"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_histogram"},{"$ref":"#\/components\/schemas\/SLOs_indicator_properties_timeslice_metric"}]},"name":{"description":"A name for the SLO.","type":"string"},"objective":{"$ref":"#\/components\/schemas\/SLOs_objective"},"settings":{"$ref":"#\/components\/schemas\/SLOs_settings"},"tags":{"description":"List of tags","items":{"type":"string"},"type":"array"},"timeWindow":{"$ref":"#\/components\/schemas\/SLOs_time_window"}},"title":"Update SLO request","type":"object"},"Task_manager_health_Serverless_APIs_configuration":{"description":"This object summarizes the current configuration of Task Manager. 
This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system.\n","type":"object"},"Task_manager_health_Serverless_APIs_health_response_serverless":{"title":"Task health response properties","type":"object","properties":{"id":{"type":"string"},"last_update":{"type":"string"},"stats":{"type":"object","properties":{"configuration":{"$ref":"#\/components\/schemas\/Task_manager_health_Serverless_APIs_configuration"},"workload":{"$ref":"#\/components\/schemas\/Task_manager_health_Serverless_APIs_workload"}}},"status":{"type":"string"},"timestamp":{"type":"string"}}},"Task_manager_health_Serverless_APIs_workload":{"description":"This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status.\n","type":"object"},"bedrock_config":{"title":"Connector request properties for an Amazon Bedrock connector","description":"Defines properties for connectors when type is `.bedrock`.","type":"object","required":["apiUrl"],"properties":{"apiUrl":{"type":"string","description":"The Amazon Bedrock request URL."},"region":{"type":"string","description":"Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`).\n"},"defaultModel":{"type":"string","description":"The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.\n","default":"us.anthropic.claude-sonnet-4-5-20250929-v1:0"}}},"crowdstrike_config":{"title":"Connector request config properties for a Crowdstrike connector","required":["url"],"description":"Defines config properties for connectors when type is `.crowdstrike`.","type":"object","properties":{"url":{"description":"The CrowdStrike tenant URL. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n","type":"string"}}},"d3security_config":{"title":"Connector request properties for a D3 Security connector","description":"Defines properties for connectors when type is `.d3security`.","type":"object","required":["url"],"properties":{"url":{"type":"string","description":"The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n"}}},"email_config":{"title":"Connector request properties for an email connector","description":"Defines properties for connectors when type is `.email`.","required":["from"],"type":"object","properties":{"clientId":{"description":"The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.\n","type":"string","nullable":true},"from":{"description":"The from address for all emails sent by the connector. It must be specified in `user@host-name` format.\n","type":"string"},"hasAuth":{"description":"Specifies whether a user and password are required inside the secrets configuration.\n","default":true,"type":"boolean"},"host":{"description":"The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.\n","type":"string"},"oauthTokenUrl":{"type":"string","nullable":true},"port":{"description":"The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.\n","type":"integer"},"secure":{"description":"Specifies whether the connection to the service provider will use TLS. 
If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.\n","type":"boolean"},"service":{"description":"The name of the email service.\n","type":"string","enum":["elastic_cloud","exchange_server","gmail","other","outlook365","ses"]},"tenantId":{"description":"The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.\n","type":"string","nullable":true}}},"gemini_config":{"title":"Connector request properties for a Google Gemini connector","description":"Defines properties for connectors when type is `.gemini`.","type":"object","required":["apiUrl","gcpRegion","gcpProjectID"],"properties":{"apiUrl":{"type":"string","description":"The Google Gemini request URL."},"defaultModel":{"type":"string","description":"The generative artificial intelligence model for Google Gemini to use.","default":"gemini-2.5-pro"},"gcpRegion":{"type":"string","description":"The GCP region where the Vertex AI endpoint is enabled."},"gcpProjectID":{"type":"string","description":"The Google ProjectID that has Vertex AI endpoint enabled."}}},"resilient_config":{"title":"Connector request properties for an IBM Resilient connector","required":["apiUrl","orgId"],"description":"Defines properties for connectors when type is `.resilient`.","type":"object","properties":{"apiUrl":{"description":"The IBM Resilient instance URL.","type":"string"},"orgId":{"description":"The IBM Resilient organization ID.","type":"string"}}},"index_config":{"title":"Connector request properties for an index connector","required":["index"],"description":"Defines properties for connectors when type is `.index`.","type":"object","properties":{"executionTimeField":{"description":"A field that indicates when the document was indexed.","default":null,"type":"string","nullable":true},"index":{"description":"The Elasticsearch index 
to be written to.","type":"string"},"refresh":{"description":"The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.\n","default":false,"type":"boolean"}}},"jira_config":{"title":"Connector request properties for a Jira connector","required":["apiUrl","projectKey"],"description":"Defines properties for connectors when type is `.jira`.","type":"object","properties":{"apiUrl":{"description":"The Jira instance URL.","type":"string"},"projectKey":{"description":"The Jira project key.","type":"string"}}},"defender_config":{"title":"Connector request properties for a Microsoft Defender for Endpoint connector","required":["apiUrl","projectKey"],"description":"Defines properties for connectors when type is `.microsoft_defender_endpoint`.","type":"object","properties":{"apiUrl":{"type":"string","description":"The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts.\n"},"clientId":{"type":"string","description":"The application (client) identifier for your app in the Azure portal."},"oAuthScope":{"type":"string","description":"The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API."},"oAuthServerUrl":{"type":"string","description":"The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API."},"tenantId":{"description":"The tenant identifier for your app in the Azure portal.","type":"string"}}},"genai_azure_config":{"title":"Connector request properties for an OpenAI connector that uses Azure OpenAI","description":"Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`.\n","type":"object","required":["apiProvider","apiUrl"],"properties":{"apiProvider":{"type":"string","description":"The OpenAI API provider.","enum":["Azure 
OpenAI"]},"apiUrl":{"type":"string","description":"The OpenAI API endpoint."}}},"genai_openai_config":{"title":"Connector request properties for an OpenAI connector","description":"Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`.\n","type":"object","required":["apiProvider","apiUrl"],"properties":{"apiProvider":{"type":"string","description":"The OpenAI API provider.","enum":["OpenAI"]},"apiUrl":{"type":"string","description":"The OpenAI API endpoint."},"defaultModel":{"type":"string","description":"The default model to use for requests."}}},"opsgenie_config":{"title":"Connector request properties for an Opsgenie connector","required":["apiUrl"],"description":"Defines properties for connectors when type is `.opsgenie`.","type":"object","properties":{"apiUrl":{"description":"The Opsgenie URL. For example, `https:\/\/api.opsgenie.com` or `https:\/\/api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n","type":"string"}}},"pagerduty_config":{"title":"Connector request properties for a PagerDuty connector","description":"Defines properties for connectors when type is `.pagerduty`.","type":"object","properties":{"apiUrl":{"description":"The PagerDuty event URL.","type":"string","nullable":true,"example":"https:\/\/events.pagerduty.com\/v2\/enqueue"}}},"sentinelone_config":{"title":"Connector request properties for a SentinelOne connector","required":["url"],"description":"Defines properties for connectors when type is `.sentinelone`.","type":"object","properties":{"url":{"description":"The SentinelOne tenant URL. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n","type":"string"}}},"servicenow_config":{"title":"Connector request properties for a ServiceNow ITSM connector","required":["apiUrl"],"description":"Defines properties for connectors when type is `.servicenow`.","type":"object","properties":{"apiUrl":{"type":"string","description":"The ServiceNow instance URL."},"clientId":{"description":"The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.\n","type":"string"},"isOAuth":{"description":"The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).\n","default":false,"type":"boolean"},"jwtKeyId":{"description":"The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.\n","type":"string"},"userIdentifierValue":{"description":"The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.\n","type":"string"},"usesTableApi":{"description":"Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors.  
NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow.\n","default":true,"type":"boolean"}}},"servicenow_itom_config":{"title":"Connector request properties for a ServiceNow ITOM connector","required":["apiUrl"],"description":"Defines properties for connectors when type is `.servicenow-itom`.","type":"object","properties":{"apiUrl":{"type":"string","description":"The ServiceNow instance URL."},"clientId":{"description":"The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.\n","type":"string"},"isOAuth":{"description":"The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).\n","default":false,"type":"boolean"},"jwtKeyId":{"description":"The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.\n","type":"string"},"userIdentifierValue":{"description":"The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. 
This property is required when `isOAuth` is `true`.\n","type":"string"}}},"slack_api_config":{"title":"Connector request properties for a Slack connector","description":"Defines properties for connectors when type is `.slack_api`.","type":"object","properties":{"allowedChannels":{"type":"array","description":"A list of valid Slack channels.","items":{"type":"object","required":["id","name"],"maxItems":25,"properties":{"id":{"type":"string","description":"The Slack channel ID.","example":"C123ABC456","minLength":1},"name":{"type":"string","description":"The Slack channel name.","minLength":1}}}}}},"swimlane_config":{"title":"Connector request properties for a Swimlane connector","required":["apiUrl","appId","connectorType"],"description":"Defines properties for connectors when type is `.swimlane`.","type":"object","properties":{"apiUrl":{"description":"The Swimlane instance URL.","type":"string"},"appId":{"description":"The Swimlane application ID.","type":"string"},"connectorType":{"description":"The type of connector. 
Valid values are `all`, `alerts`, and `cases`.","type":"string","enum":["all","alerts","cases"]},"mappings":{"title":"Connector mappings properties for a Swimlane connector","description":"The field mapping.","type":"object","properties":{"alertIdConfig":{"title":"Alert identifier mapping","description":"Mapping for the alert ID.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"caseIdConfig":{"title":"Case identifier mapping","description":"Mapping for the case ID.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"caseNameConfig":{"title":"Case name mapping","description":"Mapping for the case name.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"commentsConfig":{"title":"Case comment mapping","description":"Mapping for the case comments.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in 
Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"descriptionConfig":{"title":"Case description mapping","description":"Mapping for the case description.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"ruleNameConfig":{"title":"Rule name mapping","description":"Mapping for the name of the alert's rule.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}},"severityConfig":{"title":"Severity mapping","description":"Mapping for the severity.","type":"object","required":["fieldType","id","key","name"],"properties":{"fieldType":{"type":"string","description":"The type of field in Swimlane."},"id":{"type":"string","description":"The identifier for the field in Swimlane."},"key":{"type":"string","description":"The key for the field in Swimlane."},"name":{"type":"string","description":"The name of the field in Swimlane."}}}}}}},"thehive_config":{"title":"Connector request properties for a TheHive connector","description":"Defines configuration properties for connectors when type is `.thehive`.","type":"object","required":["url"],"properties":{"organisation":{"type":"string","description":"The organisation in TheHive that will contain the alerts or cases. 
By default, the connector uses the default organisation of the user account that created the API key.\n"},"url":{"type":"string","description":"The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n"}}},"tines_config":{"title":"Connector request properties for a Tines connector","description":"Defines properties for connectors when type is `.tines`.","type":"object","required":["url"],"properties":{"url":{"description":"The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.\n","type":"string"}}},"torq_config":{"title":"Connector request properties for a Torq connector","description":"Defines properties for connectors when type is `.torq`.","type":"object","required":["webhookIntegrationUrl"],"properties":{"webhookIntegrationUrl":{"description":"The endpoint URL of the Elastic Security integration in Torq.","type":"string"}}},"auth_type":{"title":"Authentication type","type":"string","nullable":true,"enum":["webhook-authentication-basic","webhook-authentication-ssl"],"description":"The type of authentication to use: basic, SSL, or none.\n"},"ca":{"title":"Certificate authority","type":"string","description":"A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. 
This option is available for all authentication types.\n"},"cert_type":{"title":"Certificate type","type":"string","description":"If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.\n","enum":["ssl-crt-key","ssl-pfx"]},"has_auth":{"title":"Has authentication","type":"boolean","description":"If true, a username and password for login type authentication must be provided.","default":true},"verification_mode":{"title":"Verification mode","type":"string","enum":["certificate","full","none"],"default":"full","description":"Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation.\n"},"webhook_config":{"title":"Connector request properties for a Webhook connector","description":"Defines properties for connectors when type is `.webhook`.","type":"object","properties":{"authType":{"$ref":"#\/components\/schemas\/auth_type"},"ca":{"$ref":"#\/components\/schemas\/ca"},"certType":{"$ref":"#\/components\/schemas\/cert_type"},"hasAuth":{"$ref":"#\/components\/schemas\/has_auth"},"headers":{"type":"object","nullable":true,"description":"A set of key-value pairs sent as headers with the request."},"method":{"type":"string","default":"post","enum":["post","put"],"description":"The HTTP request method, either `post` or `put`.\n"},"url":{"type":"string","description":"The request URL. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n"},"verificationMode":{"$ref":"#\/components\/schemas\/verification_mode"}}},"cases_webhook_config":{"title":"Connector request properties for Webhook - Case Management connector","required":["createIncidentJson","createIncidentResponseKey","createIncidentUrl","getIncidentResponseExternalTitleKey","getIncidentUrl","updateIncidentJson","updateIncidentUrl","viewIncidentUrl"],"description":"Defines properties for connectors when type is `.cases-webhook`.","type":"object","properties":{"authType":{"$ref":"#\/components\/schemas\/auth_type"},"ca":{"$ref":"#\/components\/schemas\/ca"},"certType":{"$ref":"#\/components\/schemas\/cert_type"},"createCommentJson":{"type":"string","description":"A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.\n","example":"{\"body\": {{{case.comment}}}}"},"createCommentMethod":{"type":"string","description":"The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`.\n","default":"put","enum":["patch","post","put"]},"createCommentUrl":{"type":"string","description":"The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n","example":"https:\/\/example.com\/issue\/{{{external.system.id}}}\/comment"},"createIncidentJson":{"type":"string","description":"A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.\n","example":"{\"fields\": {\"summary\": {{{case.title}}},\"description\": {{{case.description}}},\"labels\": {{{case.tags}}}}}"},"createIncidentMethod":{"type":"string","description":"The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`.\n","enum":["patch","post","put"],"default":"post"},"createIncidentResponseKey":{"type":"string","description":"The JSON key in the create external case response that contains the case ID."},"createIncidentUrl":{"type":"string","description":"The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n"},"getIncidentResponseExternalTitleKey":{"type":"string","description":"The JSON key in the get external case response that contains the case title."},"getIncidentUrl":{"type":"string","description":"The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. 
Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.\n","example":"https:\/\/example.com\/issue\/{{{external.system.id}}}"},"hasAuth":{"$ref":"#\/components\/schemas\/has_auth"},"headers":{"type":"string","description":"A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.\n"},"updateIncidentJson":{"type":"string","description":"The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.\n","example":"{\"fields\": {\"summary\": {{{case.title}}},\"description\": {{{case.description}}},\"labels\": {{{case.tags}}}}}"},"updateIncidentMethod":{"type":"string","description":"The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`.\n","default":"put","enum":["patch","post","put"]},"updateIncidentUrl":{"type":"string","description":"The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n","example":"https:\/\/example.com\/issue\/{{{external.system.ID}}}"},"verificationMode":{"$ref":"#\/components\/schemas\/verification_mode"},"viewIncidentUrl":{"type":"string","description":"The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.\n","example":"https:\/\/testing-jira.atlassian.net\/browse\/{{{external.system.title}}}"}}},"xmatters_config":{"title":"Connector request properties for an xMatters connector","description":"Defines properties for connectors when type is `.xmatters`.","type":"object","properties":{"configUrl":{"description":"The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`.\n","type":"string","nullable":true},"usesBasic":{"description":"Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`).","type":"boolean","default":true}}},"bedrock_secrets":{"title":"Connector secrets properties for an Amazon Bedrock connector","description":"Defines secrets for connectors when type is `.bedrock`.","type":"object","required":["accessKey","secret"],"properties":{"accessKey":{"type":"string","description":"The AWS access key for authentication."},"secret":{"type":"string","description":"The AWS secret for authentication."}}},"crowdstrike_secrets":{"title":"Connector secrets properties for a Crowdstrike connector","description":"Defines secrets for connectors when type is `.crowdstrike`.","type":"object","required":["clientId","clientSecret"],"properties":{"clientId":{"description":"The CrowdStrike API client identifier.","type":"string"},"clientSecret":{"description":"The CrowdStrike API client secret to authenticate the `clientId`.","type":"string"}}},"d3security_secrets":{"title":"Connector secrets properties for a D3 Security connector","description":"Defines 
secrets for connectors when type is `.d3security`.","required":["token"],"type":"object","properties":{"token":{"type":"string","description":"The D3 Security token."}}},"email_secrets":{"title":"Connector secrets properties for an email connector","description":"Defines secrets for connectors when type is `.email`.","type":"object","properties":{"clientSecret":{"type":"string","description":"The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required.\n"},"password":{"type":"string","description":"The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.\n"},"user":{"type":"string","description":"The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.\n"}}},"gemini_secrets":{"title":"Connector secrets properties for a Google Gemini connector","description":"Defines secrets for connectors when type is `.gemini`.","type":"object","required":["credentialsJson"],"properties":{"credentialsJson":{"type":"string","description":"The service account credentials JSON file. 
The service account should have Vertex AI user IAM role assigned to it."}}},"resilient_secrets":{"title":"Connector secrets properties for IBM Resilient connector","required":["apiKeyId","apiKeySecret"],"description":"Defines secrets for connectors when type is `.resilient`.","type":"object","properties":{"apiKeyId":{"type":"string","description":"The authentication key ID for HTTP Basic authentication."},"apiKeySecret":{"type":"string","description":"The authentication key secret for HTTP Basic authentication."}}},"jira_secrets":{"title":"Connector secrets properties for a Jira connector","required":["apiToken","email"],"description":"Defines secrets for connectors when type is `.jira`.","type":"object","properties":{"apiToken":{"description":"The Jira API authentication token for HTTP basic authentication.","type":"string"},"email":{"description":"The account email for HTTP Basic authentication.","type":"string"}}},"teams_secrets":{"title":"Connector secrets properties for a Microsoft Teams connector","description":"Defines secrets for connectors when type is `.teams`.","type":"object","required":["webhookUrl"],"properties":{"webhookUrl":{"type":"string","description":"The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.\n"}}},"genai_secrets":{"title":"Connector secrets properties for an OpenAI connector","description":"Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content.\n","type":"object","properties":{"apiKey":{"type":"string","description":"The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. 
With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one.\n"},"certificateData":{"type":"string","description":"Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI.\n","minLength":1},"privateKeyData":{"type":"string","description":"Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI.\n","minLength":1},"caData":{"type":"string","description":"Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional.\n","minLength":1}}},"opsgenie_secrets":{"title":"Connector secrets properties for an Opsgenie connector","required":["apiKey"],"description":"Defines secrets for connectors when type is `.opsgenie`.","type":"object","properties":{"apiKey":{"description":"The Opsgenie API authentication key for HTTP Basic authentication.","type":"string"}}},"pagerduty_secrets":{"title":"Connector secrets properties for a PagerDuty connector","description":"Defines secrets for connectors when type is `.pagerduty`.","type":"object","required":["routingKey"],"properties":{"routingKey":{"description":"A 32 character PagerDuty Integration Key for an integration on a service.\n","type":"string"}}},"sentinelone_secrets":{"title":"Connector secrets properties for a SentinelOne connector","description":"Defines secrets for connectors when type is `.sentinelone`.","type":"object","required":["token"],"properties":{"token":{"description":"The SentinelOne API token.","type":"string"}}},"servicenow_secrets":{"title":"Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors","description":"Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`.","type":"object","properties":{"clientSecret":{"type":"string","description":"The client secret assigned to your OAuth application. 
This property is required when `isOAuth` is `true`."},"password":{"type":"string","description":"The password for HTTP basic authentication. This property is required when `isOAuth` is `false`."},"privateKey":{"type":"string","description":"The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`."},"privateKeyPassword":{"type":"string","description":"The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key."},"username":{"type":"string","description":"The username for HTTP basic authentication. This property is required when `isOAuth` is `false`."}}},"slack_api_secrets":{"title":"Connector secrets properties for a Web API Slack connector","description":"Defines secrets for connectors when type is `.slack`.","required":["token"],"type":"object","properties":{"token":{"type":"string","description":"Slack bot user OAuth token."}}},"swimlane_secrets":{"title":"Connector secrets properties for a Swimlane connector","description":"Defines secrets for connectors when type is `.swimlane`.","type":"object","properties":{"apiToken":{"description":"Swimlane API authentication token.","type":"string"}}},"thehive_secrets":{"title":"Connector secrets properties for a TheHive connector","description":"Defines secrets for connectors when type is `.thehive`.","required":["apiKey"],"type":"object","properties":{"apiKey":{"type":"string","description":"The API key for authentication in TheHive."}}},"tines_secrets":{"title":"Connector secrets properties for a Tines connector","description":"Defines secrets for connectors when type is `.tines`.","type":"object","required":["email","token"],"properties":{"email":{"description":"The email used to sign in to Tines.","type":"string"},"token":{"description":"The Tines API token.","type":"string"}}},"torq_secrets":{"title":"Connector secrets properties for a Torq connector","description":"Defines secrets for 
connectors when type is `.torq`.","type":"object","required":["token"],"properties":{"token":{"description":"The secret of the webhook authentication header.","type":"string"}}},"crt":{"title":"Certificate","type":"string","description":"If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file."},"key":{"title":"Certificate key","type":"string","description":"If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file."},"pfx":{"title":"Personal information exchange","type":"string","description":"If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file."},"webhook_secrets":{"title":"Connector secrets properties for a Webhook connector","description":"Defines secrets for connectors when type is `.webhook`.","type":"object","properties":{"crt":{"$ref":"#\/components\/schemas\/crt"},"key":{"$ref":"#\/components\/schemas\/key"},"pfx":{"$ref":"#\/components\/schemas\/pfx"},"password":{"type":"string","description":"The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.\n"},"user":{"type":"string","description":"The username for HTTP basic authentication. If `hasAuth` is set to `true`  and `authType` is `webhook-authentication-basic`, this property is required.\n"}}},"cases_webhook_secrets":{"title":"Connector secrets properties for Webhook - Case Management connector","type":"object","properties":{"crt":{"$ref":"#\/components\/schemas\/crt"},"key":{"$ref":"#\/components\/schemas\/key"},"pfx":{"$ref":"#\/components\/schemas\/pfx"},"password":{"type":"string","description":"The password for HTTP basic authentication. 
If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.\n"},"user":{"type":"string","description":"The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.\n"}}},"xmatters_secrets":{"title":"Connector secrets properties for an xMatters connector","description":"Defines secrets for connectors when type is `.xmatters`.","type":"object","properties":{"password":{"description":"A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.\n","type":"string"},"secretsUrl":{"description":"The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`.\n","type":"string"},"user":{"description":"A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.\n","type":"string"}}},"genai_openai_other_config":{"title":"Connector request properties for an OpenAI connector with Other provider","description":"Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication.\n","type":"object","required":["apiProvider","apiUrl","defaultModel"],"properties":{"apiProvider":{"type":"string","description":"The OpenAI API provider.","enum":["Other"]},"apiUrl":{"type":"string","description":"The OpenAI-compatible API endpoint."},"defaultModel":{"type":"string","description":"The default model to use for requests."},"certificateData":{"type":"string","description":"PEM-encoded certificate content.","minLength":1},"privateKeyData":{"type":"string","description":"PEM-encoded private key content.","minLength":1},"caData":{"type":"string","description":"PEM-encoded CA certificate content.","minLength":1},"verificationMode":{"type":"string","description":"SSL verification mode for PKI 
authentication.","enum":["full","certificate","none"],"default":"full"},"headers":{"type":"object","description":"Custom headers to include in requests.","additionalProperties":{"type":"string"}}}},"defender_secrets":{"title":"Connector secrets properties for a Microsoft Defender for Endpoint connector","required":["clientSecret"],"description":"Defines secrets for connectors when type is `..microsoft_defender_endpoint`.","type":"object","properties":{"clientSecret":{"description":"The client secret for your app in the Azure portal.","type":"string"}}},"run_acknowledge_resolve_pagerduty":{"title":"PagerDuty connector parameters","description":"Test an action that acknowledges or resolves a PagerDuty alert.","type":"object","required":["dedupKey","eventAction"],"properties":{"dedupKey":{"description":"The deduplication key for the PagerDuty alert.","type":"string","maxLength":255},"eventAction":{"description":"The type of event.","type":"string","enum":["acknowledge","resolve"]}}},"run_documents":{"title":"Index connector parameters","description":"Test an action that indexes a document into Elasticsearch.","type":"object","required":["documents"],"properties":{"documents":{"type":"array","description":"The documents in JSON format for index connectors.","items":{"type":"object","additionalProperties":true}}}},"run_message_email":{"title":"Email connector parameters","description":"Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`.\n","type":"object","required":["message","subject"],"properties":{"bcc":{"type":"array","items":{"type":"string"},"description":"A list of \"blind carbon copy\" email addresses. Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format\n"},"cc":{"type":"array","items":{"type":"string"},"description":"A list of \"carbon copy\" email addresses. 
Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format \n"},"message":{"type":"string","description":"The email message text. Markdown format is supported."},"subject":{"type":"string","description":"The subject line of the email."},"to":{"type":"array","description":"A list of email addresses. Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format.\n","items":{"type":"string"}}}},"run_message_serverlog":{"title":"Server log connector parameters","description":"Test an action that writes an entry to the Kibana server log.","type":"object","required":["message"],"properties":{"level":{"type":"string","description":"The log level of the message for server log connectors.","enum":["debug","error","fatal","info","trace","warn"],"default":"info"},"message":{"type":"string","description":"The message for server log connectors."}}},"run_message_slack":{"title":"Slack connector parameters","description":"Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`.\n","type":"object","required":["message"],"properties":{"message":{"type":"string","description":"The Slack message text, which cannot contain Markdown, images, or other advanced formatting."}}},"run_trigger_pagerduty":{"title":"PagerDuty connector parameters","description":"Test an action that triggers a PagerDuty alert.","type":"object","required":["eventAction"],"properties":{"class":{"description":"The class or type of the event.","type":"string","example":"cpu load"},"component":{"description":"The component of the source machine that is responsible for the event.","type":"string","example":"eth0"},"customDetails":{"description":"Additional details to add to the event.","type":"object"},"dedupKey":{"description":"All actions sharing this key will be associated with the same PagerDuty alert. 
This value is used to correlate trigger and resolution.\n","type":"string","maxLength":255},"eventAction":{"description":"The type of event.","type":"string","enum":["trigger"]},"group":{"description":"The logical grouping of components of a service.","type":"string","example":"app-stack"},"links":{"description":"A list of links to add to the event.","type":"array","items":{"type":"object","properties":{"href":{"description":"The URL for the link.","type":"string"},"text":{"description":"A plain text description of the purpose of the link.","type":"string"}}}},"severity":{"description":"The severity of the event on the affected system.","type":"string","enum":["critical","error","info","warning"],"default":"info"},"source":{"description":"The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action.\n","type":"string"},"summary":{"description":"A summary of the event.","type":"string","maxLength":1024},"timestamp":{"description":"An ISO-8601 timestamp that indicates when the event was detected or generated.","type":"string","format":"date-time"}}},"run_addevent":{"title":"The addEvent subaction","type":"object","required":["subAction"],"description":"The `addEvent` subaction for ServiceNow ITOM connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["addEvent"]},"subActionParams":{"type":"object","description":"The set of configuration properties for the action.","properties":{"additional_info":{"type":"string","description":"Additional information about the event."},"description":{"type":"string","description":"The details about the event."},"event_class":{"type":"string","description":"A specific instance of the source."},"message_key":{"type":"string","description":"All actions sharing this key are associated with the same ServiceNow alert. 
The default value is `<rule ID>:<alert instance ID>`."},"metric_name":{"type":"string","description":"The name of the metric."},"node":{"type":"string","description":"The host that the event was triggered for."},"resource":{"type":"string","description":"The name of the resource."},"severity":{"type":"string","description":"The severity of the event."},"source":{"type":"string","description":"The name of the event source type."},"time_of_event":{"type":"string","description":"The time of the event."},"type":{"type":"string","description":"The type of event."}}}}},"run_closealert":{"title":"The closeAlert subaction","type":"object","required":["subAction","subActionParams"],"description":"The `closeAlert` subaction for Opsgenie connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["closeAlert"]},"subActionParams":{"type":"object","required":["alias"],"properties":{"alias":{"type":"string","description":"The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert."},"note":{"type":"string","description":"Additional information for the alert."},"source":{"type":"string","description":"The display name for the source of the alert."},"user":{"type":"string","description":"The display name for the owner."}}}}},"run_closeincident":{"title":"The closeIncident subaction","type":"object","required":["subAction","subActionParams"],"description":"The `closeIncident` subaction for ServiceNow ITSM connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["closeIncident"]},"subActionParams":{"type":"object","required":["incident"],"properties":{"incident":{"type":"object","anyOf":[{"required":["correlation_id"]},{"required":["externalId"]}],"properties":{"correlation_id":{"type":"string","nullable":true,"description":"An identifier that is assigned to the incident when it is created by the connector. 
NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.\n","maxLength":100,"default":"{{rule.id}}:{{alert.id}}"},"externalId":{"type":"string","nullable":true,"description":"The unique identifier (`incidentId`) for the incident in ServiceNow."}}}}}}},"run_createalert":{"title":"The createAlert subaction","type":"object","required":["subAction","subActionParams"],"description":"The `createAlert` subaction for Opsgenie and TheHive connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["createAlert"]},"subActionParams":{"type":"object","properties":{"actions":{"type":"array","description":"The custom actions available to the alert in Opsgenie connectors.","items":{"type":"string"}},"alias":{"type":"string","description":"The unique identifier used for alert deduplication in Opsgenie."},"description":{"type":"string","description":"A description that provides detailed information about the alert."},"details":{"type":"object","description":"The custom properties of the alert in Opsgenie connectors.","additionalProperties":true,"example":{"key1":"value1","key2":"value2"}},"entity":{"type":"string","description":"The domain of the alert in Opsgenie connectors. For example, the application or server name."},"message":{"type":"string","description":"The alert message in Opsgenie connectors."},"note":{"type":"string","description":"Additional information for the alert in Opsgenie connectors."},"priority":{"type":"string","description":"The priority level for the alert in Opsgenie connectors.","enum":["P1","P2","P3","P4","P5"]},"responders":{"type":"array","description":"The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. 
If `type` is `team`, either `id` or `name` is required.\n","items":{"type":"object","properties":{"id":{"type":"string","description":"The identifier for the entity."},"name":{"type":"string","description":"The name of the entity."},"type":{"type":"string","description":"The type of responders, in this case `escalation`.","enum":["escalation","schedule","team","user"]},"username":{"type":"string","description":"A valid email address for the user."}}}},"severity":{"type":"integer","minimum":1,"maximum":4,"description":"The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).\n"},"source":{"type":"string","description":"The display name for the source of the alert in Opsgenie and TheHive connectors."},"sourceRef":{"type":"string","description":"A source reference for the alert in TheHive connectors."},"tags":{"type":"array","description":"The tags for the alert in Opsgenie and TheHive connectors.","items":{"type":"string"}},"title":{"type":"string","description":"A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base.\n"},"tlp":{"type":"integer","minimum":0,"maximum":4,"default":2,"description":"The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).\n"},"type":{"type":"string","description":"The type of alert in TheHive connectors."},"user":{"type":"string","description":"The display name for the owner."},"visibleTo":{"type":"array","description":"The teams and users that the alert will be visible to without sending a notification. 
Only one of `id`, `name`, or `username` is required.","items":{"type":"object","required":["type"],"properties":{"id":{"type":"string","description":"The identifier for the entity."},"name":{"type":"string","description":"The name of the entity."},"type":{"type":"string","description":"Valid values are `team` and `user`.","enum":["team","user"]},"username":{"type":"string","description":"The user name. This property is required only when the `type` is `user`."}}}}}}}},"run_fieldsbyissuetype":{"title":"The fieldsByIssueType subaction","type":"object","required":["subAction","subActionParams"],"description":"The `fieldsByIssueType` subaction for Jira connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["fieldsByIssueType"]},"subActionParams":{"type":"object","required":["id"],"properties":{"id":{"type":"string","description":"The Jira issue type identifier.","example":10024}}}}},"run_getagentdetails":{"title":"The getAgentDetails subaction","type":"object","required":["subAction","subActionParams"],"description":"The `getAgentDetails` subaction for CrowdStrike connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["getAgentDetails"]},"subActionParams":{"type":"object","description":"The set of configuration properties for the action.","required":["ids"],"properties":{"ids":{"type":"array","description":"An array of CrowdStrike agent identifiers.","items":{"type":"string"}}}}}},"run_getagents":{"title":"The getAgents subaction","type":"object","required":["subAction"],"description":"The `getAgents` subaction for SentinelOne connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["getAgents"]}}},"run_getchoices":{"title":"The getChoices subaction","type":"object","required":["subAction","subActionParams"],"description":"The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps 
connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["getChoices"]},"subActionParams":{"type":"object","description":"The set of configuration properties for the action.","required":["fields"],"properties":{"fields":{"type":"array","description":"An array of fields.","items":{"type":"string"}}}}}},"run_getfields":{"title":"The getFields subaction","type":"object","required":["subAction"],"description":"The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["getFields"]}}},"run_getincident":{"title":"The getIncident subaction","type":"object","description":"The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.","required":["subAction","subActionParams"],"properties":{"subAction":{"type":"string","description":"The action to test.","enum":["getIncident"]},"subActionParams":{"type":"object","required":["externalId"],"properties":{"externalId":{"type":"string","description":"The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier.","example":71778}}}}},"run_issue":{"title":"The issue subaction","type":"object","required":["subAction"],"description":"The `issue` subaction for Jira connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["issue"]},"subActionParams":{"type":"object","required":["id"],"properties":{"id":{"type":"string","description":"The Jira issue identifier.","example":71778}}}}},"run_issues":{"title":"The issues subaction","type":"object","required":["subAction","subActionParams"],"description":"The `issues` subaction for Jira connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["issues"]},"subActionParams":{"type":"object","required":["title"],"properties":{"title":{"type":"string","description":"The title of the Jira 
issue."}}}}},"run_issuetypes":{"title":"The issueTypes subaction","type":"object","required":["subAction"],"description":"The `issueTypes` subaction for Jira connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["issueTypes"]}}},"run_postmessage":{"title":"The postMessage subaction","type":"object","description":"Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`.\n","required":["subAction","subActionParams"],"properties":{"subAction":{"type":"string","description":"The action to test.","enum":["postMessage"]},"subActionParams":{"type":"object","description":"The set of configuration properties for the action.","properties":{"channelIds":{"type":"array","maxItems":1,"description":"The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration.\n","items":{"type":"string"}},"channels":{"type":"array","deprecated":true,"description":"The name of a channel that your Slack app has access to.\n","maxItems":1,"items":{"type":"string"}},"text":{"type":"string","description":"The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. 
If it is a Slack web API connector, it can contain either plain text or block kit messages.\n","minLength":1}}}}},"run_pushtoservice":{"title":"The pushToService subaction","type":"object","required":["subAction","subActionParams"],"description":"The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.","properties":{"subAction":{"type":"string","description":"The action to test.","enum":["pushToService"]},"subActionParams":{"type":"object","description":"The set of configuration properties for the action.","properties":{"comments":{"type":"array","description":"Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive.","items":{"type":"object","properties":{"comment":{"type":"string","description":"A comment related to the incident. For example, describe how to troubleshoot the issue."},"commentId":{"type":"integer","description":"A unique identifier for the comment."}}}},"incident":{"type":"object","description":"Information necessary to create or update a Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive incident.","properties":{"additional_fields":{"type":"string","nullable":true,"maxLength":20,"description":"Additional fields for ServiceNow ITSM and ServiceNow SecOps connectors. 
The fields must exist in the Elastic ServiceNow application and must be specified in JSON format.\n"},"alertId":{"type":"string","description":"The alert identifier for Swimlane connectors."},"caseId":{"type":"string","description":"The case identifier for the incident for Swimlane connectors."},"caseName":{"type":"string","description":"The case name for the incident for Swimlane connectors."},"category":{"type":"string","description":"The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors."},"correlation_display":{"type":"string","description":"A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors."},"correlation_id":{"type":"string","description":"The correlation identifier for the security incident for ServiceNow ITSM and ServiceNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.\n"},"description":{"type":"string","description":"The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors."},"dest_ip":{"description":"A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. 
The IPs are added as observables to the security incident.\n","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]},"externalId":{"type":"string","description":"The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.\n"},"id":{"type":"string","description":"The external case identifier for Webhook - Case Management connectors."},"impact":{"type":"string","description":"The impact of the incident for ServiceNow ITSM connectors."},"issueType":{"type":"integer","description":"The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`."},"labels":{"type":"array","items":{"type":"string"},"description":"The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces.\n"},"malware_hash":{"description":"A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident.","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]},"malware_url":{"type":"string","description":"A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident.","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]},"otherFields":{"type":"object","additionalProperties":true,"maxProperties":20,"description":"Custom field identifiers and their values for Jira connectors.\n"},"parent":{"type":"string","description":"The ID or key of the parent issue for Jira connectors. 
Applies only to `Sub-task` types of issues."},"priority":{"type":"string","description":"The priority of the incident in Jira and ServiceNow SecOps connectors."},"ruleName":{"type":"string","description":"The rule name for Swimlane connectors."},"severity":{"type":"integer","description":"The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).\n"},"short_description":{"type":"string","description":"A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base.\n"},"source_ip":{"description":"A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.","oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]},"status":{"type":"string","description":"The status of the incident for Webhook - Case Management connectors."},"subcategory":{"type":"string","description":"The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors."},"summary":{"type":"string","description":"A summary of the incident for Jira connectors."},"tags":{"type":"array","items":{"type":"string"},"description":"A list of tags for TheHive and Webhook - Case Management connectors."},"title":{"type":"string","description":"A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base.\n"},"tlp":{"type":"integer","minimum":0,"maximum":4,"default":2,"description":"The traffic light protocol designation for the incident in TheHive connectors. 
Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).\n"},"urgency":{"type":"string","description":"The urgency of the incident for ServiceNow ITSM connectors."}}}}}}},"run_validchannelid":{"title":"The validChannelId subaction","type":"object","description":"Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`.\n","required":["subAction","subActionParams"],"properties":{"subAction":{"type":"string","description":"The action to test.","enum":["validChannelId"]},"subActionParams":{"type":"object","required":["channelId"],"properties":{"channelId":{"type":"string","description":"The Slack channel identifier.","example":"C123ABC456"}}}}}},"securitySchemes":{"apiKeyAuth":{"description":"You must create an API key and use the encoded value in the request header. To learn about creating keys, go to [API keys](https:\/\/www.elastic.co\/docs\/current\/serverless\/api-keys).","in":"header","name":"Authorization","type":"apiKey"}}},"x-topics":[{"title":"Kibana spaces","content":"Spaces enable you to organize your dashboards and other saved objects into meaningful categories.\nYou can use the default space or create your own spaces.\n\nTo run APIs in non-default spaces, you must add `s\/{space_id}\/` to the path.\nFor example:\n\n```bash\ncurl -X GET \"http:\/\/${KIBANA_URL}\/s\/marketing\/api\/data_views\" \\\n  -H \"Authorization: ApiKey ${API_KEY}\"\n```\n\nIf you use the Kibana console to send API requests, it automatically adds the appropriate space identifier.\n\nTo learn more, check out [Spaces](https:\/\/www.elastic.co\/docs\/deploy-manage\/manage-spaces).\n"}]}