From 102297ca151d56c8a7da36c14c72386b4cd225ca Mon Sep 17 00:00:00 2001 From: Maxim Palenov Date: Fri, 4 Oct 2024 22:34:25 +0300 Subject: [PATCH] [HTTP/OAS] Include Security Solution domain OAS to production docs (#194132) *Epic:** https://github.com/elastic/security-team/issues/9401 (internal) ## Summary This PR includes Security Solution OpenAPI domain bundles into the production OpenAPI Kibana bundle. The result Kibana bundler is expected to be published to Bump.sh manually by @lcawl. --- .../output/kibana.serverless.staging.yaml | 9 + oas_docs/output/kibana.serverless.yaml | 32542 +++++++++--- oas_docs/output/kibana.staging.yaml | 9 + oas_docs/output/kibana.yaml | 40938 +++++++++++----- .../overlays/kibana.overlays.serverless.yaml | 8 +- oas_docs/overlays/kibana.overlays.yaml | 6 +- oas_docs/scripts/merge_ess_oas.js | 6 + oas_docs/scripts/merge_serverless_oas.js | 6 + ...eptions_api_2023_10_31.bundled.schema.yaml | 1 + ...eptions_api_2023_10_31.bundled.schema.yaml | 1 + .../scripts/openapi_bundle.js | 2 + ...eptions_api_2023_10_31.bundled.schema.yaml | 1 + ...eptions_api_2023_10_31.bundled.schema.yaml | 1 + .../scripts/openapi_bundle.js | 2 + ...n_lists_api_2023_10_31.bundled.schema.yaml | 1 + ...n_lists_api_2023_10_31.bundled.schema.yaml | 1 + .../scripts/openapi_bundle.js | 2 + ...sistant_api_2023_10_31.bundled.schema.yaml | 1 + ...sistant_api_2023_10_31.bundled.schema.yaml | 1 + .../scripts/openapi/bundle.js | 2 + ...osquery_api_2023_10_31.bundled.schema.yaml | 1 + ...osquery_api_2023_10_31.bundled.schema.yaml | 1 + .../plugins/osquery/scripts/openapi/bundle.js | 2 + .../risk_engine/engine_cleanup_route.gen.ts | 2 +- .../engine_cleanup_route.schema.yaml | 3 +- .../common/api/quickstart_client.gen.ts | 2 +- ...ections_api_2023_10_31.bundled.schema.yaml | 1 + ...agement_api_2023_10_31.bundled.schema.yaml | 1 + ...entity_analytics_api_1.bundled.schema.yaml | 88 - ...alytics_api_2023_10_31.bundled.schema.yaml | 53 + ...imeline_api_2023_10_31.bundled.schema.yaml | 1 + ...ections_api_2023_10_31.bundled.schema.yaml | 1 + ...agement_api_2023_10_31.bundled.schema.yaml | 1 + ...entity_analytics_api_1.bundled.schema.yaml | 88 - ...alytics_api_2023_10_31.bundled.schema.yaml | 53 + ...imeline_api_2023_10_31.bundled.schema.yaml | 1 + .../scripts/openapi/bundle_detections.js | 2 + .../openapi/bundle_endpoint_management.js | 2 + .../openapi/bundle_entity_analytics.js | 2 + .../scripts/openapi/bundle_timeline.js | 2 + .../services/security_solution_api.gen.ts | 2 +- 41 files changed, 54283 insertions(+), 19566 deletions(-) delete mode 100644 x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_1.bundled.schema.yaml delete mode 100644 x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_1.bundled.schema.yaml diff --git a/oas_docs/output/kibana.serverless.staging.yaml b/oas_docs/output/kibana.serverless.staging.yaml index 39819e8307e75..5a185579f4988 100644 --- a/oas_docs/output/kibana.serverless.staging.yaml +++ b/oas_docs/output/kibana.serverless.staging.yaml @@ -33502,33 +33502,42 @@ tags: x-displayName: Saved objects - description: Manage and interact with Security Assistant resources. name: Security AI Assistant API + x-displayName: Security AI assistant - description: >- You can create rules that automatically turn events and external alerts sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page. name: Security Detections API + x-displayName: Security detections - description: >- Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Endpoint Exceptions API + x-displayName: Security endpoint exceptions - description: Interact with and manage endpoints running the Elastic Defend integration. name: Security Endpoint Management API + x-displayName: Security endpoint management - description: '' name: Security Entity Analytics API + x-displayName: Security entity analytics - description: >- Exceptions API allows you to manage detection rule exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Exceptions API + x-displayName: Security exceptions - description: Lists API allows you to manage lists of keywords, IPs or IP ranges items. name: Security Lists API + x-displayName: Security lists - description: Run live queries, manage packs and saved queries. name: Security Osquery API + x-displayName: Security Osquery - description: >- You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. name: Security Timeline API + x-displayName: Security timeline - description: SLO APIs enable you to define, manage and track service-level objectives name: slo - name: spaces diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index c30f683b3bf97..5a185579f4988 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -5402,6 +5402,270 @@ paths: summary: Search for annotations tags: - APM annotations + /api/asset_criticality: + delete: + description: Delete the asset criticality record for a specific entity. + operationId: DeleteAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + deleted: + description: >- + True if the record was deleted or false if the record did + not exist. + type: boolean + record: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete an asset criticality record + tags: + - Security Entity Analytics API + get: + description: Get the asset criticality record for a specific entity. + operationId: GetAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get an asset criticality record + tags: + - Security Entity Analytics API + post: + description: > + Create or update an asset criticality record for a specific entity. + + + If a record already exists for the specified entity, that record is + overwritten with the specified value. If a record doesn't exist for the + specified entity, a new record is created. + operationId: CreateAssetCriticalityRecord + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + refresh: + description: >- + If 'wait_for' the request will wait for the index + refresh. + enum: + - wait_for + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + summary: Upsert an asset criticality record + tags: + - Security Entity Analytics API + /api/asset_criticality/bulk: + post: + description: > + Bulk upsert up to 1000 asset criticality records. + + + If asset criticality records already exist for the specified entities, + those records are overwritten with the specified values. If asset + criticality records don't exist for the specified entities, new records + are created. + operationId: BulkUpsertAssetCriticalityRecords + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 + type: object + properties: + records: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord + maxItems: 1000 + minItems: 1 + type: array + required: + - records + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem + type: array + stats: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk upsert asset criticality records + tags: + - Security Entity Analytics API + /api/asset_criticality/list: + get: + description: List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords + parameters: + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - \@timestamp + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Bulk upload successful + summary: List asset criticality records + tags: + - Security Entity Analytics API /api/data_views: get: operationId: getAllDataViewsDefault @@ -5926,9 +6190,18 @@ paths: summary: Preview a saved object reference swap tags: - data views - /api/fleet/agent_download_sources: + /api/detection_engine/privileges: get: - operationId: get-download-sources + description: > + Retrieves whether or not the user is authenticated, and the user's + Kibana + + space and index privileges, which determine if the user can create an + + index for the Elastic Security alerts generated by + + detection engine rules. + operationId: ReadPrivileges responses: '200': content: @@ -5936,399 +6209,311 @@ paths: schema: type: object properties: - items: - items: - $ref: '#/components/schemas/Fleet_download_sources' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent binary download sources - tags: - - Elastic Agent binary download sources - post: - operationId: post-download-sources - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - type: string - id: - type: string - is_default: - type: boolean - name: - type: string - required: - - name - - host - - is_default - responses: - '200': + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent binary download source + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Returns user privileges for the Kibana space tags: - - Elastic Agent binary download sources - /api/fleet/agent_download_sources/{sourceId}: + - Security Detections API + - Privileges API + /api/detection_engine/rules: delete: - operationId: delete-download-source + description: Delete a detection rule using the `rule_id` or `id` field. + operationId: DeleteRule parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent binary download source by ID + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Delete a detection rule tags: - - Elastic Agent binary download sources + - Security Detections API + - Rules API get: - operationId: get-one-download-source + description: Retrieve a detection rule using the `rule_id` or `id` field. + operationId: ReadRule + parameters: + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent binary download source by ID + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Retrieve a detection rule tags: - - Elastic Agent binary download sources - parameters: - - in: path - name: sourceId - required: true - schema: - type: string - put: - operationId: update-download-source - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - Security Detections API + - Rules API + patch: + description: >- + Update specific fields of an existing detection rule using the `rule_id` + or `id` field. + operationId: PatchRule requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - host: - type: string - is_default: - type: boolean - name: - type: string - required: - - name - - is_default - - host - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent binary download source by ID - tags: - - Elastic Agent binary download sources - /api/fleet/agent_policies: - get: - description: '' - operationId: agent-policy-list - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_format' - - description: >- - When set to true, retrieve the related package policies for each - agent policy. - in: query - name: full - schema: - type: boolean - - description: >- - When set to true, do not count how many agents are in the agent - policy, this can improve performance if you are searching over a - large number of agent policies. The "agents" property will always be - 0 if set to true. - in: query - name: noAgentCount - schema: - type: boolean + $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent_policy' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent policies + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Patch a detection rule tags: - - Elastic Agent policies + - Security Detections API + - Rules API post: - operationId: create-agent-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: Create a new detection rule. + operationId: CreateRule requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_agent_policy_create_request' + $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent policy + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Create a detection rule tags: - - Elastic Agent policies - /api/fleet/agent_policies/_bulk_get: - post: - operationId: bulk-get-agent-policies - parameters: - - $ref: '#/components/parameters/Fleet_format' + - Security Detections API + - Rules API + put: + description: > + Update a detection rule using the `rule_id` or `id` field. The original + rule is replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. + operationId: UpdateRule requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of agent policy ids - items: - type: string - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent_policy' - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get agent policies - tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}: - get: - description: Get one agent policy - operationId: agent-policy-info - parameters: [] + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent policy by ID + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Update a detection rule tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - $ref: '#/components/parameters/Fleet_format' - put: - operationId: update-agent-policy + - Security Detections API + - Rules API + /api/detection_engine/rules/_bulk_action: + post: + description: >- + Apply a bulk action, such as bulk edit, duplicate, or delete, to + multiple detection rules. The bulk action is applied to all rules that + match the query or to the rules listed by their IDs. + operationId: PerformRulesBulkAction parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: Enables dry run mode for the request call. + in: query + name: dry_run + required: false + schema: + type: boolean requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_agent_policy_update_request' + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkDisableRules + - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkDuplicateRules + - $ref: >- + #/components/schemas/Security_Detections_API_BulkManualRuleRun + - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionResponse + - $ref: >- + #/components/schemas/Security_Detections_API_BulkExportActionResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent policy by ID + summary: Apply a bulk action to detection rules tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/copy: - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - $ref: '#/components/parameters/Fleet_format' + - Security Detections API + - Bulk API + /api/detection_engine/rules/_export: post: - operationId: agent-policy-copy + description: > + Export detection rules to an `.ndjson` file. The following configuration + items are also included in the `.ndjson` file: + + - Actions + + - Exception lists + + > info + + > You cannot export prebuilt rules. + operationId: ExportRules parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: File name for saving the exported rules. + in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: + nullable: true type: object properties: - description: - type: string - name: - type: string + objects: + description: >- + Array of `rule_id` fields. Exports all rules when + unspecified. + items: + type: object + properties: + rule_id: + $ref: >- + #/components/schemas/Security_Detections_API_RuleSignatureId + required: + - rule_id + type: array required: - - name - description: '' + - objects + required: false responses: '200': content: - application/json; Elastic-Api-Version=2023-10-31: + application/ndjson; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Copy agent policy by ID + description: An `.ndjson` file containing the returned rules. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/download: + - Security Detections API + - Import/Export API + /api/detection_engine/rules/_find: get: - operationId: agent-policy-download - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Download agent policy by ID - tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: download - required: false - schema: - type: string - - in: query - name: standalone - required: false - schema: - type: string - - in: query - name: kubernetes - required: false - schema: - type: string - /api/fleet/agent_policies/{agentPolicyId}/full: - get: - operationId: agent-policy-full + description: >- + Retrieve a paginated list of detection rules. By default, the first page + is returned, with 20 results per page. + operationId: FindRules + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer responses: '200': content: @@ -6336,93 +6521,275 @@ paths: schema: type: object properties: - item: - oneOf: - - type: string - - $ref: '#/components/schemas/Fleet_agent_policy_full' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get full agent policy by ID + data: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RuleResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + summary: List all detection rules tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: download - required: false - schema: - type: string - - in: query - name: standalone - required: false - schema: - type: string - - in: query - name: kubernetes - required: false - schema: - type: string - /api/fleet/agent_policies/delete: - parameters: [] + - Security Detections API + - Rules API + /api/detection_engine/rules/_import: post: - operationId: delete-agent-policy + description: > + Import detection rules from an `.ndjson` file, including actions and + exception lists. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - A link to the `.ndjson` file containing the rules. + operationId: ImportRules parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: >- + Determines whether existing rules with the same `rule_id` are + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing exception lists with the same `list_id` + are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing actions with the same + `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean requestBody: content: - application/json; Elastic-Api-Version=2023-10-31: + multipart/form-data; Elastic-Api-Version=2023-10-31: schema: type: object properties: - agentPolicyId: + file: + description: The `.ndjson` file containing the rules. + format: binary type: string - force: - description: >- - bypass validation checks that can prevent agent policy - deletion - type: boolean - required: - - agentPolicyId + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: false type: object properties: - id: - type: string + action_connectors_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: >- + #/components/schemas/Security_Detections_API_WarningSchema + type: array + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer success: type: boolean + success_count: + minimum: 0 + type: integer required: - - id + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count - success - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent policy by ID + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules tags: - - Elastic Agent policies - /api/fleet/agent_status: - get: - operationId: get-agent-status + - Security Detections API + - Import/Export API + /api/detection_engine/rules/{id}/exceptions: + post: + description: Create exception items that apply to a single detection rule. + operationId: CreateRuleExceptionListItems parameters: - - in: query - name: policyId - required: false + - description: Detection rule's identifier + in: path + name: id + required: true schema: - type: string - - deprecated: true + $ref: '#/components/schemas/Security_Exceptions_API_RuleId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps + type: array + required: + - items + description: Rule exception list items + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create rule exception list items + tags: + - Security Exceptions API + /api/detection_engine/rules/preview: + post: + operationId: RulePreview + parameters: + - description: >- + Enables logging and returning in response ES queries, performed + during rule execution in: query - name: kuery + name: enable_logged_requests required: false schema: - type: string + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_EsqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + discriminator: + propertyName: type + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true responses: '200': content: @@ -6430,785 +6797,717 @@ paths: schema: type: object properties: - active: - type: integer - all: - type: integer - error: - type: integer - events: - type: integer - inactive: - type: integer - offline: - type: integer - online: - type: integer - other: - type: integer - total: - deprecated: true - type: integer - unenrolled: - type: integer - updating: - type: integer + isAborted: + type: boolean + logs: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewLogs + type: array + previewId: + $ref: >- + #/components/schemas/Security_Detections_API_NonEmptyString required: - - active - - all - - error - - events - - inactive - - offline - - online - - other - - total - - updating - description: OK + - logs + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent status summary - tags: - - Elastic Agent status - /api/fleet/agent_status/data: - get: - operationId: get-agent-data - parameters: - - in: query - name: agentsIds - required: true - schema: - items: - type: string - type: array - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - additionalProperties: - type: object - properties: - data: - type: boolean - type: object - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get incoming agent data - tags: - - Elastic Agent status - /api/fleet/agent-status: - get: - deprecated: true - operationId: get-agent-status-deprecated - parameters: - - in: query - name: policyId - required: false - schema: - type: string - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - error: - type: integer - events: - type: integer - inactive: - type: integer - offline: - type: integer - online: - type: integer - other: - type: integer - total: - type: integer - updating: - type: integer - required: - - error - - events - - inactive - - offline - - online - - other - - total - - updating - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent status summary - tags: - - Elastic Agent status - /api/fleet/agents: - get: - operationId: get-agents - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_show_inactive' - - $ref: '#/components/parameters/Fleet_show_upgradeable' - - $ref: '#/components/parameters/Fleet_sort_field' - - $ref: '#/components/parameters/Fleet_sort_order' - - $ref: '#/components/parameters/Fleet_with_metrics' - - in: query - name: getStatusSummary - required: false - schema: - type: boolean - responses: - '200': + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_get_agents_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agents + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Preview rule alerts generated on specified time range tags: - - Elastic Agents + - Security Detections API + - Rule preview API + /api/detection_engine/signals/assignees: post: - operationId: get-agents-by-actions - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: | + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - actionIds: - items: - type: string - type: array + assignees: + $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' + description: Details about the assignees to assign and unassign. + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + description: List of alerts ids to assign and unassign passed assignees. required: - - policy_id + - assignees + - ids required: true responses: '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_agent_get_by_actions' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agents by action ids - tags: - - Elastic Agents - /api/fleet/agents/{agentId}: - delete: - operationId: delete-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent by ID - tags: - - Elastic Agents - get: - operationId: get-agent - parameters: - - $ref: '#/components/parameters/Fleet_with_metrics' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent' - required: - - item - description: OK + description: Indicates a successful call. '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent by ID + description: Invalid request. + summary: Assign and unassign users from detection alerts tags: - - Elastic Agents - parameters: - - in: path - name: agentId - required: true - schema: - type: string - put: - operationId: update-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - Security Detections API + /api/detection_engine/signals/search: + post: + description: Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: + description: Elasticsearch query and aggregation request type: object properties: - tags: + _source: + oneOf: + - type: boolean + - type: string + - items: + type: string + type: array + aggs: + additionalProperties: true + type: object + fields: items: type: string type: array - user_provided_metadata: + query: + additionalProperties: true + type: object + runtime_mappings: + additionalProperties: true type: object + size: + minimum: 0 + type: integer + sort: + $ref: '#/components/schemas/Security_Detections_API_AlertsSort' + track_total_hits: + type: boolean + description: Search and/or aggregation query required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: true + description: Elasticsearch search response type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent' - required: - - item - description: OK + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent by ID + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Find and/or aggregate detection alerts tags: - - Elastic Agents - /api/fleet/agents/{agentId}/actions: - parameters: - - in: path - name: agentId - required: true - schema: - type: string + - Security Detections API + - Alerts API + /api/detection_engine/signals/status: post: - operationId: new-agent-action - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: Set the status of one or more detection alerts. + operationId: SetAlertsStatus requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - action: - $ref: '#/components/schemas/Fleet_agent_action' + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByIds + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery + description: >- + An object containing desired status and explicit alert ids or a query + to select alerts required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: true + description: Elasticsearch update by query response type: object - properties: - body: - items: - type: number - type: array - headers: - type: string - statusCode: - type: number - description: OK + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent action + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Set a detection alert status tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/reassign: - parameters: - - in: path - name: agentId - required: true - schema: - type: string + - Security Detections API + - Alerts API + /api/detection_engine/signals/tags: post: - operationId: reassign-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: | + And tags to detection alerts, and remove them from alerts. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - policy_id: - type: string + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + tags: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' required: - - policy_id + - ids + - tags + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: true + description: Elasticsearch update by query response type: object - description: OK + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Reassign agent - tags: - - Elastic Agents - put: - deprecated: true - operationId: reassign-agent-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - policy_id: - type: string - required: - - policy_id - required: true - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Reassign agent + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Add and remove detection alert tags tags: - - Elastic Agents - /api/fleet/agents/{agentId}/request_diagnostics: - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: request-diagnostics-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - additional_metrics: - items: - oneOf: - - enum: - - CPU - type: string - type: array + - Security Detections API + - Alerts API + /api/detection_engine/tags: + get: + description: List all unique tags from all detection rules. + operationId: ReadTags responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Request agent diagnostics + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + description: Indicates a successful call + summary: List all detection rule tags tags: - - Elastic Agents - /api/fleet/agents/{agentId}/unenroll: - parameters: - - in: path - name: agentId - required: true - schema: - type: string + - Security Detections API + - Tags API + /api/endpoint_list: post: - operationId: unenroll-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - revoke: - type: boolean + description: >- + Create an endpoint exception list, which groups endpoint exception list + items. If an endpoint exception list already exists, an empty response + is returned. + operationId: CreateEndpointList responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - description: OK + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList + description: Successful response '400': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - enum: - - 400 - type: number - description: BAD REQUEST - summary: Unenroll agent - tags: - - Elastic Agents - /api/fleet/agents/{agentId}/upgrade: - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: upgrade-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_upgrade_agent' - required: true - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_upgrade_agent' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Upgrade agent - tags: - - Elastic Agents - /api/fleet/agents/{agentId}/uploads: - get: - operationId: list-agent-uploads - responses: - '200': + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - body: - type: object - properties: - item: - items: - $ref: '#/components/schemas/Fleet_agent_diagnostics' - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent uploads + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an endpoint exception list tags: - - Elastic Agents - parameters: - - in: path - name: agentId - required: true - schema: - type: string - /api/fleet/agents/action_status: - get: - operationId: agents-action-status + - Security Endpoint Exceptions API + /api/endpoint_list/items: + delete: + description: >- + Delete an endpoint exception list item using the `id` or `item_id` + field. + operationId: DeleteEndpointListItem parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - in: query - name: errorSize + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false schema: - default: 5 - type: integer + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - type: object - properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action - type: string - expiration: - type: string - latestErrors: - description: >- - latest errors that happened when the agents executed - the action - items: - type: object - properties: - agentId: - type: string - error: - type: string - timestamp: - type: string - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: string - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - POLICY_REASSIGN - - UPGRADE - - UNENROLL - - FORCE_UNENROLL - - UPDATE_TAGS - - CANCEL - - REQUEST_DIAGNOSTICS - - SETTINGS - - POLICY_CHANGE - - INPUT_ACTION - type: string - version: - description: agent version number (UPGRADE action) - type: string - required: - - actionId - - complete - - nbAgentsActioned - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - status - - creationTime - - type - type: array - required: - - items - description: OK + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent action status + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Delete an endpoint exception list item tags: - - Elastic Agent actions - /api/fleet/agents/actions/{actionId}/cancel: - parameters: - - in: path - name: actionId - required: true - schema: - type: string - post: - operationId: agent-action-cancel + - Security Endpoint Exceptions API + get: + description: >- + Get the details of an endpoint exception list item using the `id` or + `item_id` field. + operationId: ReadEndpointListItem parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_action' - description: OK + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + type: array + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Cancel agent action + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get an endpoint exception list item tags: - - Elastic Agent actions - /api/fleet/agents/bulk_reassign: + - Security Endpoint Exceptions API post: - operationId: bulk-reassign-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: >- + Create an endpoint exception list item, and associate it with the + endpoint exception list. + operationId: CreateEndpointListItem requestBody: content: application/json; Elastic-Api-Version=2023-10-31: - example: - agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' - policy_id: policy_id schema: type: object properties: - agents: - oneOf: - - description: KQL query string, leave empty to action all agents - type: string - - description: list of agent IDs - items: - type: string - type: array - policy_id: - description: new agent policy id - type: string + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType required: - - policy_id - - agents + - type + - name + - description + - entries + description: Exception list item's properties + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - actionId: - type: string - description: OK + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk reassign agents + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item already exists + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an endpoint exception list item tags: - - Elastic Agents - /api/fleet/agents/bulk_request_diagnostics: - post: - operationId: bulk-request-diagnostics - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - Security Endpoint Exceptions API + put: + description: >- + Update an endpoint exception list item using the `id` or `item_id` + field. + operationId: UpdateEndpointListItem requestBody: content: application/json; Elastic-Api-Version=2023-10-31: - example: - agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' schema: type: object properties: - additional_metrics: - items: - oneOf: - - enum: - - CPU - type: string - type: array - agents: - oneOf: - - description: KQL query string, leave empty to action all agents - type: string - - description: list of agent IDs - items: - type: string - type: array - batchSize: - type: number + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType required: - - agents + - type + - name + - description + - entries + description: Exception list item's properties + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - actionId: - type: string - description: OK + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk request diagnostics from agents + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Update an endpoint exception list item tags: - - Elastic Agents - /api/fleet/agents/bulk_unenroll: - post: - operationId: bulk-unenroll-agents + - Security Endpoint Exceptions API + /api/endpoint_list/items/_find: + get: + description: Get a list of all endpoint exception list items. + operationId: FindEndpointListItems parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - force: false - revoke: true - schema: - type: object - properties: - agents: - oneOf: - - description: KQL query string, leave empty to action all agents - type: string - - description: list of agent IDs - items: - type: string - type: array - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: >- - When passing agents by KQL query, unenrolls inactive agents - too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string responses: '200': content: @@ -7216,731 +7515,596 @@ paths: schema: type: object properties: - actionId: + data: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + pit: type: string - description: OK + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk unenroll agents + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get endpoint exception list items tags: - - Elastic Agents - /api/fleet/agents/bulk_update_agent_tags: - post: - operationId: bulk-update-agent-tags + - Security Endpoint Exceptions API + /api/endpoint/action: + get: + description: Get a list of all response actions. + operationId: EndpointGetActionsList parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - tagsToAdd: - - newTag - tagsToRemove: - - existingTag - schema: - type: object - properties: - agents: - oneOf: - - description: KQL query string, leave empty to action all agents - type: string - - description: list of agent IDs - items: - type: string - type: array - batchSize: - type: number - tagsToAdd: - items: - type: string - type: array - tagsToRemove: - items: - type: string - type: array - required: - - agents + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - actionId: - type: string + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk update agent tags + summary: Get response actions tags: - - Elastic Agents - /api/fleet/agents/bulk_upgrade: - post: - operationId: bulk-upgrade-agents + - Security Endpoint Management API + /api/endpoint/action_log/{agent_id}: + get: + deprecated: true + description: Get an action request log for the specified agent ID. + operationId: EndpointGetActionLog parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - rollout_duration_seconds: 3600 - source_uri: https://artifacts.elastic.co/downloads/beats/elastic-agent - start_time: '2022-08-03T14:00:00.000Z' - version: 8.4.0 - schema: - $ref: '#/components/schemas/Fleet_bulk_upgrade_agents' - required: true + - in: path + name: agent_id + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionLogRequestQuery responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - actionId: - type: string + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk upgrade agents + summary: Get an action request log tags: - - Elastic Agents - /api/fleet/agents/files/{fileId}: - delete: - operationId: delete-agent-upload-file + - Security Endpoint Management API + /api/endpoint/action_status: + get: + description: Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + agent_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - body: - type: object - properties: - deleted: - type: boolean - id: - type: string + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete file uploaded by agent + summary: Get response actions status tags: - - Elastic Agents - parameters: - - in: path - name: fileId - required: true - schema: - type: string - /api/fleet/agents/files/{fileId}/{fileName}: + - Security Endpoint Management API + /api/endpoint/action/{action_id}: get: - operationId: get-agent-upload-file + description: Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - in: path + name: action_id + required: true + schema: + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - body: - type: object - properties: - items: - type: object - properties: - body: {} - headers: {} + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get file uploaded by agent + summary: Get action details tags: - - Elastic Agents - parameters: - - in: path - name: fileId - required: true - schema: - type: string - - in: path - name: fileName - required: true - schema: - type: string - /api/fleet/agents/setup: + - Security Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}: get: - operationId: get-agents-setup-status + description: Get information for the specified file using the file ID. + operationId: EndpointFileInfo + parameters: + - in: path + name: action_id + required: true + schema: + type: string + - in: path + name: file_id + required: true + schema: + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_fleet_status_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent setup info + summary: Get file information tags: - - Elastic Agents - post: - operationId: setup-agents + - Security Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}/download: + get: + description: Download a file from an endpoint. + operationId: EndpointFileDownload parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - admin_password: - type: string - admin_username: - type: string - required: - - admin_username - - admin_password + - in: path + name: action_id + required: true + schema: + type: string + - in: path + name: file_id + required: true + schema: + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_fleet_setup_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Initiate agent setup + summary: Download a file tags: - - Elastic Agents - /api/fleet/agents/tags: - get: - operationId: get-agent-tags + - Security Endpoint Management API + /api/endpoint/action/execute: + post: + description: Run a shell command on an endpoint. + operationId: EndpointExecuteAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_get_agent_tags_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent tags + summary: Run a command tags: - - Elastic Agents - /api/fleet/data_streams: - get: - operationId: data-streams-list + - Security Endpoint Management API + /api/endpoint/action/get_file: + post: + description: Get a file from an endpoint. + operationId: EndpointGetFileAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - data_streams: - items: - $ref: '#/components/schemas/Fleet_data_stream' - type: array + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List data streams + summary: Get a file tags: - - Data streams - parameters: [] - /api/fleet/enrollment_api_keys: - get: - operationId: get-enrollment-api-keys - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' + - Security Endpoint Management API + /api/endpoint/action/isolate: + post: + description: >- + Isolate an endpoint from the network. The endpoint remains isolated + until it's released. + operationId: EndpointIsolateAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - page - - perPage - - total + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List enrollment API keys + summary: Isolate an endpoint tags: - - Fleet enrollment API keys + - Security Endpoint Management API + /api/endpoint/action/kill_process: post: - operationId: create-enrollment-api-keys - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - name: - description: The name of the enrollment API key. Must be unique. - type: string - policy_id: - description: >- - The ID of the agent policy the Elastic Agent will be - enrolled in. - type: string - required: - - policy_id + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - action: - enum: - - created - type: string - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create enrollment API key + summary: Terminate a process tags: - - Fleet enrollment API keys - /api/fleet/enrollment_api_keys/{keyId}: - delete: - operationId: delete-enrollment-api-key - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - Security Endpoint Management API + /api/endpoint/action/running_procs: + post: + description: Get a list of all processes running on an endpoint. + operationId: EndpointGetProcessesAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Revoke enrollment API key by ID by marking it as inactive + summary: Get running processes tags: - - Fleet enrollment API keys + - Security Endpoint Management API + /api/endpoint/action/scan: + post: + description: Scan a specific file or directory on an endpoint for malware. + operationId: EndpointScanAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse + description: OK + summary: Scan a file or directory + tags: + - Security Endpoint Management API + /api/endpoint/action/state: get: - operationId: get-enrollment-api-key + description: >- + Get a response actions state, which reports whether encryption is + enabled. + operationId: EndpointGetActionsState responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - required: - - item + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get enrollment API key by ID + summary: Get actions state tags: - - Fleet enrollment API keys - parameters: - - in: path - name: keyId + - Security Endpoint Management API + /api/endpoint/action/suspend_process: + post: + description: Suspend a running process on an endpoint. + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody required: true - schema: - type: string - /api/fleet/enrollment-api-keys: - get: - deprecated: true - operationId: get-enrollment-api-keys-deprecated - parameters: [] responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - page - - perPage - - total + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List enrollment API keys + summary: Suspend a process tags: - - Fleet enrollment API keys + - Security Endpoint Management API + /api/endpoint/action/unisolate: post: - deprecated: true - operationId: create-enrollment-api-keys-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: Release an isolated endpoint, allowing it to rejoin a network. + operationId: EndpointUnisolateAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - action: - enum: - - created - type: string - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create enrollment API key + summary: Release an isolated endpoint tags: - - Fleet enrollment API keys - /api/fleet/enrollment-api-keys/{keyId}: - delete: - deprecated: true - operationId: delete-enrollment-api-key-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - Security Endpoint Management API + /api/endpoint/action/upload: + post: + description: Upload a file to an endpoint. + operationId: EndpointUploadAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete enrollment API key by ID + summary: Upload a file tags: - - Fleet enrollment API keys + - Security Endpoint Management API + /api/endpoint/metadata: get: - deprecated: true - operationId: get-enrollment-api-key-deprecated + operationId: GetEndpointMetadataList + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ListRequestQuery responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - required: - - item + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get enrollment API key by ID + summary: Get a metadata list tags: - - Fleet enrollment API keys - parameters: - - in: path - name: keyId - required: true - schema: - type: string - /api/fleet/epm/bulk_assets: - post: - operationId: bulk-get-assets - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - assetIds: - description: list of items necessary to fetch assets - items: - type: object - properties: - id: - type: string - type: - type: string - type: array - required: - - assetIds + - Security Endpoint Management API + /api/endpoint/metadata/{id}: + get: + operationId: GetEndpointMetadata + parameters: + - in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_get_bulk_assets_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get assets + summary: Get metadata tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/categories: + - Security Endpoint Management API + /api/endpoint/metadata/transforms: get: - operationId: get-package-categories + operationId: GetEndpointMetadataTransform responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_get_categories_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List package categories + summary: Get metadata transforms tags: - - Elastic Package Manager (EPM) - parameters: - - description: >- - Whether to include prerelease packages in categories count (e.g. beta, - rc, preview) - in: query - name: prerelease - schema: - default: false - type: boolean - - deprecated: true - in: query - name: experimental - schema: - default: false - type: boolean - - in: query - name: include_policy_templates - schema: - default: false - type: boolean - /api/fleet/epm/packages: + - Security Endpoint Management API + /api/endpoint/policy_response: get: - operationId: list-all-packages + operationId: GetPolicyResponse parameters: - - description: >- - Whether to exclude the install status of each package. Enabling this - option will opt in to caching for the response via `cache-control` - headers. If you don't need up-to-date installation info for a - package, and are querying for a list of available packages, - providing this flag can improve performance substantially. - in: query - name: excludeInstallStatus - schema: - default: false - type: boolean - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - - deprecated: true - in: query - name: experimental - schema: - default: false - type: boolean - in: query - name: category + name: query + required: true schema: - type: string + type: object + properties: + agentId: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_get_packages_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List packages + summary: Get a policy response tags: - - Elastic Package Manager (EPM) - post: - description: '' - operationId: install-package-by-upload + - Security Endpoint Management API + /api/endpoint/policy/summaries: + get: + deprecated: true + operationId: GetAgentPolicySummary parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors + - in: query + name: query + required: true schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover + type: object + properties: + package_name: + type: string + policy_id: + nullable: true + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get an agent policy summary + tags: + - Security Endpoint Management API + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + operationId: GetProtectionUpdatesNote + parameters: + - in: path + name: package_policy_id + required: true schema: - default: false - type: boolean - requestBody: - content: - application/gzip; Elastic-Api-Version=2023-10-31: - schema: - format: binary - type: string - application/zip; Elastic-Api-Version=2023-10-31: - schema: - format: binary - type: string + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - _meta: - type: object - properties: - install_source: - enum: - - upload - - registry - - bundled - type: string - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '429': - $ref: '#/components/responses/Fleet_error' - summary: Install by package by direct upload + summary: Get a protection updates note tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk: + - Security Endpoint Management API post: - operationId: bulk-install-packages + operationId: CreateUpdateProtectionUpdatesNote parameters: - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease + - in: path + name: package_policy_id + required: true schema: - default: false - type: boolean + type: string requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - force: - description: force install to ignore package verification errors - type: boolean - packages: - description: list of packages to install - items: - oneOf: - - description: package name - type: string - - type: object - properties: - name: - description: package name - type: string - version: - description: package version - type: string - type: array - required: - - packages + note: + type: string + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_bulk_install_packages_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk install packages + summary: Create or update a protection updates note tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgkey}: - delete: - deprecated: true - operationId: delete-package-deprecated + - Security Endpoint Management API + /api/endpoint/suggestions/{suggestion_type}: + post: + operationId: GetEndpointSuggestions parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - in: path - name: pkgkey + name: suggestion_type required: true schema: + enum: + - eventFilters type: string requestBody: content: @@ -7948,8 +8112,29 @@ paths: schema: type: object properties: - force: - type: boolean + field: + type: string + fieldMeta: {} + filters: {} + query: + type: string + required: + - parameters + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get suggestions + tags: + - Security Endpoint Management API + /api/entity_store/engines: + get: + operationId: ListEntityEngines responses: '200': content: @@ -7957,109 +8142,110 @@ paths: schema: type: object properties: - response: + count: + type: integer + engines: items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor type: array - required: - - response - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete ackage + description: Successful response + summary: List the Entity Engines tags: - - Elastic Package Manager (EPM) - get: - deprecated: true - operationId: get-package-deprecated + - Security Entity Analytics API + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityEngine parameters: - - in: path - name: pkgkey + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType required: true schema: - type: string - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: Control flag to also delete the entity data. in: query - name: prerelease + name: data + required: false schema: - default: false type: boolean responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - allOf: - - properties: - response: - $ref: '#/components/schemas/Fleet_package_info' - - properties: - savedObject: - type: string - status: - enum: - - installed - - installing - - install_failed - - not_installed - type: string - required: - - status - - savedObject type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package + properties: + deleted: + type: boolean + description: Successful response + summary: Delete the Entity Engine tags: - - Elastic Package Manager (EPM) - post: - deprecated: true - description: '' - operationId: install-package-deprecated + - Security Entity Analytics API + get: + operationId: GetEntityEngine parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgkey + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType required: true schema: - type: string - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors - schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + description: Successful response + summary: Get an Entity Engine + tags: + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/init: + post: + operationId: InitEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType + required: true schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - force: - type: boolean + filter: + type: string + indexPattern: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_IndexPattern + description: Schema for the engine initialization + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + description: Successful response + summary: Initialize an Entity Engine + tags: + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/start: + post: + operationId: StartEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: @@ -8067,49 +8253,22 @@ paths: schema: type: object properties: - response: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - response - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Install package + started: + type: boolean + description: Successful response + summary: Start an Entity Engine tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}: - delete: - operationId: delete-package + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/stats: + post: + operationId: GetEntityEngineStats parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: delete package even if policies used by agents - in: query - name: force + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType + required: true schema: - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - deprecated: true - type: object - properties: - force: - type: boolean + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: @@ -8117,130 +8276,94 @@ paths: schema: type: object properties: - items: + indexPattern: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_IndexPattern + indices: items: type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package + status: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineStatus + transforms: + items: + type: object + type: array + type: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityType + description: Successful response + summary: Get Entity Engine stats tags: - - Elastic Package Manager (EPM) - get: - operationId: get-package + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/stop: + post: + operationId: StopEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - allOf: - - properties: - item: - $ref: '#/components/schemas/Fleet_package_info' - - properties: - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - licensePath: - type: string - notice: - type: string - savedObject: - deprecated: true - type: object - status: - enum: - - installed - - installing - - install_failed - - not_installed - type: string - required: - - status - - savedObject type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package + properties: + stopped: + type: boolean + description: Successful response + summary: Stop an Entity Engine tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - description: Ignore if the package is fails signature verification - in: query - name: ignoreUnverified - schema: - type: boolean - - description: >- - Return all fields from the package manifest, not just those supported - by the Elastic Package Registry - in: query - name: full - schema: - type: boolean - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - post: - description: '' - operationId: install-package + - Security Entity Analytics API + /api/entity_store/entities/list: + get: + description: List entities records, paging, sorting and filtering as needed. + operationId: ListEntities parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors + - in: query + name: sort_field + required: false schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update + type: string + - in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. in: query - name: skipDataStreamRollover + name: filterQuery + required: false schema: - default: false - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - ignore_constraints: - type: boolean + type: string + - in: query + name: entities_types + required: true + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array responses: '200': content: @@ -8248,559 +8371,597 @@ paths: schema: type: object properties: - _meta: - type: object - properties: - install_source: - enum: - - registry - - upload - - bundled - type: string - items: + inspect: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_InspectQuery + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_Entity type: array + total: + minimum: 0 + type: integer required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Install package + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities tags: - - Elastic Package Manager (EPM) - put: - description: '' - operationId: update-package - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - keepPoliciesUpToDate: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: - get: - operationId: packages-get-file + - Security Entity Analytics API + /api/exception_lists: + delete: + description: Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList + parameters: + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - body: - type: object - headers: - type: object - statusCode: - type: number - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package file + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: path - name: filePath - required: true - schema: - type: string - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: - post: - description: '' - operationId: reauthorize-transforms + - Security Exceptions API + get: + description: Get the details of an exception list using the `id` or `list_id` field. + operationId: ReadExceptionList parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false schema: - type: string - - description: >- - Whether to include prerelease packages in categories count (e.g. - beta, rc, preview) + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Either `id` or `list_id` must be specified in: query - name: prerelease + name: list_id + required: false schema: - default: false - type: boolean + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list details + tags: + - Security Exceptions API + post: + description: > + An exception list groups exception items and can be associated with + detection rules. You can assign detection rules with multiple exception + lists. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - transforms: - items: - type: object - properties: - transformId: - type: string - type: array + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListVersion + default: 1 + required: + - name + - description + - type + description: Exception list's properties + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - type: object - properties: - error: - type: string - success: - type: boolean - transformId: - type: string - required: - - transformId - - error - type: array - required: - - items - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Authorize transforms - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/stats: - get: - operationId: get-package-stats - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - response: - $ref: '#/components/schemas/Fleet_package_usage_stats' - required: - - response - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package stats - tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - /api/fleet/epm/packages/limited: - get: - operationId: list-limited-packages - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - type: string - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get limited package list - tags: - - Elastic Package Manager (EPM) - parameters: [] - /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: - get: - operationId: get-inputs-template - responses: - '200': - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get inputs template - tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - description: Format of response - json or yaml - in: query - name: format - schema: - enum: - - json - - yaml - - yml - type: string - - description: Specify if version is prerelease - in: query - name: prerelease - schema: - type: boolean - - description: Ignore if the package is fails signature verification - in: query - name: ignoreUnverified - schema: - type: boolean - /api/fleet/epm/verification_key_id: - get: - operationId: packages-get-verification-key-id - responses: - '200': + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - body: - type: object - properties: - id: - description: >- - the key ID of the GPG key used to verify package - signatures - nullable: true - type: string - headers: - type: object - statusCode: - type: number - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package signature verification key ID - tags: - - Elastic Package Manager (EPM) - parameters: [] - /api/fleet/fleet_server_hosts: - get: - operationId: get-fleet-server-hosts - responses: - '200': + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_fleet_server_host' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List Fleet Server hosts + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list tags: - - Fleet Server hosts - post: - operationId: post-fleet-server-hosts + - Security Exceptions API + put: + description: Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - host_urls: - items: - type: string - type: array - id: + _version: type: string - is_default: - type: boolean - is_internal: - type: boolean + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListMeta name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this fleet server host. See - the proxies API for more information. - type: string + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListTags + type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListVersion required: - name - - host_urls + - description + - type + description: Exception list's properties + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Create Fleet Server host - tags: - - Fleet Server hosts - /api/fleet/fleet_server_hosts/{itemId}: - delete: - operationId: delete-fleet-server-hosts - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete Fleet Server host by ID - tags: - - Fleet Server hosts - get: - operationId: get-one-fleet-server-hosts - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get Fleet Server host by ID + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list tags: - - Fleet Server hosts - parameters: - - in: path - name: itemId - required: true - schema: - type: string - put: - operationId: update-fleet-server-hosts + - Security Exceptions API + /api/exception_lists/_duplicate: + post: + description: Duplicate an existing exception list. + operationId: DuplicateExceptionList parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host_urls: - items: - type: string - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this fleet server host. See - the proxies API for more information. - nullable: true - type: string + - description: Exception list's human identifier + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - required: - - item - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Update Fleet Server host by ID - tags: - - Fleet Server hosts - /api/fleet/health_check: - post: - operationId: fleet-server-health-check - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - deprecated: true - type: string - id: - type: string - required: - - id - required: true - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - host: - deprecated: true - type: string - id: - description: Fleet Server host id - type: string - status: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Fleet Server health check + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list to duplicate not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Duplicate an exception list tags: - - Fleet internals - /api/fleet/kubernetes: - get: - operationId: get-full-k8s-manifest + - Security Exceptions API + /api/exception_lists/_export: + post: + description: Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList parameters: - - in: query - name: download - required: false + - description: Exception list's identifier + in: query + name: id + required: true schema: - type: boolean - - in: query - name: fleetServer - required: false + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human identifier + in: query + name: list_id + required: true schema: - type: string + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - in: query - name: enrolToken - required: false + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true schema: + default: 'true' + enum: + - 'true' + - 'false' type: string responses: '200': content: - application/json; Elastic-Api-Version=2023-10-31: + application/ndjson; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - type: string - description: OK + description: >- + A `.ndjson` file containing specified exception list and its + items + format: binary + type: string + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Get full K8s agent manifest - tags: - - Fleet Kubernetes - /api/fleet/logstash_api_keys: - post: - operationId: generate-logstash-api-key - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - api_key: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Generate Logstash API key + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Export an exception list tags: - - Fleet outputs - /api/fleet/outputs: + - Security Exceptions API + /api/exception_lists/_find: get: - operationId: get-outputs + description: Get a list of all exception lists. + operationId: FindExceptionLists + parameters: + - description: > + Filters the returned results according to the value of the specified + field. + + + Uses the `so type.field name:field` value syntax, where `so type` + can be: + + + - `exception-list`: Specify a space-aware exception list. + + - `exception-list-agnostic`: Specify an exception list that is + shared across spaces. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + minimum: 1 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string responses: '200': content: @@ -8808,29 +8969,112 @@ paths: schema: type: object properties: - items: + data: items: - $ref: '#/components/schemas/Fleet_output_create_request' + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionList type: array page: + minimum: 1 type: integer - perPage: + per_page: + minimum: 1 type: integer total: + minimum: 0 type: integer - description: OK + required: + - data + - page + - per_page + - total + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: List outputs + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception lists tags: - - Fleet outputs + - Security Exceptions API + /api/exception_lists/_import: post: - operationId: post-outputs + description: Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList + parameters: + - description: > + Determines whether existing exception lists with the same `list_id` + are overwritten. + + If any exception items have the same `item_id`, those are also + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: > + Determines whether the list being imported will have a new `list_id` + generated. + + Additional `item_id`'s are generated for each exception item. Both + the exception + + list and its items are overwritten. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean requestBody: content: - application/json; Elastic-Api-Version=2023-10-31: + multipart/form-data; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_output_create_request' + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + format: binary + type: string required: true responses: '200': @@ -8839,473 +9083,784 @@ paths: schema: type: object properties: - item: - $ref: '#/components/schemas/Fleet_output_create_request' - description: OK + errors: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean + required: + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Create output - tags: - - Fleet outputs - /api/fleet/outputs/{outputId}: - delete: - operationId: delete-output - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete output by ID - tags: - - Fleet outputs - get: - operationId: get-output - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_output_create_request' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get output by ID + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Import an exception list tags: - - Fleet outputs - parameters: - - in: path - name: outputId - required: true - schema: - type: string - put: - operationId: update-output + - Security Exceptions API + /api/exception_lists/items: + delete: + description: Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_output_update_request' + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_output_update_request' - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Update output by ID - tags: - - Fleet outputs - /api/fleet/outputs/{outputId}/health: - get: - operationId: get-output-health - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: state of output, HEALTHY or DEGRADED - type: string - timestamp: - description: timestamp of reported state - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get latest output health + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list item tags: - - Fleet outputs - parameters: - - in: path - name: outputId - required: true - schema: - type: string - /api/fleet/package_policies: + - Security Exceptions API get: - operationId: get-package-policies + description: >- + Get the details of an exception list item using the `id` or `item_id` + field. + operationId: ReadExceptionListItem parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_format' + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_package_policy' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: List package policies - tags: - - Fleet package policies - parameters: [] - post: - operationId: create-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_package_policy_request' - description: >- - You should use inputs as an object and not use the deprecated inputs - array. - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '409': - $ref: '#/components/responses/Fleet_error' - summary: Create package policy + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list item tags: - - Fleet package policies - /api/fleet/package_policies/_bulk_get: + - Security Exceptions API post: - operationId: bulk-get-package-policies - parameters: - - $ref: '#/components/parameters/Fleet_format' + description: > + Create an exception item and associate it with the specified exception + list. + + > info + + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - ids: - description: list of package policy ids - items: - type: string - type: array - ignoreMissing: - type: boolean + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemType required: - - ids + - list_id + - type + - name + - description + - entries + description: Exception list item's properties + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_package_policy' - type: array - required: - - items - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get package policies - tags: - - Fleet package policies - /api/fleet/package_policies/{packagePolicyId}: - delete: - operationId: delete-package-policy - parameters: - - in: query - name: force - schema: - type: boolean - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package policy by ID - tags: - - Fleet package policies - get: - operationId: get-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_format' - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package policy by ID - tags: - - Fleet package policies - parameters: - - in: path - name: packagePolicyId - required: true - schema: - type: string - put: - operationId: update-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_package_policy_request' - responses: - '200': + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update package policy by ID - tags: - - Fleet package policies - /api/fleet/package_policies/delete: - post: - operationId: post-delete-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - packagePolicyIds: - items: - type: string - type: array - required: - - packagePolicyIds - responses: - '200': + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': content: application/json; Elastic-Api-Version=2023-10-31: schema: - items: - type: object - properties: - id: - type: string - name: - type: string - success: - type: boolean - required: - - id - - success - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package policy - tags: - - Fleet package policies - /api/fleet/package_policies/upgrade: - post: - operationId: upgrade-package-policy - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - packagePolicyIds: - items: - type: string - type: array - required: - - packagePolicyIds - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item already exists response + '500': content: application/json; Elastic-Api-Version=2023-10-31: schema: - items: - type: object - properties: - id: - type: string - name: - type: string - success: - type: boolean - required: - - id - - success - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '409': - $ref: '#/components/responses/Fleet_error' - summary: Upgrade package policy to a newer package version + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list item tags: - - Fleet package policies - /api/fleet/package_policies/upgrade/dryrun: - post: - operationId: upgrade-package-policy-dry-run + - Security Exceptions API + put: + description: Update an exception list item using the `id` or `item_id` field. + operationId: UpdateExceptionListItem requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - packagePolicyIds: - items: - type: string - type: array - packageVersion: + _version: type: string + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemType required: - - packagePolicyIds + - type + - name + - description + - entries + description: Exception list item's properties + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - items: - type: object - properties: - agent_diff: - $ref: '#/components/schemas/Fleet_upgrade_agent_diff' - diff: - $ref: '#/components/schemas/Fleet_upgrade_diff' - hasErrors: - type: boolean - required: - - hasErrors - type: array - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Dry run package policy upgrade - tags: - - Fleet package policies - /api/fleet/proxies: - get: - operationId: get-fleet-proxies - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_proxies' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List proxies + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list item tags: - - Fleet proxies - post: - operationId: post-fleet-proxies - requestBody: + - Security Exceptions API + /api/exception_lists/items/_find: + get: + description: Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + type: array + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query + name: filter + required: false + schema: + default: [] + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter + type: array + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + type: array + - in: query + name: search + required: false + schema: + type: string + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItem + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list items + tags: + - Security Exceptions API + /api/exception_lists/summary: + get: + description: Get a summary of the specified exception list. + operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human readable identifier + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list summary + tags: + - Security Exceptions API + /api/exceptions/shared: + post: + description: > + An exception list groups exception items and can be associated with + detection rules. A shared exception list can apply to multiple detection + rules. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList + requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName + required: + - name + - description + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create a shared exception list + tags: + - Security Exceptions API + /api/fleet/agent_download_sources: + get: + operationId: get-download-sources + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_download_sources' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent binary download sources + tags: + - Elastic Agent binary download sources + post: + operationId: post-download-sources + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: type: string id: type: string + is_default: + type: boolean name: type: string - proxy_headers: - type: object - url: - type: string required: - name - - url + - host + - is_default responses: '200': content: @@ -9314,16 +9869,16 @@ paths: type: object properties: item: - $ref: '#/components/schemas/Fleet_proxies' + $ref: '#/components/schemas/Fleet_download_sources' description: OK '400': $ref: '#/components/responses/Fleet_error' - summary: Create proxy + summary: Create agent binary download source tags: - - Fleet proxies - /api/fleet/proxies/{itemId}: + - Elastic Agent binary download sources + /api/fleet/agent_download_sources/{sourceId}: delete: - operationId: delete-fleet-proxies + operationId: delete-download-source parameters: - $ref: '#/components/parameters/Fleet_kbn_xsrf' responses: @@ -9340,11 +9895,11 @@ paths: description: OK '400': $ref: '#/components/responses/Fleet_error' - summary: Delete proxy by ID + summary: Delete agent binary download source by ID tags: - - Fleet proxies + - Elastic Agent binary download sources get: - operationId: get-one-fleet-proxies + operationId: get-one-download-source responses: '200': content: @@ -9353,23 +9908,23 @@ paths: type: object properties: item: - $ref: '#/components/schemas/Fleet_proxies' + $ref: '#/components/schemas/Fleet_download_sources' required: - item description: OK '400': $ref: '#/components/responses/Fleet_error' - summary: Get proxy by ID + summary: Get agent binary download source by ID tags: - - Fleet proxies + - Elastic Agent binary download sources parameters: - in: path - name: itemId + name: sourceId required: true schema: type: string put: - operationId: update-fleet-proxies + operationId: update-download-source parameters: - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: @@ -9378,18 +9933,16 @@ paths: schema: type: object properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: + host: type: string + is_default: + type: boolean name: type: string - proxy_headers: - type: object - url: - type: string + required: + - name + - is_default + - host responses: '200': content: @@ -9398,20 +9951,40 @@ paths: type: object properties: item: - $ref: '#/components/schemas/Fleet_proxies' + $ref: '#/components/schemas/Fleet_download_sources' required: - item description: OK '400': $ref: '#/components/responses/Fleet_error' - summary: Update proxy by ID + summary: Update agent binary download source by ID tags: - - Fleet proxies - /api/fleet/service_tokens: - post: - operationId: generate-service-token + - Elastic Agent binary download sources + /api/fleet/agent_policies: + get: + description: '' + operationId: agent-policy-list parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_format' + - description: >- + When set to true, retrieve the related package policies for each + agent policy. + in: query + name: full + schema: + type: boolean + - description: >- + When set to true, do not count how many agents are in the agent + policy, this can improve performance if you are searching over a + large number of agent policies. The "agents" property will always be + 0 if set to true. + in: query + name: noAgentCount + schema: + type: boolean responses: '200': content: @@ -9419,22 +9992,36 @@ paths: schema: type: object properties: - name: - type: string - value: - type: string + items: + items: + $ref: '#/components/schemas/Fleet_agent_policy' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage description: OK '400': $ref: '#/components/responses/Fleet_error' - summary: Create service token + summary: List agent policies tags: - - Fleet service tokens - /api/fleet/service-tokens: + - Elastic Agent policies post: - deprecated: true - operationId: generate-service-token-deprecated + operationId: create-agent-policy parameters: - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_policy_create_request' responses: '200': content: @@ -9442,105 +10029,289 @@ paths: schema: type: object properties: - name: - type: string - value: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent policy + tags: + - Elastic Agent policies + /api/fleet/agent_policies/_bulk_get: + post: + operationId: bulk-get-agent-policies + parameters: + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + full: + description: get full policies with package policies populated + type: boolean + ids: + description: list of agent policy ids + items: type: string + type: array + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_agent_policy' + type: array + required: + - items description: OK '400': $ref: '#/components/responses/Fleet_error' - summary: Create service token + summary: Bulk get agent policies tags: - - Fleet service tokens - /api/fleet/settings: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}: get: - operationId: get-settings + description: Get one agent policy + operationId: agent-policy-info + parameters: [] responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_fleet_settings_response' + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item description: OK '400': $ref: '#/components/responses/Fleet_error' - summary: Get settings + summary: Get agent policy by ID tags: - - Fleet internals + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - $ref: '#/components/parameters/Fleet_format' put: - operationId: update-settings + operationId: update-agent-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - additional_yaml_config: - type: string - fleet_server_hosts: - description: Protocol and path must be the same for each URL - items: - type: string - type: array - has_seen_add_data_notice: - type: boolean + $ref: '#/components/schemas/Fleet_agent_policy_update_request' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_fleet_settings_response' + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item description: OK '400': $ref: '#/components/responses/Fleet_error' - summary: Update settings + summary: Update agent policy by ID tags: - - Fleet internals - /api/fleet/setup: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}/copy: + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - $ref: '#/components/parameters/Fleet_format' post: - operationId: setup + operationId: agent-policy-copy parameters: - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + type: string + name: + type: string + required: + - name + description: '' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_fleet_setup_response' + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item description: OK '400': $ref: '#/components/responses/Fleet_error' - '500': + summary: Copy agent policy by ID + tags: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + operationId: agent-policy-download + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - message: + item: type: string - description: Internal Server Error - summary: Initiate Fleet setup + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Download agent policy by ID tags: - - Fleet internals - /api/fleet/uninstall_tokens: - get: - operationId: get-uninstall-tokens - parameters: - - description: The number of items to return - in: query - name: perPage - required: false - schema: - default: 20 - minimum: 5 - type: integer - - $ref: '#/components/parameters/Fleet_page_index' - - description: Partial match filtering for policy IDs - in: query + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: download + required: false + schema: + type: string + - in: query + name: standalone + required: false + schema: + type: string + - in: query + name: kubernetes + required: false + schema: + type: string + /api/fleet/agent_policies/{agentPolicyId}/full: + get: + operationId: agent-policy-full + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + oneOf: + - type: string + - $ref: '#/components/schemas/Fleet_agent_policy_full' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get full agent policy by ID + tags: + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: download + required: false + schema: + type: string + - in: query + name: standalone + required: false + schema: + type: string + - in: query + name: kubernetes + required: false + schema: + type: string + /api/fleet/agent_policies/delete: + parameters: [] + post: + operationId: delete-agent-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + agentPolicyId: + type: string + force: + description: >- + bypass validation checks that can prevent agent policy + deletion + type: boolean + required: + - agentPolicyId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + success: + type: boolean + required: + - id + - success + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent policy by ID + tags: + - Elastic Agent policies + /api/fleet/agent_status: + get: + operationId: get-agent-status + parameters: + - in: query name: policyId required: false schema: type: string + - deprecated: true + in: query + name: kuery + required: false + schema: + type: string responses: '200': content: @@ -9548,47 +10319,57 @@ paths: schema: type: object properties: - items: - items: - type: object - properties: - created_at: - type: string - id: - type: string - policy_id: - type: string - required: - - id - - policy_id - - created_at - type: array - page: - type: number - perPage: - type: number + active: + type: integer + all: + type: integer + error: + type: integer + events: + type: integer + inactive: + type: integer + offline: + type: integer + online: + type: integer + other: + type: integer total: - type: number + deprecated: true + type: integer + unenrolled: + type: integer + updating: + type: integer required: - - items + - active + - all + - error + - events + - inactive + - offline + - online + - other - total - - page - - perPage + - updating description: OK '400': $ref: '#/components/responses/Fleet_error' - summary: List metadata for latest uninstall tokens per agent policy + summary: Get agent status summary tags: - - Fleet uninstall tokens - /api/fleet/uninstall_tokens/{uninstallTokenId}: + - Elastic Agent status + /api/fleet/agent_status/data: get: - operationId: get-uninstall-token + operationId: get-agent-data parameters: - - in: path - name: uninstallTokenId + - in: query + name: agentsIds required: true schema: - type: string + items: + type: string + type: array responses: '200': content: @@ -9596,5811 +10377,21848 @@ paths: schema: type: object properties: - item: - type: object - properties: - created_at: - type: string - id: - type: string - policy_id: - type: string - token: - type: string - required: - - id - - token - - policy_id - - created_at - required: - - item + items: + items: + additionalProperties: + type: object + properties: + data: + type: boolean + type: object + type: array description: OK '400': $ref: '#/components/responses/Fleet_error' - summary: Get one decrypted uninstall token by its ID + summary: Get incoming agent data tags: - - Fleet uninstall tokens - /api/ml/saved_objects/sync: + - Elastic Agent status + /api/fleet/agent-status: get: - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models. This API runs automatically when you start Kibana and - periodically thereafter. - operationId: mlSync + deprecated: true + operationId: get-agent-status-deprecated parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + - in: query + name: policyId + required: false + schema: + type: string responses: '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync machine learning saved objects - tags: - - ml - /api/saved_objects/_export: - post: - description: > - Retrieve sets of saved objects that you want to import into Kibana. - - You must include `type` or `objects` in the request body. - - - Exported saved objects are not backwards compatible and cannot be - imported into an older version of Kibana. - - - NOTE: The `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be exported. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: exportSavedObjectsDefault + type: object + properties: + error: + type: integer + events: + type: integer + inactive: + type: integer + offline: + type: integer + online: + type: integer + other: + type: integer + total: + type: integer + updating: + type: integer + required: + - error + - events + - inactive + - offline + - online + - other + - total + - updating + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent status summary + tags: + - Elastic Agent status + /api/fleet/agents: + get: + operationId: get-agents parameters: - - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_show_inactive' + - $ref: '#/components/parameters/Fleet_show_upgradeable' + - $ref: '#/components/parameters/Fleet_sort_field' + - $ref: '#/components/parameters/Fleet_sort_order' + - $ref: '#/components/parameters/Fleet_with_metrics' + - in: query + name: getStatusSummary + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_agents_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agents + tags: + - Elastic Agents + post: + operationId: get-agents-by-actions + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: - examples: - exportSavedObjectsRequest: - $ref: >- - #/components/examples/Serverless_saved_objects_export_objects_request schema: type: object properties: - excludeExportDetails: - default: false - description: Do not add export details entry at the end of the stream. - type: boolean - includeReferencesDeep: - description: >- - Includes all of the referenced objects in the exported - objects. - type: boolean - objects: - description: A list of objects to export. + actionIds: items: - type: object + type: string type: array - type: - description: >- - The saved object types to include in the export. Use `*` to - export all the types. - oneOf: - - type: string - - items: - type: string - type: array + required: + - policy_id required: true responses: '200': content: - application/x-ndjson; Elastic-Api-Version=2023-10-31: - examples: - exportSavedObjectsResponse: - $ref: >- - #/components/examples/Serverless_saved_objects_export_objects_response + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_get_by_actions' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agents by action ids + tags: + - Elastic Agents + /api/fleet/agents/{agentId}: + delete: + operationId: delete-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: true type: object - description: Indicates a successful call. + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent by ID + tags: + - Elastic Agents + get: + operationId: get-agent + parameters: + - $ref: '#/components/parameters/Fleet_with_metrics' + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Serverless_saved_objects_400_response' - description: Bad request. - summary: Export saved objects + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent by ID tags: - - saved objects - /api/saved_objects/_import: - post: - description: > - Create sets of Kibana saved objects from a file created by the export - API. - - Saved objects can be imported only into the same version, a newer minor - on the same major, or the next major. Exported saved objects are not - backwards compatible and cannot be imported into an older version of - Kibana. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: importSavedObjectsDefault + - Elastic Agents + parameters: + - in: path + name: agentId + required: true + schema: + type: string + put: + operationId: update-agent parameters: - - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' - - description: > - Creates copies of saved objects, regenerates each object ID, and - resets the origin. When used, potential conflict errors are avoided. - NOTE: This option cannot be used with the `overwrite` and - `compatibilityMode` options. - in: query - name: createNewCopies - required: false - schema: - type: boolean - - description: > - Overwrites saved objects when they already exist. When used, - potential conflict errors are automatically resolved by overwriting - the destination object. NOTE: This option cannot be used with the - `createNewCopies` option. - in: query - name: overwrite - required: false - schema: - type: boolean - - description: > - Applies various adjustments to the saved objects that are being - imported to maintain compatibility between different Kibana - versions. Use this option only if you encounter issues with imported - saved objects. NOTE: This option cannot be used with the - `createNewCopies` option. - in: query - name: compatibilityMode - required: false - schema: - type: boolean + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - examples: - importObjectsRequest: - $ref: >- - #/components/examples/Serverless_saved_objects_import_objects_request + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - file: - description: > - A file exported using the export API. NOTE: The - `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be included in - this file. Similarly, the - `savedObjects.maxImportPayloadBytes` setting limits the - overall size of the file that can be imported. + tags: + items: + type: string + type: array + user_provided_metadata: + type: object required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: - examples: - importObjectsResponse: - $ref: >- - #/components/examples/Serverless_saved_objects_import_objects_response schema: type: object properties: - errors: - description: > - Indicates the import was unsuccessful and specifies the - objects that failed to import. - - - NOTE: One object may result in multiple errors, which - requires separate steps to resolve. For instance, a - `missing_references` error and conflict error. - items: - type: object - type: array - success: - description: > - Indicates when the import was successfully completed. When - set to false, some objects may not have been created. For - additional information, refer to the `errors` and - `successResults` properties. - type: boolean - successCount: - description: Indicates the number of successfully imported records. - type: integer - successResults: - description: > - Indicates the objects that are successfully imported, with - any metadata if applicable. - - - NOTE: Objects are created only when all resolvable errors - are addressed, including conflicts and missing references. - If objects are created as new copies, each entry in the - `successResults` array includes a `destinationId` - attribute. + item: + $ref: '#/components/schemas/Fleet_agent' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update agent by ID + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/actions: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: new-agent-action + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + $ref: '#/components/schemas/Fleet_agent_action' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: items: - type: object + type: number type: array - description: Indicates a successful call. + headers: + type: string + statusCode: + type: number + description: OK '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent action + tags: + - Elastic Agent actions + /api/fleet/agents/{agentId}/reassign: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: reassign-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + policy_id: + type: string + required: + - policy_id + required: true + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Serverless_saved_objects_400_response' - description: Bad request. - summary: Import saved objects + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Reassign agent tags: - - saved objects - x-codeSamples: - - label: Import with createNewCopies - lang: cURL - source: | - curl \ - -X POST api/saved_objects/_import?createNewCopies=true - -H "kbn-xsrf: true" - --form file=@file.ndjson - /api/spaces/space: - get: - description: Get all spaces - operationId: '%2Fapi%2Fspaces%2Fspace#0' + - Elastic Agents + put: + deprecated: true + operationId: reassign-agent-deprecated parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - in: query - name: purpose - required: false - schema: - enum: - - any - - copySavedObjectsIntoSpace - - shareSavedObjectsIntoSpace - type: string - - in: query - name: include_authorized_purposes - required: true - schema: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - enum: - - false - type: boolean - x-oas-optional: true - - type: boolean - x-oas-optional: true - responses: {} - summary: '' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + policy_id: + type: string + required: + - policy_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Reassign agent tags: - - spaces + - Elastic Agents + /api/fleet/agents/{agentId}/request_diagnostics: + parameters: + - in: path + name: agentId + required: true + schema: + type: string post: - description: Create a space - operationId: '%2Fapi%2Fspaces%2Fspace#1' + operationId: request-diagnostics-agent parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: false type: object properties: - _reserved: - type: boolean - color: - type: string - description: - type: string - disabledFeatures: - default: [] + additional_metrics: items: - type: string + oneOf: + - enum: + - CPU + type: string type: array - id: - type: string - imageUrl: - type: string - initials: - maxLength: 2 - type: string - name: - minLength: 1 - type: string - required: - - id - - name - responses: {} - summary: '' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Request agent diagnostics tags: - - spaces - /api/spaces/space/{id}: - delete: - description: Delete a space - operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#2' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: id - required: true - schema: - type: string - responses: {} - summary: '' - tags: - - spaces - get: - description: Get a space - operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - in: path - name: id - required: true - schema: - type: string - responses: {} - summary: '' - tags: - - spaces - put: - description: Update a space - operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#1' + - Elastic Agents + /api/fleet/agents/{agentId}/unenroll: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: unenroll-agent parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: id - required: true - schema: - type: string + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: false type: object properties: - _reserved: + force: + type: boolean + revoke: type: boolean - color: - type: string - description: - type: string - disabledFeatures: - default: [] - items: - type: string - type: array - id: - type: string - imageUrl: - type: string - initials: - maxLength: 2 - type: string - name: - minLength: 1 - type: string - required: - - id - - name - responses: {} - summary: '' - tags: - - spaces - /api/status: - get: - operationId: '%2Fapi%2Fstatus#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: Set to "true" to get the response in v7 format. - in: query - name: v7format - required: false - schema: - type: boolean - - description: Set to "true" to get the response in v8 format. - in: query - name: v8format - required: false - schema: - type: boolean responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse - description: >- - Kibana's operational status. A minimal response is sent for - unauthorized users. - description: Overall status is OK and Kibana should be functioning normally. - '503': + type: object + description: OK + '400': content: application/json; Elastic-Api-Version=2023-10-31: schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse - description: >- - Kibana's operational status. A minimal response is sent for - unauthorized users. - description: >- - Kibana or some of it's essential services are unavailable. Kibana - may be degraded or unavailable. - summary: Get Kibana's current status + type: object + properties: + error: + type: string + message: + type: string + statusCode: + enum: + - 400 + type: number + description: BAD REQUEST + summary: Unenroll agent tags: - - system - /s/{spaceId}/api/observability/slos: - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: findSlosOp + - Elastic Agents + /api/fleet/agents/{agentId}/upgrade: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: upgrade-agent parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: A valid kql query to filter the SLO with - example: 'slo.name:latency* and slo.tags : "prod"' - in: query - name: kqlQuery - schema: - type: string - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - default: 1 - type: integer - - description: Number of SLOs returned by page - example: 25 - in: query - name: perPage - schema: - default: 25 - maximum: 5000 - type: integer - - description: Sort by field - example: status - in: query - name: sortBy - schema: - default: status - enum: - - sli_value - - status - - error_budget_consumed - - error_budget_remaining - type: string - - description: Sort order - example: asc - in: query - name: sortDirection - schema: - default: asc - enum: - - asc - - desc - type: string - - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings - in: query - name: hideStale - schema: - type: boolean + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_upgrade_agent' + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_find_slo_response' - description: Successful request + $ref: '#/components/schemas/Fleet_upgrade_agent' + description: OK '400': + $ref: '#/components/responses/Fleet_error' + summary: Upgrade agent + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/uploads: + get: + operationId: list-agent-uploads + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': + type: object + properties: + body: + type: object + properties: + item: + items: + $ref: '#/components/schemas/Fleet_agent_diagnostics' + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent uploads + tags: + - Elastic Agents + parameters: + - in: path + name: agentId + required: true + schema: + type: string + /api/fleet/agents/action_status: + get: + operationId: agents-action-status + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - in: query + name: errorSize + schema: + default: 5 + type: integer + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get a paginated list of SLOs + type: object + properties: + items: + items: + type: object + properties: + actionId: + type: string + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + latestErrors: + description: >- + latest errors that happened when the agents executed + the action + items: + type: object + properties: + agentId: + type: string + error: + type: string + timestamp: + type: string + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: string + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - POLICY_REASSIGN + - UPGRADE + - UNENROLL + - FORCE_UNENROLL + - UPDATE_TAGS + - CANCEL + - REQUEST_DIAGNOSTICS + - SETTINGS + - POLICY_CHANGE + - INPUT_ACTION + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - complete + - nbAgentsActioned + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - status + - creationTime + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent action status tags: - - slo + - Elastic Agent actions + /api/fleet/agents/actions/{actionId}/cancel: + parameters: + - in: path + name: actionId + required: true + schema: + type: string post: - description: > - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: createSloOp + operationId: agent-action-cancel parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_create_slo_request' - required: true + - $ref: '#/components/parameters/Fleet_kbn_xsrf' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_create_slo_response' - description: Successful request + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_action' + description: OK '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_409_response' - description: Conflict - The SLO id already exists - servers: - - url: https://localhost:5601 - summary: Create an SLO + $ref: '#/components/responses/Fleet_error' + summary: Cancel agent action tags: - - slo - /s/{spaceId}/api/observability/slos/_delete_instances: + - Elastic Agent actions + /api/fleet/agents/bulk_reassign: post: - description: > - The deletion occurs for the specified list of `sloId` and `instanceId`. - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloInstancesOp + operationId: bulk-reassign-agents parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: + example: + agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' + policy_id: policy_id schema: - $ref: '#/components/schemas/SLOs_delete_slo_instances_request' - required: true + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + policy_id: + description: new agent policy id + type: string + required: + - policy_id + - agents responses: - '204': - description: Successful request - '400': + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - servers: - - url: https://localhost:5601 - summary: Batch delete rollup and summary data + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk reassign agents tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}: - delete: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloOp + - Elastic Agents + /api/fleet/agents/bulk_request_diagnostics: + post: + operationId: bulk-request-diagnostics parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' + schema: + type: object + properties: + additional_metrics: + items: + oneOf: + - enum: + - CPU + type: string + type: array + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + batchSize: + type: number + required: + - agents responses: - '204': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Delete an SLO + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk request diagnostics from agents tags: - - slo - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: getSloOp + - Elastic Agents + /api/fleet/agents/bulk_unenroll: + post: + operationId: bulk-unenroll-agents parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - - description: the specific instanceId used by the summary calculation - example: host-abcde - in: query - name: instanceId - schema: - type: string + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + force: false + revoke: true + schema: + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: >- + When passing agents by KQL query, unenrolls inactive agents + too + type: boolean + revoke: + description: Revokes API keys of agents + type: boolean + required: + - agents responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - description: Successful request + type: object + properties: + actionId: + type: string + description: OK '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk unenroll agents + tags: + - Elastic Agents + /api/fleet/agents/bulk_update_agent_tags: + post: + operationId: bulk-update-agent-tags + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + tagsToAdd: + - newTag + tagsToRemove: + - existingTag + schema: + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + batchSize: + type: number + tagsToAdd: + items: + type: string + type: array + tagsToRemove: + items: + type: string + type: array + required: + - agents + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get an SLO + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk update agent tags tags: - - slo - put: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: updateSloOp + - Elastic Agents + /api/fleet/agents/bulk_upgrade: + post: + operationId: bulk-upgrade-agents parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + rollout_duration_seconds: 3600 + source_uri: https://artifacts.elastic.co/downloads/beats/elastic-agent + start_time: '2022-08-03T14:00:00.000Z' + version: 8.4.0 schema: - $ref: '#/components/schemas/SLOs_update_slo_request' + $ref: '#/components/schemas/Fleet_bulk_upgrade_agents' required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request + type: object + properties: + actionId: + type: string + description: OK '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk upgrade agents + tags: + - Elastic Agents + /api/fleet/agents/files/{fileId}: + delete: + operationId: delete-agent-upload-file + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': + type: object + properties: + body: + type: object + properties: + deleted: + type: boolean + id: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete file uploaded by agent + tags: + - Elastic Agents + parameters: + - in: path + name: fileId + required: true + schema: + type: string + /api/fleet/agents/files/{fileId}/{fileName}: + get: + operationId: get-agent-upload-file + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': + type: object + properties: + body: + type: object + properties: + items: + type: object + properties: + body: {} + headers: {} + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get file uploaded by agent + tags: + - Elastic Agents + parameters: + - in: path + name: fileId + required: true + schema: + type: string + - in: path + name: fileName + required: true + schema: + type: string + /api/fleet/agents/setup: + get: + operationId: get-agents-setup-status + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Update an SLO + $ref: '#/components/schemas/Fleet_fleet_status_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent setup info tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/_reset: + - Elastic Agents post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: resetSloOp + operationId: setup-agents parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + admin_password: + type: string + admin_username: + type: string + required: + - admin_username + - admin_password responses: - '204': + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request + $ref: '#/components/schemas/Fleet_fleet_setup_response' + description: OK '400': + $ref: '#/components/responses/Fleet_error' + summary: Initiate agent setup + tags: + - Elastic Agents + /api/fleet/agents/tags: + get: + operationId: get-agent-tags + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': + $ref: '#/components/schemas/Fleet_get_agent_tags_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent tags + tags: + - Elastic Agents + /api/fleet/data_streams: + get: + operationId: data-streams-list + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': + type: object + properties: + data_streams: + items: + $ref: '#/components/schemas/Fleet_data_stream' + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List data streams + tags: + - Data streams + parameters: [] + /api/fleet/enrollment_api_keys: + get: + operationId: get-enrollment-api-keys + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Reset an SLO + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - page + - perPage + - total + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List enrollment API keys tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/disable: + - Fleet enrollment API keys post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: disableSloOp + operationId: create-enrollment-api-keys parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + description: The name of the enrollment API key. Must be unique. + type: string + policy_id: + description: >- + The ID of the agent policy the Elastic Agent will be + enrolled in. + type: string + required: + - policy_id responses: '200': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Disable an SLO + type: object + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create enrollment API key tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/enable: + - Fleet enrollment API keys + /api/fleet/enrollment_api_keys/{keyId}: + delete: + operationId: delete-enrollment-api-key + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Revoke enrollment API key by ID by marking it as inactive + tags: + - Fleet enrollment API keys + get: + operationId: get-enrollment-api-key + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get enrollment API key by ID + tags: + - Fleet enrollment API keys + parameters: + - in: path + name: keyId + required: true + schema: + type: string + /api/fleet/enrollment-api-keys: + get: + deprecated: true + operationId: get-enrollment-api-keys-deprecated + parameters: [] + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - page + - perPage + - total + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List enrollment API keys + tags: + - Fleet enrollment API keys post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: enableSloOp + deprecated: true + operationId: create-enrollment-api-keys-deprecated parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' responses: - '204': - description: Successful request + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + description: OK '400': + $ref: '#/components/responses/Fleet_error' + summary: Create enrollment API key + tags: + - Fleet enrollment API keys + /api/fleet/enrollment-api-keys/{keyId}: + delete: + deprecated: true + operationId: delete-enrollment-api-key-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete enrollment API key by ID + tags: + - Fleet enrollment API keys + get: + deprecated: true + operationId: get-enrollment-api-key-deprecated + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get enrollment API key by ID + tags: + - Fleet enrollment API keys + parameters: + - in: path + name: keyId + required: true + schema: + type: string + /api/fleet/epm/bulk_assets: + post: + operationId: bulk-get-assets + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + assetIds: + description: list of items necessary to fetch assets + items: + type: object + properties: + id: + type: string + type: + type: string + type: array + required: + - assetIds + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': + $ref: '#/components/schemas/Fleet_get_bulk_assets_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get assets + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/categories: + get: + operationId: get-package-categories + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Enable an SLO + $ref: '#/components/schemas/Fleet_get_categories_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List package categories tags: - - slo -components: - examples: - Data_views_create_data_view_request: - summary: Create a data view with runtime fields. - value: - data_view: - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - script: - source: emit(doc['shape_name'].value) - type: keyword - title: logstash-* - Data_views_create_runtime_field_request: - summary: Create a runtime field. - value: - name: runtimeFoo - runtimeField: - script: - source: emit(doc["foo"].value) - type: long - Data_views_get_data_view_response: - summary: >- - The get data view API returns a JSON object that contains information - about the data view. - value: - data_view: - allowNoIndex: false - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - count: 1 - fieldFormats: - products.base_price: - id: number - params: - pattern: $0,0.00 - products.base_unit_price: - id: number - params: - pattern: $0,0.00 - products.min_price: - id: number - params: - pattern: $0,0.00 - products.price: - id: number - params: - pattern: $0,0.00 - products.taxful_price: - id: number - params: - pattern: $0,0.00 - products.taxless_price: - id: number - params: - pattern: $0,0.00 - taxful_total_price: - id: number - params: - pattern: $0,0.[00] - taxless_total_price: - id: number - params: - pattern: $0,0.00 - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: category + - Elastic Package Manager (EPM) + parameters: + - description: >- + Whether to include prerelease packages in categories count (e.g. beta, + rc, preview) + in: query + name: prerelease + schema: + default: false + type: boolean + - deprecated: true + in: query + name: experimental + schema: + default: false + type: boolean + - in: query + name: include_policy_templates + schema: + default: false + type: boolean + /api/fleet/epm/packages: + get: + operationId: list-all-packages + parameters: + - description: >- + Whether to exclude the install status of each package. Enabling this + option will opt in to caching for the response via `cache-control` + headers. If you don't need up-to-date installation info for a + package, and are querying for a list of available packages, + providing this flag can improve performance substantially. + in: query + name: excludeInstallStatus + schema: + default: false + type: boolean + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + - deprecated: true + in: query + name: experimental + schema: + default: false + type: boolean + - in: query + name: category + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_packages_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List packages + tags: + - Elastic Package Manager (EPM) + post: + description: '' + operationId: install-package-by-upload + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/gzip; Elastic-Api-Version=2023-10-31: + schema: + format: binary type: string - currency: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: currency - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + application/zip; Elastic-Api-Version=2023-10-31: + schema: + format: binary type: string - customer_birth_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: customer_birth_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - customer_first_name: - aggregatable: false - count: 0 - esTypes: - - text + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _meta: + type: object + properties: + install_source: + enum: + - upload + - registry + - bundled + type: string + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '429': + $ref: '#/components/responses/Fleet_error' + summary: Install by package by direct upload + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/_bulk: + post: + operationId: bulk-install-packages + parameters: + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + description: force install to ignore package verification errors + type: boolean + packages: + description: list of packages to install + items: + oneOf: + - description: package name + type: string + - type: object + properties: + name: + description: package name + type: string + version: + description: package version + type: string + type: array + required: + - packages + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_bulk_install_packages_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk install packages + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgkey}: + delete: + deprecated: true + operationId: delete-package-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgkey + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete ackage + tags: + - Elastic Package Manager (EPM) + get: + deprecated: true + operationId: get-package-deprecated + parameters: + - in: path + name: pkgkey + required: true + schema: + type: string + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - properties: + response: + $ref: '#/components/schemas/Fleet_package_info' + - properties: + savedObject: + type: string + status: + enum: + - installed + - installing + - install_failed + - not_installed + type: string + required: + - status + - savedObject + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package + tags: + - Elastic Package Manager (EPM) + post: + deprecated: true + description: '' + operationId: install-package-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgkey + required: true + schema: + type: string + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Install package + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: + delete: + operationId: delete-package + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: delete package even if policies used by agents + in: query + name: force + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + deprecated: true + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package + tags: + - Elastic Package Manager (EPM) + get: + operationId: get-package + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - properties: + item: + $ref: '#/components/schemas/Fleet_package_info' + - properties: + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + licensePath: + type: string + notice: + type: string + savedObject: + deprecated: true + type: object + status: + enum: + - installed + - installing + - install_failed + - not_installed + type: string + required: + - status + - savedObject + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: Ignore if the package is fails signature verification + in: query + name: ignoreUnverified + schema: + type: boolean + - description: >- + Return all fields from the package manifest, not just those supported + by the Elastic Package Registry + in: query + name: full + schema: + type: boolean + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + post: + description: '' + operationId: install-package + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + ignore_constraints: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _meta: + type: object + properties: + install_source: + enum: + - registry + - upload + - bundled + type: string + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Install package + tags: + - Elastic Package Manager (EPM) + put: + description: '' + operationId: update-package + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + keepPoliciesUpToDate: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + operationId: packages-get-file + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + headers: + type: object + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package file + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: path + name: filePath + required: true + schema: + type: string + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + post: + description: '' + operationId: reauthorize-transforms + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: >- + Whether to include prerelease packages in categories count (e.g. + beta, rc, preview) + in: query + name: prerelease + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + transforms: + items: + type: object + properties: + transformId: + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + error: + type: string + success: + type: boolean + transformId: + type: string + required: + - transformId + - error + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Authorize transforms + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/stats: + get: + operationId: get-package-stats + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + $ref: '#/components/schemas/Fleet_package_usage_stats' + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package stats + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + /api/fleet/epm/packages/limited: + get: + operationId: list-limited-packages + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: string + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get limited package list + tags: + - Elastic Package Manager (EPM) + parameters: [] + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + get: + operationId: get-inputs-template + responses: + '200': + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get inputs template + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: Format of response - json or yaml + in: query + name: format + schema: + enum: + - json + - yaml + - yml + type: string + - description: Specify if version is prerelease + in: query + name: prerelease + schema: + type: boolean + - description: Ignore if the package is fails signature verification + in: query + name: ignoreUnverified + schema: + type: boolean + /api/fleet/epm/verification_key_id: + get: + operationId: packages-get-verification-key-id + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + properties: + id: + description: >- + the key ID of the GPG key used to verify package + signatures + nullable: true + type: string + headers: + type: object + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package signature verification key ID + tags: + - Elastic Package Manager (EPM) + parameters: [] + /api/fleet/fleet_server_hosts: + get: + operationId: get-fleet-server-hosts + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_fleet_server_host' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List Fleet Server hosts + tags: + - Fleet Server hosts + post: + operationId: post-fleet-server-hosts + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host_urls: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this fleet server host. See + the proxies API for more information. + type: string + required: + - name + - host_urls + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create Fleet Server host + tags: + - Fleet Server hosts + /api/fleet/fleet_server_hosts/{itemId}: + delete: + operationId: delete-fleet-server-hosts + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete Fleet Server host by ID + tags: + - Fleet Server hosts + get: + operationId: get-one-fleet-server-hosts + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get Fleet Server host by ID + tags: + - Fleet Server hosts + parameters: + - in: path + name: itemId + required: true + schema: + type: string + put: + operationId: update-fleet-server-hosts + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host_urls: + items: + type: string + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this fleet server host. See + the proxies API for more information. + nullable: true + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update Fleet Server host by ID + tags: + - Fleet Server hosts + /api/fleet/health_check: + post: + operationId: fleet-server-health-check + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + deprecated: true + type: string + id: + type: string + required: + - id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + deprecated: true + type: string + id: + description: Fleet Server host id + type: string + status: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Fleet Server health check + tags: + - Fleet internals + /api/fleet/kubernetes: + get: + operationId: get-full-k8s-manifest + parameters: + - in: query + name: download + required: false + schema: + type: boolean + - in: query + name: fleetServer + required: false + schema: + type: string + - in: query + name: enrolToken + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get full K8s agent manifest + tags: + - Fleet Kubernetes + /api/fleet/logstash_api_keys: + post: + operationId: generate-logstash-api-key + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + api_key: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Generate Logstash API key + tags: + - Fleet outputs + /api/fleet/outputs: + get: + operationId: get-outputs + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_output_create_request' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List outputs + tags: + - Fleet outputs + post: + operationId: post-outputs + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_output_create_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_create_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create output + tags: + - Fleet outputs + /api/fleet/outputs/{outputId}: + delete: + operationId: delete-output + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete output by ID + tags: + - Fleet outputs + get: + operationId: get-output + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_create_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get output by ID + tags: + - Fleet outputs + parameters: + - in: path + name: outputId + required: true + schema: + type: string + put: + operationId: update-output + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_output_update_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_update_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update output by ID + tags: + - Fleet outputs + /api/fleet/outputs/{outputId}/health: + get: + operationId: get-output-health + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get latest output health + tags: + - Fleet outputs + parameters: + - in: path + name: outputId + required: true + schema: + type: string + /api/fleet/package_policies: + get: + operationId: get-package-policies + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_format' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List package policies + tags: + - Fleet package policies + parameters: [] + post: + operationId: create-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_package_policy_request' + description: >- + You should use inputs as an object and not use the deprecated inputs + array. + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '409': + $ref: '#/components/responses/Fleet_error' + summary: Create package policy + tags: + - Fleet package policies + /api/fleet/package_policies/_bulk_get: + post: + operationId: bulk-get-package-policies + parameters: + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + description: list of package policy ids + items: + type: string + type: array + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get package policies + tags: + - Fleet package policies + /api/fleet/package_policies/{packagePolicyId}: + delete: + operationId: delete-package-policy + parameters: + - in: query + name: force + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package policy by ID + tags: + - Fleet package policies + get: + operationId: get-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_format' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package policy by ID + tags: + - Fleet package policies + parameters: + - in: path + name: packagePolicyId + required: true + schema: + type: string + put: + operationId: update-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_package_policy_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update package policy by ID + tags: + - Fleet package policies + /api/fleet/package_policies/delete: + post: + operationId: post-delete-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + packagePolicyIds: + items: + type: string + type: array + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + type: string + name: + type: string + success: + type: boolean + required: + - id + - success + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package policy + tags: + - Fleet package policies + /api/fleet/package_policies/upgrade: + post: + operationId: upgrade-package-policy + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + packagePolicyIds: + items: + type: string + type: array + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + type: string + name: + type: string + success: + type: boolean + required: + - id + - success + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '409': + $ref: '#/components/responses/Fleet_error' + summary: Upgrade package policy to a newer package version + tags: + - Fleet package policies + /api/fleet/package_policies/upgrade/dryrun: + post: + operationId: upgrade-package-policy-dry-run + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + packagePolicyIds: + items: + type: string + type: array + packageVersion: + type: string + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + agent_diff: + $ref: '#/components/schemas/Fleet_upgrade_agent_diff' + diff: + $ref: '#/components/schemas/Fleet_upgrade_diff' + hasErrors: + type: boolean + required: + - hasErrors + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Dry run package policy upgrade + tags: + - Fleet package policies + /api/fleet/proxies: + get: + operationId: get-fleet-proxies + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_proxies' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List proxies + tags: + - Fleet proxies + post: + operationId: post-fleet-proxies + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + id: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + required: + - name + - url + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create proxy + tags: + - Fleet proxies + /api/fleet/proxies/{itemId}: + delete: + operationId: delete-fleet-proxies + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete proxy by ID + tags: + - Fleet proxies + get: + operationId: get-one-fleet-proxies + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get proxy by ID + tags: + - Fleet proxies + parameters: + - in: path + name: itemId + required: true + schema: + type: string + put: + operationId: update-fleet-proxies + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update proxy by ID + tags: + - Fleet proxies + /api/fleet/service_tokens: + post: + operationId: generate-service-token + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + type: string + value: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create service token + tags: + - Fleet service tokens + /api/fleet/service-tokens: + post: + deprecated: true + operationId: generate-service-token-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + type: string + value: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create service token + tags: + - Fleet service tokens + /api/fleet/settings: + get: + operationId: get-settings + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_settings_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get settings + tags: + - Fleet internals + put: + operationId: update-settings + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + additional_yaml_config: + type: string + fleet_server_hosts: + description: Protocol and path must be the same for each URL + items: + type: string + type: array + has_seen_add_data_notice: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_settings_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update settings + tags: + - Fleet internals + /api/fleet/setup: + post: + operationId: setup + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_setup_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + description: Internal Server Error + summary: Initiate Fleet setup + tags: + - Fleet internals + /api/fleet/uninstall_tokens: + get: + operationId: get-uninstall-tokens + parameters: + - description: The number of items to return + in: query + name: perPage + required: false + schema: + default: 20 + minimum: 5 + type: integer + - $ref: '#/components/parameters/Fleet_page_index' + - description: Partial match filtering for policy IDs + in: query + name: policyId + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + created_at: + type: string + id: + type: string + policy_id: + type: string + required: + - id + - policy_id + - created_at + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List metadata for latest uninstall tokens per agent policy + tags: + - Fleet uninstall tokens + /api/fleet/uninstall_tokens/{uninstallTokenId}: + get: + operationId: get-uninstall-token + parameters: + - in: path + name: uninstallTokenId + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: object + properties: + created_at: + type: string + id: + type: string + policy_id: + type: string + token: + type: string + required: + - id + - token + - policy_id + - created_at + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get one decrypted uninstall token by its ID + tags: + - Fleet uninstall tokens + /api/lists: + delete: + description: | + Delete a list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - in: query + name: deleteReferences + required: false + schema: + default: false + type: boolean + - in: query + name: ignoreReferences + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a list + tags: + - Security Lists API + get: + description: Get the details of a list using the list ID. + operationId: ReadList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get list details + tags: + - Security Lists API + patch: + description: Update specific fields of an existing list using the list ID. + operationId: PatchList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a list + tags: + - Security Lists API + post: + description: Create a new list. + operationId: CreateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + serializer: + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a list + tags: + - Security Lists API + put: + description: > + Update a list using the list ID. The original list is replaced, and all + unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + - name + - description + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a list + tags: + - Security Lists API + /api/lists/_find: + get: + description: >- + Get a paginated subset of lists. By default, the first page is returned, + with 20 results per page. + operationId: FindLists + parameters: + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of lists to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get lists + tags: + - Security Lists API + /api/lists/index: + delete: + description: Delete the `.lists` and `.items` data streams. + operationId: DeleteListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete list data streams + tags: + - Security Lists API + get: + description: Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + list_index: + type: boolean + list_item_index: + type: boolean + required: + - list_index + - list_item_index + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream(s) not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get status of list data streams + tags: + - Security Lists API + post: + description: Create `.lists` and `.items` data streams in the relevant space. + operationId: CreateListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create list data streams + tags: + - Security Lists API + /api/lists/items: + delete: + description: Delete a list item using its `id`, or its `list_id` and `value` fields. + operationId: DeleteListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a list item + tags: + - Security Lists API + get: + description: Get the details of a list item. + operationId: ReadListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get a list item + tags: + - Security Lists API + patch: + description: Update specific fields of an existing list item using the list item ID. + operationId: PatchListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: >- + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a list item + tags: + - Security Lists API + post: + description: > + Create a list item and associate it with the specified list. + + + All list items in the same list must be the same type. For example, each + list item in an `ip` list must define a specific IP address. + + > info + + > Before creating a list item, you must create a list. + operationId: CreateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: >- + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - list_id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a list item + tags: + - Security Lists API + put: + description: > + Update a list item using the list item ID. The original list item is + replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a list item + tags: + - Security Lists API + /api/lists/items/_export: + post: + description: Export list item values from the specified list. + operationId: ExportListItems + parameters: + - description: List's id to export + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: A `.txt` file containing list items from the specified list + format: binary + type: string + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Export list items + tags: + - Security Lists API + /api/lists/items/_find: + get: + description: Get all list items in the specified list. + operationId: FindListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of list items to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Lists_API_FindListItemsCursor + data: + items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get list items + tags: + - Security Lists API + /api/lists/items/_import: + post: + description: > + Import list items from a TXT or CSV file. The maximum file size is 9 + million bytes. + + + You can import items to a new or existing list. + operationId: ImportListItems + parameters: + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: > + Type of the importing list. + + + Required when importing a new list that is `list_id` is not + specified. + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListType' + - in: query + name: serializer + required: false + schema: + type: string + - in: query + name: deserializer + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + type: string + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: >- + A `.txt` or `.csv` file containing newline separated list + items + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List with specified list_id does not exist response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Import list items + tags: + - Security Lists API + /api/lists/privileges: + get: + operationId: ReadListPrivileges + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' + lists: + $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' + required: + - lists + - listItems + - is_authenticated + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get list privileges + tags: + - Security Lists API + /api/ml/saved_objects/sync: + get: + description: > + Synchronizes Kibana saved objects for machine learning jobs and trained + models. This API runs automatically when you start Kibana and + periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync machine learning saved objects + tags: + - ml + /api/note: + delete: + description: Delete a note from a Timeline using the note ID. + operationId: DeleteNote + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + type: string + required: + - noteId + - nullable: true + type: object + properties: + noteIds: + items: + type: string + nullable: true + type: array + required: + - noteIds + description: The ID of the note to delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + description: Indicates the note was successfully deleted. + summary: Delete a note + tags: + - Security Timeline API + - access:securitySolution + get: + description: Get all notes for a given document. + operationId: GetNotes + parameters: + - in: query + name: documentIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' + - in: query + name: savedObjectIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' + - in: query + name: page + schema: + nullable: true + type: string + - in: query + name: perPage + schema: + nullable: true + type: string + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: sortField + schema: + nullable: true + type: string + - in: query + name: sortOrder + schema: + nullable: true + type: string + - in: query + name: filter + schema: + nullable: true + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' + - type: object + description: Indicates the requested notes were returned. + summary: Get notes + tags: + - Security Timeline API + - access:securitySolution + patch: + description: Add a note to a Timeline or update an existing note. + operationId: PersistNoteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + eventDataView: + nullable: true + type: string + eventIngested: + nullable: true + type: string + eventTimestamp: + nullable: true + type: string + note: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + noteId: + nullable: true + type: string + overrideOwner: + nullable: true + type: boolean + version: + nullable: true + type: string + required: + - note + description: The note to add or update, along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistNote: + $ref: >- + #/components/schemas/Security_Timeline_API_ResponseNote + required: + - persistNote + required: + - data + description: Indicates the note was successfully created. + summary: Add or update a note + tags: + - Security Timeline API + - access:securitySolution + /api/osquery/live_queries: + get: + description: Get a list of all live queries. + operationId: OsqueryFindLiveQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindLiveQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live queries + tags: + - Security Osquery API + post: + description: Create and run a live query. + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a live query + tags: + - Security Osquery API + /api/osquery/live_queries/{id}: + get: + description: Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_Id' + - in: query + name: query + schema: + additionalProperties: true + type: object + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query details + tags: + - Security Osquery API + /api/osquery/live_queries/{id}/results/{actionId}: + get: + description: Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_Id' + - in: path + name: actionId + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_Id' + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_GetLiveQueryResultsRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query results + tags: + - Security Osquery API + /api/osquery/packs: + get: + description: Get a list of all query packs. + operationId: OsqueryFindPacks + parameters: + - in: query + name: query + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindPacksRequestQuery' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get packs + tags: + - Security Osquery API + post: + description: Create a query pack. + operationId: OsqueryCreatePacks + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a pack + tags: + - Security Osquery API + /api/osquery/packs/{id}: + delete: + description: Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete a pack + tags: + - Security Osquery API + get: + description: Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get pack details + tags: + - Security Osquery API + put: + description: | + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update a pack + tags: + - Security Osquery API + /api/osquery/saved_queries: + get: + description: Get a list of all saved queries. + operationId: OsqueryFindSavedQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindSavedQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get saved queries + tags: + - Security Osquery API + post: + description: Create and run a saved query. + operationId: OsqueryCreateSavedQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a saved query + tags: + - Security Osquery API + /api/osquery/saved_queries/{id}: + delete: + description: Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete a saved query + tags: + - Security Osquery API + get: + description: Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get saved query details + tags: + - Security Osquery API + put: + description: | + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update a saved query + tags: + - Security Osquery API + /api/pinned_event: + patch: + description: Pin an event to an existing Timeline. + operationId: PersistPinnedEventRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + eventId: + type: string + pinnedEventId: + nullable: true + type: string + timelineId: + type: string + required: + - eventId + - timelineId + description: The pinned event to add or update, along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistPinnedEventOnTimeline: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse + required: + - persistPinnedEventOnTimeline + required: + - data + description: Indicates the event was successfully pinned to the Timeline. + summary: Pin an event + tags: + - Security Timeline API + - access:securitySolution + /api/risk_score/engine/dangerously_delete_data: + delete: + description: >- + Cleaning up the the Risk Engine by removing the indices, mapping and + transforms + operationId: CleanUpRiskEngine + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cleanup_successful: + type: boolean + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse + description: Unexpected error + summary: Cleanup the Risk Engine + tags: + - Security Entity Analytics API + /api/risk_score/engine/schedule_now: + post: + description: >- + Schedule the risk scoring engine to run as soon as possible. You can use + this to recalculate entity risk scores after updating their asset + criticality. + operationId: ScheduleRiskEngineNow + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: {} + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse + description: Unexpected error + summary: Run the risk scoring engine + tags: + - Security Entity Analytics API + /api/saved_objects/_export: + post: + description: > + Retrieve sets of saved objects that you want to import into Kibana. + + You must include `type` or `objects` in the request body. + + + Exported saved objects are not backwards compatible and cannot be + imported into an older version of Kibana. + + + NOTE: The `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be exported. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: exportSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsRequest: + $ref: >- + #/components/examples/Serverless_saved_objects_export_objects_request + schema: + type: object + properties: + excludeExportDetails: + default: false + description: Do not add export details entry at the end of the stream. + type: boolean + includeReferencesDeep: + description: >- + Includes all of the referenced objects in the exported + objects. + type: boolean + objects: + description: A list of objects to export. + items: + type: object + type: array + type: + description: >- + The saved object types to include in the export. Use `*` to + export all the types. + oneOf: + - type: string + - items: + type: string + type: array + required: true + responses: + '200': + content: + application/x-ndjson; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsResponse: + $ref: >- + #/components/examples/Serverless_saved_objects_export_objects_response + schema: + additionalProperties: true + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Serverless_saved_objects_400_response' + description: Bad request. + summary: Export saved objects + tags: + - saved objects + /api/saved_objects/_import: + post: + description: > + Create sets of Kibana saved objects from a file created by the export + API. + + Saved objects can be imported only into the same version, a newer minor + on the same major, or the next major. Exported saved objects are not + backwards compatible and cannot be imported into an older version of + Kibana. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: importSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' + - description: > + Creates copies of saved objects, regenerates each object ID, and + resets the origin. When used, potential conflict errors are avoided. + NOTE: This option cannot be used with the `overwrite` and + `compatibilityMode` options. + in: query + name: createNewCopies + required: false + schema: + type: boolean + - description: > + Overwrites saved objects when they already exist. When used, + potential conflict errors are automatically resolved by overwriting + the destination object. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: overwrite + required: false + schema: + type: boolean + - description: > + Applies various adjustments to the saved objects that are being + imported to maintain compatibility between different Kibana + versions. Use this option only if you encounter issues with imported + saved objects. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: compatibilityMode + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + examples: + importObjectsRequest: + $ref: >- + #/components/examples/Serverless_saved_objects_import_objects_request + schema: + type: object + properties: + file: + description: > + A file exported using the export API. NOTE: The + `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be included in + this file. Similarly, the + `savedObjects.maxImportPayloadBytes` setting limits the + overall size of the file that can be imported. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + importObjectsResponse: + $ref: >- + #/components/examples/Serverless_saved_objects_import_objects_response + schema: + type: object + properties: + errors: + description: > + Indicates the import was unsuccessful and specifies the + objects that failed to import. + + + NOTE: One object may result in multiple errors, which + requires separate steps to resolve. For instance, a + `missing_references` error and conflict error. + items: + type: object + type: array + success: + description: > + Indicates when the import was successfully completed. When + set to false, some objects may not have been created. For + additional information, refer to the `errors` and + `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: integer + successResults: + description: > + Indicates the objects that are successfully imported, with + any metadata if applicable. + + + NOTE: Objects are created only when all resolvable errors + are addressed, including conflicts and missing references. + If objects are created as new copies, each entry in the + `successResults` array includes a `destinationId` + attribute. + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Serverless_saved_objects_400_response' + description: Bad request. + summary: Import saved objects + tags: + - saved objects + x-codeSamples: + - label: Import with createNewCopies + lang: cURL + source: | + curl \ + -X POST api/saved_objects/_import?createNewCopies=true + -H "kbn-xsrf: true" + --form file=@file.ndjson + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: >- + Apply a bulk action to multiple anonymization fields. The bulk action is + applied to all anonymization fields that match the filter or to the list + of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of anonymization fields IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter anonymization fields + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Apply a bulk action to anonymization fields + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/anonymization_fields/_find: + get: + description: Get a list of all anonymization fields. + operationId: FindAnonymizationFields + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get anonymization fields + tags: + - Security AI Assistant API + - AnonymizationFields API + /api/security_ai_assistant/chat/complete: + post: + description: Create a model response for the given chat conversation. + operationId: ChatComplete + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true + responses: + '200': + content: + application/octet-stream; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Create a model response + tags: + - Security AI Assistant API + - Chat Complete API + /api/security_ai_assistant/current_user/conversations: + post: + description: Create a new Security AI Assistant conversation. + operationId: CreateConversation + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Create a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: Get a list of all conversations for the current user. + operationId: FindConversations + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Conversations per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get conversations + tags: + - Security AI Assistant API + - Conversations API + /api/security_ai_assistant/current_user/conversations/{id}: + delete: + description: Delete an existing conversation using the conversation ID. + operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Delete a conversation + tags: + - Security AI Assistant API + - Conversation API + get: + description: Get the details of an existing conversation using the conversation ID. + operationId: ReadConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get a conversation + tags: + - Security AI Assistant API + - Conversations API + put: + description: Update an existing conversation using the conversation ID. + operationId: UpdateConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Update a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: >- + Apply a bulk action to multiple prompts. The bulk action is applied to + all prompts that match the filter or to the list of prompts by their + IDs. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of prompts IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter promps + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Apply a bulk action to prompts + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/prompts/_find: + get: + description: Get a list of all prompts. + operationId: FindPrompts + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Prompts per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get prompts + tags: + - Security AI Assistant API + - Prompts API + /api/spaces/space: + get: + description: Get all spaces + operationId: '%2Fapi%2Fspaces%2Fspace#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - in: query + name: purpose + required: false + schema: + enum: + - any + - copySavedObjectsIntoSpace + - shareSavedObjectsIntoSpace + type: string + - in: query + name: include_authorized_purposes + required: true + schema: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - enum: + - false + type: boolean + x-oas-optional: true + - type: boolean + x-oas-optional: true + responses: {} + summary: '' + tags: + - spaces + post: + description: Create a space + operationId: '%2Fapi%2Fspaces%2Fspace#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + type: string + description: + type: string + disabledFeatures: + default: [] + items: + type: string + type: array + id: + type: string + imageUrl: + type: string + initials: + maxLength: 2 + type: string + name: + minLength: 1 + type: string + required: + - id + - name + responses: {} + summary: '' + tags: + - spaces + /api/spaces/space/{id}: + delete: + description: Delete a space + operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#2' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: id + required: true + schema: + type: string + responses: {} + summary: '' + tags: + - spaces + get: + description: Get a space + operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - in: path + name: id + required: true + schema: + type: string + responses: {} + summary: '' + tags: + - spaces + put: + description: Update a space + operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + type: string + description: + type: string + disabledFeatures: + default: [] + items: + type: string + type: array + id: + type: string + imageUrl: + type: string + initials: + maxLength: 2 + type: string + name: + minLength: 1 + type: string + required: + - id + - name + responses: {} + summary: '' + tags: + - spaces + /api/status: + get: + operationId: '%2Fapi%2Fstatus#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: Set to "true" to get the response in v7 format. + in: query + name: v7format + required: false + schema: + type: boolean + - description: Set to "true" to get the response in v8 format. + in: query + name: v8format + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. + description: Overall status is OK and Kibana should be functioning normally. + '503': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. + description: >- + Kibana or some of it's essential services are unavailable. Kibana + may be degraded or unavailable. + summary: Get Kibana's current status + tags: + - system + /api/timeline: + delete: + description: Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + savedObjectIds: + items: + type: string + type: array + searchIds: + description: >- + Saved search ids that should be deleted alongside the + timelines + items: + type: string + type: array + required: + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + deleteTimeline: + type: boolean + required: + - deleteTimeline + required: + - data + description: Indicates the Timeline was successfully deleted. + summary: Delete Timelines or Timeline templates + tags: + - Security Timeline API + - access:securitySolution + get: + description: Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline + parameters: + - description: The ID of the template timeline to retrieve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the Timeline to retrieve. + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - type: object + properties: + data: + type: object + properties: + getOneTimeline: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineResponse + required: + - getOneTimeline + required: + - data + - additionalProperties: false + type: object + description: Indicates that the (template) Timeline was found and returned. + summary: Get Timeline or Timeline template details + tags: + - Security Timeline API + - access:securitySolution + patch: + description: >- + Update an existing Timeline. You can update the title, description, date + range, pinned events, pinned queries, and/or pinned saved queries of an + existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: >- + Indicates that the draft Timeline was successfully created. In the + event the user already has a draft Timeline, the existing draft + Timeline is cleared and returned. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates that the user does not have the required access to create + a draft Timeline. + summary: Update a Timeline + tags: + - Security Timeline API + - access:securitySolution + post: + description: Create a new Timeline or Timeline template. + operationId: CreateTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + version: + nullable: true + type: string + required: + - timeline + description: >- + The required Timeline fields used to create a new Timeline, along with + optional fields that will be created if not provided. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates the Timeline was successfully created. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_copy: + get: + description: | + Copies and returns a timeline or timeline template. + operationId: CopyTimeline + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineIdToCopy: + type: string + required: + - timeline + - timelineIdToCopy + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates that the timeline has been successfully copied. + summary: Copies timeline or timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_draft: + get: + description: >- + Get the details of the draft Timeline or Timeline template for the + current user. If the user doesn't have a draft Timeline, an empty + Timeline is returned. + operationId: GetDraftTimelines + parameters: + - in: query + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates that the draft Timeline was successfully retrieved. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + If a draft Timeline was not found and we attempted to create one, it + indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + This should never happen, but if a draft Timeline was not found and + we attempted to create one, it indicates that there is already a + draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details + tags: + - Security Timeline API + - access:securitySolution + post: + description: > + Create a clean draft Timeline or Timeline template for the current user. + + > info + + > If the user already has a draft Timeline, the existing draft Timeline + is cleared and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + required: + - timelineType + description: >- + The type of Timeline to create. Valid values are `default` and + `template`. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: >- + Indicates that the draft Timeline was successfully created. In the + event the user already has a draft Timeline, the existing draft + Timeline is cleared and returned. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that there is already a draft Timeline with the given + `timelineId`. + summary: Create a clean draft Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_export: + post: + description: Export Timelines as an NDJSON file. + operationId: ExportTimelines + parameters: + - description: The name of the file to export + in: query + name: file_name + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + items: + type: string + nullable: true + type: array + description: The IDs of the Timelines to export. + required: true + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: NDJSON of the exported Timelines + type: string + description: Indicates the Timelines were successfully exported. + '400': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that the export size limit was exceeded. + summary: Export Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_favorite: + patch: + description: Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistFavorite: + $ref: >- + #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse + required: + - persistFavorite + required: + - data + description: Indicates the favorite status was successfully updated. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the user does not have the required permissions to persist + the favorite status. + summary: Favorite a Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_import: + post: + description: Import Timelines. + operationId: ImportTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: {} + isImmutable: + enum: + - 'true' + - 'false' + type: string + required: + - file + description: The Timelines to import as a readable stream. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_ImportTimelineResult + description: Indicates the import of Timelines was successful. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: + type: string + statusCode: + type: number + description: >- + Indicates the import of Timelines was unsuccessful because of an + invalid file extension. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + statusCode: + type: number + description: >- + Indicates that we were unable to locate the saved object client + necessary to handle the import. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: + type: string + statusCode: + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_prepackaged: + post: + description: Install or update prepackaged Timelines. + operationId: InstallPrepackedTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + prepackagedTimelines: + items: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject + nullable: true + type: array + timelinesToInstall: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + timelinesToUpdate: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + required: + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_ImportTimelineResult + description: Indicates the installation of prepackaged Timelines was successful. + '500': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the installation of prepackaged Timelines was + unsuccessful. + summary: Install prepackaged Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/resolve: + get: + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - type: object + properties: + data: + $ref: >- + #/components/schemas/Security_Timeline_API_ResolvedTimeline + required: + - data + - additionalProperties: false + type: object + description: The (template) Timeline has been found + '400': + description: The request is missing parameters + '404': + description: The (template) Timeline was not found + summary: Get an existing saved Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timelines: + get: + description: Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines + parameters: + - description: >- + If true, only timelines that are marked as favorites by the user are + returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + - in: query + name: sort_field + schema: + $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' + - in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - in: query + name: page_size + schema: + nullable: true + type: string + - in: query + name: page_index + schema: + nullable: true + type: string + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: status + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + customTemplateTimelineCount: + type: number + defaultTimelineCount: + type: number + elasticTemplateTimelineCount: + type: number + favoriteCount: + type: number + templateTimelineCount: + type: number + timeline: + items: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineResponse + type: array + totalCount: + type: number + required: + - timeline + - totalCount + description: Indicates that the (template) Timelines were found and returned. + '400': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Bad request. The user supplied invalid data. + summary: Get Timelines or Timeline templates + tags: + - Security Timeline API + - access:securitySolution + /s/{spaceId}/api/observability/slos: + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: findSlosOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' + in: query + name: kqlQuery + schema: + type: string + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 + in: query + name: page + schema: + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 + in: query + name: perPage + schema: + default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status + in: query + name: sortBy + schema: + default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining + type: string + - description: Sort order + example: asc + in: query + name: sortDirection + schema: + default: asc + enum: + - asc + - desc + type: string + - description: >- + Hide stale SLOs from the list as defined by stale SLO threshold in + SLO settings + in: query + name: hideStale + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_find_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs + tags: + - slo + post: + description: > + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: createSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + servers: + - url: https://localhost:5601 + summary: Create an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/_delete_instances: + post: + description: > + The deletion occurs for the specified list of `sloId` and `instanceId`. + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloInstancesOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_delete_slo_instances_request' + required: true + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + servers: + - url: https://localhost:5601 + summary: Batch delete rollup and summary data + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}: + delete: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Delete an SLO + tags: + - slo + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: getSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + - description: the specific instanceId used by the summary calculation + example: host-abcde + in: query + name: instanceId + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get an SLO + tags: + - slo + put: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: updateSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_update_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Update an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/_reset: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: resetSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Reset an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/disable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: disableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '200': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Disable an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/enable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: enableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Enable an SLO + tags: + - slo +components: + examples: + Data_views_create_data_view_request: + summary: Create a data view with runtime fields. + value: + data_view: + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + title: logstash-* + Data_views_create_runtime_field_request: + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: emit(doc["foo"].value) + type: long + Data_views_get_data_view_response: + summary: >- + The get data view API returns a JSON object that contains information + about the data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number + params: + pattern: $0,0.00 + products.base_unit_price: + id: number + params: + pattern: $0,0.00 + products.min_price: + id: number + params: + pattern: $0,0.00 + products.price: + id: number + params: + pattern: $0,0.00 + products.taxful_price: + id: number + params: + pattern: $0,0.00 + products.taxless_price: + id: number + params: + pattern: $0,0.00 + taxful_total_price: + id: number + params: + pattern: $0,0.[00] + taxless_total_price: + id: number + params: + pattern: $0,0.00 + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category + type: string + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name + type: string + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_full_name + type: string + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + event.dataset: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: manufacturer + type: string + order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category + type: string + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer + type: string + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_name: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name + type: string + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxful_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + type: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + user: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + summary: The get all data views API returns a list of data views. + value: + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + summary: The get default data view API returns the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: + summary: >- + The get runtime field API returns a JSON object that contains + information about the runtime field (`hour_of_day`) and the data view + (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). + value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: + AvgTicketPrice: + id: number + params: + pattern: $0,0.[00] + hour_of_day: + id: number + params: + pattern: '00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + DistanceMiles: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightDelayType + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightNum: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightNum + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeMin: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: FlightTimeMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Origin: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Origin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword format: id: string isMapped: true - name: customer_first_name - readFromDocValues: false + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp + readFromDocValues: true scripted: false searchable: true shortDotsEnable: false + type: date + id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". + value: + fromId: abcd-efg + toId: xyz-123 + Data_views_set_default_data_view_request: + summary: Set the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_swap_data_view_request: + summary: >- + Swap references from data view ID "abcd-efg" to "xyz-123" and remove the + data view that is no longer referenced. + value: + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_update_data_view_request: + summary: Update some properties for a data view. + value: + data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + summary: Update metadata for multiple fields. + value: + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_runtime_field_request: + summary: Update an existing runtime field on a data view. + value: + runtimeField: + script: + source: emit(doc["bar"].value) + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. + value: + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Serverless_saved_objects_export_objects_request: + summary: Export a specific saved object. + value: + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + type: map + Serverless_saved_objects_export_objects_response: + summary: >- + The export objects API response contains a JSON record for each exported + object. + value: + attributes: + description: '' + layerListJSON: >- + [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total + Requests by + Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web + logs + count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual + Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total + Requests and + Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web + logs + count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] + mapStateJSON: >- + {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} + title: '[Logs] Total Requests and Bytes' + uiStateJSON: '{"isDarkMode":false}' + coreMigrationVersion: 8.8.0 + created_at: '2023-08-23T20:03:32.204Z' + id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + managed: false + references: + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_1_join_0_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_2_source_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_3_source_index_pattern + type: index-pattern + type: map + typeMigrationVersion: 8.4.0 + updated_at: '2023-08-23T20:03:32.204Z' + version: WzEzLDFd + Serverless_saved_objects_import_objects_request: + value: + file: file.ndjson + Serverless_saved_objects_import_objects_response: + summary: >- + The import objects API response indicates a successful import and the + objects are created. Since these objects are created as new copies, each + entry in the successResults array includes a destinationId attribute. + value: + success: true + successCount: 1 + successResults: + - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + managed: false + meta: + icon: indexPatternApp + title: Kibana Sample Data Logs + type: index-pattern + parameters: + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Fleet_format: + description: Simplified or legacy format for package inputs + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + Fleet_kbn_xsrf: + description: Kibana's anti Cross-Site Request Forgery token. Can be any string value. + in: header + name: kbn-xsrf + required: true + schema: + type: string + Fleet_kuery: + in: query + name: kuery + required: false + schema: + type: string + Fleet_page_index: + in: query + name: page + required: false + schema: + default: 1 + type: integer + Fleet_page_size: + description: The number of items to return + in: query + name: perPage + required: false + schema: + default: 20 + type: integer + Fleet_show_inactive: + in: query + name: showInactive + required: false + schema: + type: boolean + Fleet_show_upgradeable: + in: query + name: showUpgradeable + required: false + schema: + type: boolean + Fleet_sort_field: + in: query + name: sortField + required: false + schema: + deprecated: true + type: string + Fleet_sort_order: + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + Fleet_with_metrics: + description: Return agent metrics, false by default + in: query + name: withMetrics + required: false + schema: + type: boolean + Machine_learning_APIs_simulateParam: + description: >- + When true, simulates the synchronization by returning only the list of + actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + Serverless_saved_objects_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: >- + An identifier for the space. If `/s/` and the identifier are omitted + from the path, the default space is used. + in: path + name: spaceId + required: true + schema: + example: default + type: string + responses: + Fleet_error: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + schemas: + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: >- + Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] + not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before the data is available. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: + type: string + required: + - title + override: + default: false + description: >- + Override an existing data view if a data view with the provided + title already exists. + type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: >- + An array of space identifiers for sharing the data view between multiple + spaces. + items: + default: default + type: string + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. + type: string + type: + description: Mapping type of the runtime field. + type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: + type: string + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: > + Specify the type of the saved object reference to alter. The default + value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. + type: string + Data_views_title: + description: >- + Comma-separated list of data streams, indices, and aliases that you want + to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: > + The data view properties you want to update. Only the specified + properties are updated in the data view. Unspecified fields stay as + they are persisted. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: + type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. + type: boolean + required: + - data_view + Fleet_agent: + title: Agent + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + components: + items: + $ref: '#/components/schemas/Fleet_agent_component' + type: array + default_api_key: + type: string + default_api_key_id: + type: string + enrolled_at: + type: string + id: + type: string + last_checkin: + type: string + local_metadata: + $ref: '#/components/schemas/Fleet_agent_metadata' + metrics: + type: object + properties: + cpu_avg: + description: >- + Average agent CPU usage during the last 5 minutes, number + between 0-1 + type: number + memory_size_byte_avg: + description: Average agent memory consumption during the last 5 minutes + type: number + policy_id: + type: string + policy_revision: + type: number + status: + $ref: '#/components/schemas/Fleet_agent_status' + type: + $ref: '#/components/schemas/Fleet_agent_type' + unenrolled_at: + type: string + unenrollment_started_at: + type: string + user_provided_metadata: + $ref: '#/components/schemas/Fleet_agent_metadata' + required: + - type + - active + - enrolled_at + - id + - status + Fleet_agent_action: + oneOf: + - properties: + ack_data: + type: string + data: + type: string + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + - properties: + data: + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + type: + type: string + title: Agent action + Fleet_agent_component: + title: Agent component + type: object + properties: + id: + type: string + message: + type: string + status: + $ref: '#/components/schemas/Fleet_agent_component_status' + type: + type: string + units: + items: + $ref: '#/components/schemas/Fleet_agent_component_unit' + type: array + Fleet_agent_component_status: + enum: + - starting + - configuring + - healthy + - degraded + - failed + - stopping + - stopped + title: Agent component status + type: string + Fleet_agent_component_unit: + title: Agent component unit + type: object + properties: + id: + type: string + message: + type: string + payload: + type: object + status: + $ref: '#/components/schemas/Fleet_agent_component_status' + type: + $ref: '#/components/schemas/Fleet_agent_component_unit_type' + Fleet_agent_component_unit_type: + enum: + - input + - output + title: Agent component unit type + type: string + Fleet_agent_diagnostics: + title: Agent diagnostics + type: object + properties: + actionId: + type: string + createTime: + type: string + filePath: + type: string + id: + type: string + name: + type: string + status: + enum: + - READY + - AWAITING_UPLOAD + - DELETED + - IN_PROGRESS + required: + - id + - name + - createTime + - filePath + - actionId + - status + Fleet_agent_get_by_actions: + items: + items: + type: string + type: array + title: Agents get by action ids + type: array + Fleet_agent_metadata: + title: Agent metadata + type: object + Fleet_agent_policy: + title: Agent Policy + type: object + properties: + advanced_settings: + description: >- + Advanced settings stored in the agent policy, e.g. + agent_limits_go_max_procs + nullable: true + type: object + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + agents: + type: number + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + items: + additionalProperties: + oneOf: + - type: string + - type: number + description: >- + User defined data tags that are added to all of the inputs. The + values can be strings or numbers. + type: object + type: array + id: + type: string + inactivity_timeout: + type: integer + is_protected: + description: >- + Indicates whether the agent policy has tamper protection enabled. + Default false. + type: boolean + keep_monitoring_alive: + description: >- + When set to true, monitoring will be enabled but logs/metrics + collection will be disabled + nullable: true + type: boolean + monitoring_diagnostics: + type: object + properties: + limit: + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_http: + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + required: + - enabled + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + type: string + namespace: + type: string + overrides: + description: >- + Override settings that are defined in the agent policy. Input + settings cannot be overridden. The override option should be used + only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_policies: + description: >- + This field is present only when retrieving a single agent policy, or + when retrieving a list of agent policies with the ?full=true + parameter + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + revision: + type: number + supports_agentless: + description: >- + Indicates whether the agent policy supports agentless integrations. + Only allowed in a serverless environment. + type: boolean + unenroll_timeout: + type: integer + unprivileged_agents: + type: number + updated_by: + type: string + updated_on: + format: date-time + type: string + required: + - id + - status + - name + - namespace + Fleet_agent_policy_create_request: + title: Create agent policy request + type: object + properties: + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + description: Force agent policy creation even if packages are not verified. + type: boolean + global_data_tags: + items: + additionalProperties: + oneOf: + - type: string + - type: number + description: >- + User defined data tags that are added to all of the inputs. The + values can be strings or numbers. + type: object + type: array + id: + type: string + inactivity_timeout: + type: integer + is_protected: + type: boolean + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_output_id: + nullable: true + type: string + name: + type: string + namespace: + type: string + unenroll_timeout: + type: integer + required: + - name + - namespace + Fleet_agent_policy_full: + oneOf: + - type: object + properties: + item: + type: string + - type: object + properties: + item: + $ref: '#/components/schemas/Fleet_full_agent_policy' + title: Agent policy full response + type: object + Fleet_agent_policy_update_request: + title: Update agent policy request + type: object + properties: + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + description: Force agent policy creation even if packages are not verified. + type: boolean + global_data_tags: + items: + additionalProperties: + oneOf: + - type: string + - type: number + description: >- + User defined data tags that are added to all of the inputs. The + values can be strings or numbers. + type: object + type: array + inactivity_timeout: + type: integer + is_protected: + type: boolean + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_output_id: + nullable: true + type: string + name: + type: string + namespace: + type: string + unenroll_timeout: + type: integer + required: + - name + - namespace + Fleet_agent_status: + enum: + - offline + - error + - online + - inactive + - warning + title: Elastic Agent status + type: string + Fleet_agent_type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + title: Agent type + type: string + Fleet_bulk_install_packages_response: + title: Bulk install packages response + type: object + properties: + items: + items: + type: object + properties: + name: + type: string + version: + type: string + type: array + response: + deprecated: true + items: + type: object + properties: + name: + type: string + version: + type: string + type: array + required: + - items + Fleet_bulk_upgrade_agents: + title: Bulk upgrade agents + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + force: + description: Force upgrade, skipping validation (should be used with caution) + type: boolean + rollout_duration_seconds: + description: rolling upgrade window duration in seconds + type: number + skipRateLimitCheck: + description: Skip rate limit check for upgrade + type: boolean + source_uri: + description: alternative upgrade binary download url + type: string + start_time: + description: start time of upgrade in ISO 8601 format + type: string + version: + description: version to upgrade to + type: string + required: + - agents + - version + Fleet_data_stream: + title: Data stream + type: object + properties: + dashboard: + items: + type: object + properties: + id: + type: string + title: + type: string + type: array + dataset: + type: string + index: + type: string + last_activity_ms: + type: number + namespace: + type: string + package: + type: string + package_version: + type: string + size_in_bytes: + type: number + size_in_bytes_formatted: + type: string + type: + type: string + Fleet_download_sources: + title: Download Source + type: object + properties: + host: + type: string + id: + type: string + is_default: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this download source. See the proxies + API for more information. + nullable: true + type: string + required: + - is_default + - name + - host + Fleet_elasticsearch_asset_type: + enum: + - component_template + - ingest_pipeline + - index_template + - ilm_policy + - transform + - data_stream_ilm_policy + title: Elasticsearch asset type + type: string + Fleet_enrollment_api_key: + title: Enrollment API key + type: object + properties: + active: + description: >- + When false, the enrollment API key is revoked and cannot be used for + enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + Fleet_fleet_server_host: + title: Fleet Server Host + type: object + properties: + host_urls: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + proxy_id: + type: string + required: + - fleet_server_hosts + - id + - is_default + - is_preconfigured + - host_urls + Fleet_fleet_settings_response: + title: Fleet settings response + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_settings' + required: + - item + Fleet_fleet_setup_response: + title: Fleet Setup response + type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + type: array + required: + - isInitialized + - nonFatalErrors + Fleet_fleet_status_response: + title: Fleet status response + type: object + properties: + isReady: + type: boolean + missing_optional_features: + items: + enum: + - encrypted_saved_object_encryption_key_required + type: string + type: array + missing_requirements: + items: + enum: + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + type: array + package_verification_key_id: + type: string + required: + - isReady + - missing_requirements + - missing_optional_features + Fleet_full_agent_policy: + title: Full agent policy + type: object + properties: + agent: + nullable: true + type: string + fleet: + oneOf: + - type: object + properties: + hosts: + items: + type: string + type: array + proxy_headers: {} + proxy_url: + type: string + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + - type: object + properties: + kibana: + type: object + properties: + hosts: + items: + type: string + type: array + path: + type: string + protocol: + type: string + id: + type: string + inputs: + type: string + monitoring: + type: object + properties: + diagnostics: + type: object + properties: + limit: + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + enabled: + type: boolean + http: + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + required: + - enabled + logs: + type: boolean + metrics: + type: boolean + namespace: + type: string + pprof: + type: object + properties: + enabled: + type: boolean + required: + - enabled + traces: + type: boolean + use_output: + type: string + required: + - enabled + - metrics + - logs + - traces + output_permissions: + additionalProperties: + type: object + properties: + data: + $ref: >- + #/components/schemas/Fleet_full_agent_policy_output_permissions + output: + type: integer + type: object + outputs: + additionalProperties: + $ref: '#/components/schemas/Fleet_full_agent_policy_output' + type: object + revision: + type: number + secret_references: + items: + type: object + properties: + id: + type: string + type: array + required: + - id + - outputs + - inputs + Fleet_full_agent_policy_input: + allOf: + - additionalProperties: true + type: object + properties: + data_stream: + type: object + properties: + namespace: + type: string + required: + - namespace + id: + type: string + meta: + additionalProperties: true + type: object + properties: + package: + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: + type: string + revision: + type: number + streams: + $ref: '#/components/schemas/Fleet_full_agent_policy_input_stream' + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + title: Full agent policy input + Fleet_full_agent_policy_input_stream: + allOf: + - additionalProperties: true + type: object + properties: + data_stream: + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + - type + id: + type: string + required: + - id + - data_stream + title: Full agent policy input stream + Fleet_full_agent_policy_output: + title: Full agent policy + type: object + properties: + additionalProperties: + type: object + properties: + text: {} + ca_sha256: + nullable: true + type: string + hosts: + items: + type: string + type: array + proxy_headers: {} + proxy_url: + type: string + type: {} + required: + - type + - hosts + - ca_sha256 + Fleet_full_agent_policy_output_permissions: + additionalProperties: + type: object + properties: + data: + type: object + properties: + cluster: + items: + type: string + type: array + indices: + items: + type: object + properties: + names: + items: + type: string + type: array + privileges: + items: + type: string + type: array + type: array + packagePolicyName: + type: string + title: Full agent policy output permissions + Fleet_get_agent_tags_response: + title: Get Agent Tags response + type: object + properties: + items: + items: + type: string + type: array + Fleet_get_agents_response: + title: Get Agent response + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_agent' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_agent' + type: array + page: + type: number + perPage: + type: number + statusSummary: + type: object + properties: + degraded': + type: number + enrolling: + type: number + error: + type: number + inactive: + type: number + offline: + type: number + online: + type: number + unenrolled: + type: number + unenrolling: + type: number + updating: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + Fleet_get_bulk_assets_response: + deprecated: true + properties: + items: + items: + type: object + properties: + appLink: + type: string + attributes: + type: object + properties: + description: + type: string + title: + type: string + id: + type: string + type: + $ref: '#/components/schemas/Fleet_saved_object_type' + updatedAt: + type: string + type: array + required: + - items + title: Bulk get assets response + type: object + Fleet_get_categories_response: + title: Get categories response + type: object + properties: + items: + items: + type: object + properties: + count: + type: number + id: + type: string + title: + type: string + required: + - id + - title + - count + type: array + response: + items: + deprecated: true + type: object + properties: + count: + type: number + id: + type: string + title: + type: string + required: + - id + - title + - count + type: array + required: + - items + Fleet_get_packages_response: + title: Get Packages response + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_search_result' + type: array + response: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_search_result' + type: array + required: + - items + Fleet_installation_info: + title: Installation info object + type: object + properties: + created_at: + type: string + experimental_data_stream_features: + type: array + properties: + data_stream: type: string - customer_first_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_first_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_first_name + features: + type: object + properties: + doc_value_only_numeric: + nullable: true + type: boolean + doc_value_only_other: + nullable: true + type: boolean + synthetic_source: + nullable: true + type: boolean + tsdb: + nullable: true + type: boolean + install_format_schema_version: + type: string + install_kibana_space_id: + type: string + install_source: + enum: + - registry + - upload + - bundled + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: + type: object + properties: + deferred: + type: boolean + id: + type: string + type: + $ref: '#/components/schemas/Fleet_elasticsearch_asset_type' + installed_kibana: + type: object + properties: + id: + type: string + type: + $ref: '#/components/schemas/Fleet_kibana_saved_object_type' + latest_executed_state: + description: Latest successfully executed state in package install state machine + type: object + properties: + error: type: string - customer_full_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_full_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + name: + enum: + - create_restart_installation + - install_kibana_assets + - install_ilm_policies + - install_ml_model + - install_index_template_pipelines + - remove_legacy_templates + - update_current_write_indices + - install_transforms + - delete_previous_pipelines + - save_archive_entries_from_assets_map + - update_so type: string - customer_full_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_full_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_full_name + started_at: type: string - customer_gender: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_gender - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + latest_install_failed_attempts: + description: Latest failed install errors + items: + type: object + properties: + created_at: + type: string + error: + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + target_version: + type: string + type: array + name: + type: string + namespaces: + items: + type: string + type: array + type: + type: string + updated_at: + type: string + verification_key_id: + nullable: true + type: string + verification_status: + enum: + - verified + - unverified + - unknown + type: string + version: + type: string + required: + - installed_kibana + - installed_es + - name + - version + - install_status + - install_version + - install_started_at + - install_source + - verification_status + - latest_install_failed_attempts + Fleet_kibana_saved_object_type: + enum: + - dashboard + - visualization + - search + - index-pattern + - map + - lens + - ml-module + - security-rule + - csp_rule_template + title: Kibana saved object asset type + type: string + Fleet_new_package_policy: + description: '' + properties: + description: + type: string + enabled: + type: boolean + inputs: + items: + type: object + properties: + config: + type: object + enabled: + type: boolean + processors: + items: + type: string + type: array + streams: + items: {} + type: array + type: + type: string + vars: + type: object + required: + - type + - enabled + type: array + name: + type: string + namespace: + type: string + output_id: + type: string + overrides: + type: object + package: + type: object + properties: + name: type: string - customer_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + requires_root: + type: boolean + title: type: string - customer_last_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_last_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + version: type: string - customer_last_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_last_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_last_name + required: + - name + - version + policy_id: + deprecated: true + nullable: true + type: string + policy_ids: + items: + type: string + type: array + required: + - inputs + - name + title: New package policy + type: object + Fleet_output_create_request: + discriminator: + mapping: + elasticsearch: '#/components/schemas/Fleet_output_create_request_elasticsearch' + kafka: '#/components/schemas/Fleet_output_create_request_kafka' + logstash: '#/components/schemas/Fleet_output_create_request_logstash' + remote_elasticsearch: >- + #/components/schemas/Fleet_output_create_request_remote_elasticsearch + propertyName: type + oneOf: + - $ref: '#/components/schemas/Fleet_output_create_request_elasticsearch' + - $ref: '#/components/schemas/Fleet_output_create_request_kafka' + - $ref: '#/components/schemas/Fleet_output_create_request_logstash' + - $ref: >- + #/components/schemas/Fleet_output_create_request_remote_elasticsearch + title: Output + Fleet_output_create_request_elasticsearch: + title: elasticsearch + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: type: string - customer_phone: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_phone - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: type: string - day_of_week: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: day_of_week - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + certificate_authorities: + items: + type: string + type: array + key: type: string - day_of_week_i: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: day_of_week_i - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + type: + enum: + - elasticsearch + type: string + required: + - name + Fleet_output_create_request_kafka: + title: kafka + type: object + properties: + auth_type: + type: string + broker_timeout: + type: number + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + client_id: + type: string + compression: + type: string + compression_level: + type: number + config: + type: object + config_yaml: + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + headers: + items: + type: object + properties: + key: + type: string + value: + type: string + type: array + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + key: + type: string + name: + type: string + partition: + type: string + password: + type: string + proxy_id: + type: string + random: + type: object + properties: + group_events: type: number - email: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: email - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - event.dataset: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: event.dataset - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required_acks: + type: number + round_robin: + type: object + properties: + group_events: + type: number + sasl: + type: object + properties: + mechanism: type: string - geoip.city_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.city_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + secrets: + type: object + properties: + password: type: string - geoip.continent_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.continent_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + ssl: + type: object + properties: + key: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: type: string - geoip.country_iso_code: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.country_iso_code - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: type: string - geoip.location: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: geoip.location - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - geoip.region_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.region_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + certificate_authorities: + items: + type: string + type: array + key: type: string - manufacturer: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + verification_mode: + enum: + - none + - full + - certificate + - strict type: string - manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: manufacturer + timeout: + type: number + topic: + type: string + topics: + deprecated: true + description: Use topic instead. + items: + type: object + properties: + topic: + type: string + when: + deprecated: true + description: >- + Deprecated, kafka output do not support conditionnal topics + anymore. + type: object + properties: + condition: + type: string + type: + type: string + type: array + type: + enum: + - kafka + type: string + username: + type: string + version: + type: string + required: + - name + - type + - topics + - auth_type + - hosts + Fleet_output_create_request_logstash: + title: logstash + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + type: string + secrets: + type: object + properties: + ssl: + type: object + properties: + key: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: type: string - order_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: order_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - order_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: order_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: type: string - products._id: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products._id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + certificate_authorities: + items: + type: string + type: array + key: type: string - products._id.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products._id.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products._id + type: + enum: + - logstash + type: string + required: + - name + - hosts + - type + Fleet_output_create_request_remote_elasticsearch: + title: remote_elasticsearch + type: object + properties: + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + secrets: + type: object + properties: + service_token: type: string - products.base_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + service_token: + type: string + type: + enum: + - remote_elasticsearch + type: string + required: + - name + Fleet_output_update_request: + discriminator: + mapping: + elasticsearch: '#/components/schemas/Fleet_output_update_request_elasticsearch' + kafka: '#/components/schemas/Fleet_output_update_request_kafka' + logstash: '#/components/schemas/Fleet_output_update_request_logstash' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Fleet_output_update_request_elasticsearch' + - $ref: '#/components/schemas/Fleet_output_update_request_kafka' + - $ref: '#/components/schemas/Fleet_output_update_request_logstash' + title: Output + Fleet_output_update_request_elasticsearch: + title: elasticsearch + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + type: string + shipper: + type: object + properties: + compression_level: type: number - products.base_unit_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_unit_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: type: number - products.category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products.category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + disk_queue_path: type: string - products.category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.category + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: type: string - products.created_on: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: products.created_on - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - products.discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - elasticsearch + type: string + required: + - name + - hosts + - type + Fleet_output_update_request_kafka: + title: kafka + type: object + properties: + auth_type: + type: string + broker_timeout: + type: number + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + client_id: + type: string + compression: + type: string + compression_level: + type: number + config: + type: object + config_yaml: + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + headers: + items: + type: object + properties: + key: + type: string + value: + type: string + type: array + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + key: + type: string + name: + type: string + partition: + type: string + password: + type: string + proxy_id: + type: string + random: + type: object + properties: + group_events: type: number - products.discount_percentage: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_percentage - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required_acks: + type: number + round_robin: + type: object + properties: + group_events: type: number - products.manufacturer: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.manufacturer + sasl: + type: object + properties: + mechanism: type: string - products.min_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.min_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.price: - aggregatable: true - count: 1 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + shipper: + type: object + properties: + compression_level: type: number - products.product_id: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - isMapped: true - name: products.product_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: type: number - products.product_name: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.product_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + disk_queue_path: type: string - products.product_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.product_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.product_name + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: type: string - products.quantity: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: products.quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + certificate_authorities: + items: + type: string + type: array + key: type: string - products.tax_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.tax_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxful_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxful_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxless_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxless_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + verification_mode: + enum: + - none + - full + - certificate + - strict + type: string + timeout: + type: number + topic: + type: string + topics: + deprecated: true + description: Use topic instead. + items: + type: object + properties: + topic: + type: string + when: + deprecated: true + description: >- + Deprecated, kafka output do not support conditionnal topics + anymore. + type: object + properties: + condition: + type: string + type: + type: string + type: array + type: + enum: + - kafka + type: string + username: + type: string + version: + type: string + required: + - name + Fleet_output_update_request_logstash: + title: logstash + type: object + properties: + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + type: string + shipper: + type: object + properties: + compression_level: type: number - products.unit_discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.unit_discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: type: number - sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + disk_queue_path: type: string - taxful_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: taxful_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - taxless_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: taxless_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_quantity: - aggregatable: true - count: 1 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_unique_products: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_unique_products - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - type: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: type - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: type: string - user: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: user - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + certificate_authorities: + items: + type: string + type: array + key: type: string - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - runtimeFieldMap: {} - sourceFilters: [] - timeFieldName: order_date - title: kibana_sample_data_ecommerce - typeMeta: {} - version: WzUsMV0= - Data_views_get_data_views_response: - summary: The get all data views API returns a list of data views. - value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - namespaces: - - default - title: kibana_sample_data_flights - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: Kibana Sample Data Logs - namespaces: - - default - title: kibana_sample_data_logs - Data_views_get_default_data_view_response: - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_get_runtime_field_response: - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). - value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: - AvgTicketPrice: - id: number - params: - pattern: $0,0.[00] - hour_of_day: - id: number - params: - pattern: '00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + type: + enum: + - logstash + type: string + required: + - name + Fleet_package_info: + title: Package information + type: object + properties: + assets: + items: + type: string + type: array + categories: + items: + type: string + type: array + conditions: + type: object + properties: + elasticsearch: + type: object + properties: + subscription: + enum: + - basic + - gold + - platinum + - enterprise + type: string + kibana: + type: object + properties: + versions: + type: string + data_streams: + items: + type: object + properties: + ingeset_pipeline: + type: string + name: + type: string + package: + type: string + release: + type: string + title: + type: string + type: + type: string + vars: + items: + type: object + properties: + default: + type: string + name: + type: string + required: + - name + - default + type: array + required: + - title + - name + - release + - ingeset_pipeline + - type + - package + type: array + description: + type: string + download: + type: string + elasticsearch: + type: object + properties: + privileges: + type: object + properties: + cluster: + items: + type: string + type: array + format_version: + type: string + icons: + items: + type: string + type: array + internal: + type: boolean + name: + type: string + path: + type: string + readme: + type: string + release: + deprecated: true + description: >- + release label is deprecated, derive from the version instead + (packages follow semver) + enum: + - experimental + - beta + - ga + type: string + screenshots: + items: + type: object + properties: + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + - path + type: array + source: + type: object + properties: + license: + enum: + - Apache-2.0 + - Elastic-2.0 type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + title: + type: string + type: + type: string + version: + type: string + required: + - name + - title + - version + - description + - type + - categories + - conditions + - assets + - format_version + - download + - path + Fleet_package_policy: + allOf: + - type: object + properties: + id: type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - AvgTicketPrice: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: AvgTicketPrice - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + inputs: + oneOf: + - items: {} + type: array + - type: object + revision: type: number - Cancelled: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: Cancelled - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - Carrier: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Carrier - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - id + - revision + - $ref: '#/components/schemas/Fleet_new_package_policy' + title: Package policy + Fleet_package_policy_request: + title: Package Policy Request + type: object + properties: + description: + description: Package policy description + example: my description + type: string + force: + description: >- + Force package policy creation even if package is not verified, or if + the agent policy is managed. + type: boolean + id: + description: Package policy unique identifier + type: string + inputs: + additionalProperties: + type: object + properties: + enabled: + description: enable or disable that input, (default to true) + type: boolean + streams: + additionalProperties: + type: object + properties: + enabled: + description: enable or disable that stream, (default to true) + type: boolean + vars: + description: >- + Stream level variable (see integration documentation for + more information) + type: object + description: >- + Input streams (see integration documentation to know what + streams are available) + type: object + vars: + description: >- + Input level variable (see integration documentation for more + information) + type: object + description: >- + Package policy inputs (see integration documentation to know what + inputs are available) + example: + nginx-logfile: + enabled: true + streams: + nginx.access: + enabled: true + vars: + ignore_older: 72h + paths: + - /var/log/nginx/access.log* + preserve_original_event: false + tags: + - nginx-access + type: object + name: + description: Package policy name (should be unique) + example: nginx-123 + type: string + namespace: + description: >- + The package policy namespace. Leave blank to inherit the agent + policy's namespace. + example: customnamespace + type: string + output_id: + description: Output ID to send package data to + example: output-id + nullable: true + type: string + overrides: + description: >- + Override settings that are defined in the package policy. The + override option should be used only in unusual circumstances and not + as a routine procedure. + nullable: true + type: object + properties: + inputs: + type: object + package: + type: object + properties: + name: + description: Package name + example: nginx type: string - dayOfWeek: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: dayOfWeek - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + version: + description: Package version + example: 1.6.0 + type: string + required: + - name + - version + policy_id: + deprecated: true + description: Agent policy ID where that package policy will be added + example: agent-policy-id + nullable: true + type: string + policy_ids: + description: Agent policy IDs where that package policy will be added + example: + - agent-policy-id + items: + type: string + type: array + vars: + description: >- + Package root level variable (see integration documentation for more + information) + type: object + required: + - name + - package + Fleet_package_usage_stats: + title: Package usage stats + type: object + properties: + agent_policy_count: + type: integer + required: + - agent_policy_count + Fleet_proxies: + title: Fleet Proxy + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + id: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + required: + - name + - url + Fleet_saved_object_type: + oneOf: + - enum: + - dashboard + - visualization + - search + - index_pattern + - map + - lens + - security_rule + - csp_rule_template + - ml_module + - tag + - osquery_pack_asset + - osquery_saved_query + type: string + - enum: + - index + - component_template + - ingest_pipeline + - index_template + - ilm_policy + - transform + - data_stream_ilm_policy + - ml_model + type: string + title: Saved Object type + Fleet_search_result: + title: Search result + type: object + properties: + description: + type: string + download: + type: string + icons: + type: string + installationInfo: + $ref: '#/components/schemas/Fleet_installation_info' + name: + type: string + path: + type: string + savedObject: + deprecated: true + type: object + status: + type: string + title: + type: string + type: + type: string + version: + type: string + required: + - description + - download + - icons + - name + - path + - title + - type + - version + - status + Fleet_settings: + title: Settings + type: object + properties: + fleet_server_hosts: + deprecated: true + items: + type: string + type: array + has_seen_add_data_notice: + type: boolean + id: + type: string + prerelease_integrations_enabled: + type: boolean + required: + - fleet_server_hosts + - id + Fleet_upgrade_agent: + title: Upgrade agent + type: object + properties: + force: + description: Force upgrade, skipping validation (should be used with caution) + type: boolean + skipRateLimitCheck: + description: Skip rate limit check for upgrade + type: boolean + source_uri: + type: string + version: + type: string + required: + - version + Fleet_upgrade_agent_diff: + items: + items: + $ref: '#/components/schemas/Fleet_full_agent_policy_input' + type: array + title: Package policy Upgrade dryrun + type: array + Fleet_upgrade_diff: + items: + allOf: + - $ref: '#/components/schemas/Fleet_package_policy' + - allOf: + - $ref: '#/components/schemas/Fleet_new_package_policy' + - type: object + properties: + errors: + items: + type: object + properties: + key: + type: string + message: + type: string + type: array + missingVars: + items: + type: string + type: array + type: object + title: Package policy Upgrade dryrun + type: array + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. + type: object + properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false + type: object + properties: + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + required: + - level + required: + - overall + required: + - status + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: >- + Kibana's operational status as well as a detailed breakdown of plugin + statuses indication of various loads (like event loop utilization and + network traffic) at time of request. + type: object + properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. + type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. type: number - Dest: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Dest - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. type: string - DestCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. + type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: >- + Unique, generated Kibana instance UUID. This UUID should persist + even if the Kibana process restarts. + type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. type: string - DestLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: DestLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - DestRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + build_flavor: + description: >- + The build flavour determines configuration and behavior of + Kibana. On premise users will almost always run the + "traditional" flavour, while other flavours are reserved for + Elastic-specific use cases. + enum: + - serverless + - traditional type: string - DestWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + build_hash: + description: >- + A unique hash value representing the git commit of this Kibana + build. type: string - DistanceKilometers: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceKilometers - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - DistanceMiles: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceMiles - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + build_number: + description: >- + A monotonically increasing number, each subsequent build will + have a higher number. type: number - FlightDelay: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: FlightDelay - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + build_snapshot: + description: Whether this build is a snapshot build. type: boolean - FlightDelayMin: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: FlightDelayMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelayType: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightDelayType - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightNum: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightNum - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeHour: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightTimeHour - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeMin: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: FlightTimeMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - hour_of_day: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - params: - pattern: '00' - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Origin: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Origin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + number: + description: A semantic version number. type: string - OriginCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + Machine_learning_APIs_mlSync200Response: + properties: + datafeedsAdded: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job is missing a datafeed + identifier, it is added when you run the sync machine learning saved + objects API. + type: object + datafeedsRemoved: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job references a datafeed + that no longer exists, it is deleted when you run the sync machine + learning saved objects API. + type: object + savedObjectsCreated: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + savedObjectsDeleted: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + title: Successful sync API response + type: object + Machine_learning_APIs_mlSync4xxResponse: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful sync API response + type: object + Machine_learning_APIs_mlSyncResponseAnomalyDetectors: + description: >- + The sync machine learning saved objects API response contains this + object when there are anomaly detection jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for anomaly detection jobs + type: object + Machine_learning_APIs_mlSyncResponseDatafeeds: + description: >- + The sync machine learning saved objects API response contains this + object when there are datafeeds affected by the synchronization. There + is an object for each relevant datafeed, which contains the + synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for datafeeds + type: object + Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: + description: >- + The sync machine learning saved objects API response contains this + object when there are data frame analytics jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for data frame analytics jobs + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: + description: >- + If saved objects are missing for machine learning jobs or trained + models, they are created when you run the sync machine learning saved + objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If saved objects are missing for anomaly detection jobs, they are + created. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If saved objects are missing for data frame analytics jobs, they are + created. + type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: If saved objects are missing for trained models, they are created. + type: object + title: Sync API response for created saved objects + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: + description: >- + If saved objects exist for machine learning jobs or trained models that + no longer exist, they are deleted when you run the sync machine learning + saved objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If there are saved objects exist for nonexistent anomaly detection + jobs, they are deleted. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If there are saved objects exist for nonexistent data frame + analytics jobs, they are deleted. + type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: >- + If there are saved objects exist for nonexistent trained models, + they are deleted. + type: object + title: Sync API response for deleted saved objects + type: object + Machine_learning_APIs_mlSyncResponseSuccess: + description: The success or failure of the synchronization. + type: boolean + Machine_learning_APIs_mlSyncResponseTrainedModels: + description: >- + The sync machine learning saved objects API response contains this + object when there are trained models affected by the synchronization. + There is an object for each relevant trained model, which contains the + synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for trained models + type: object + Security_AI_Assistant_API_AnonymizationFieldCreateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + field: + type: string + required: + - field + Security_AI_Assistant_API_AnonymizationFieldDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_AnonymizationFieldResponse: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + createdAt: + type: string + createdBy: + type: string + field: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + namespace: + description: Kibana space + type: string + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + updatedBy: + type: string + required: + - id + - field + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: + enum: + - ANONYMIZATION_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + required: + - id + - skip_reason + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: + type: object + properties: + anonymization_fields_count: + type: integer + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + - summary + message: + type: string + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + type: array + updated: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_AnonymizationFieldUpdateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + id: + type: string + required: + - id + Security_AI_Assistant_API_ApiConfig: + type: object + properties: + actionTypeId: + description: action type id + type: string + connectorId: + description: connector id + type: string + defaultSystemPromptId: + description: defaultSystemPromptId + type: string + model: + description: model + type: string + provider: + $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' + description: Provider + required: + - connectorId + - actionTypeId + Security_AI_Assistant_API_BulkCrudActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_AI_Assistant_API_ChatCompleteProps: + type: object + properties: + connectorId: + type: string + conversationId: + type: string + isStream: + type: boolean + langSmithApiKey: + type: string + langSmithProject: + type: string + messages: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' + type: array + model: + type: string + persist: + type: boolean + promptId: + type: string + responseLanguage: + type: string + required: + - messages + - persist + - connectorId + Security_AI_Assistant_API_ChatMessage: + description: AI assistant message. + type: object + properties: + content: + description: Message content. + type: string + data: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' + description: ECS object to attach to the context of the message. + fields_to_anonymize: + items: + type: string + type: array + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' + description: Message role. + required: + - role + Security_AI_Assistant_API_ChatMessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_ConversationCategory: + description: The conversation category. + enum: + - assistant + - insights + type: string + Security_AI_Assistant_API_ConversationConfidence: + description: The conversation confidence. + enum: + - low + - medium + - high + type: string + Security_AI_Assistant_API_ConversationCreateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + description: The conversation id. + type: string + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + title: + description: The conversation title. + type: string + required: + - title + Security_AI_Assistant_API_ConversationResponse: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + createdAt: + description: The last time conversation was updated. + type: string + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + namespace: + description: Kibana space + type: string + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + title: + description: The conversation title. + type: string + updatedAt: + description: The last time conversation was updated. + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - title + - createdAt + - users + - namespace + - category + Security_AI_Assistant_API_ConversationSummary: + type: object + properties: + confidence: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationConfidence + description: >- + How confident you are about this being a correct and useful + learning. + content: + description: Summary text of the conversation over time. + type: string + public: + description: Define if summary is marked as publicly available. + type: boolean + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp summary was updated. + Security_AI_Assistant_API_ConversationUpdateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + title: + description: The conversation title. + type: string + required: + - id + Security_AI_Assistant_API_FindAnonymizationFieldsSortField: + enum: + - created_at + - anonymized + - allowed + - field + - updated_at + type: string + Security_AI_Assistant_API_FindConversationsSortField: + enum: + - created_at + - is_default + - title + - updated_at + type: string + Security_AI_Assistant_API_FindPromptsSortField: + enum: + - created_at + - is_default + - name + - updated_at + type: string + Security_AI_Assistant_API_Message: + description: AI assistant conversation message. + type: object + properties: + content: + description: Message content. + type: string + isError: + description: Is error message. + type: boolean + reader: + $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' + description: Message content. + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' + description: Message role. + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp message was sent or received. + traceData: + $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' + description: trace Data + required: + - timestamp + - content + - role + Security_AI_Assistant_API_MessageData: + additionalProperties: true + type: object + Security_AI_Assistant_API_MessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_AI_Assistant_API_NormalizedAnonymizationFieldError: + type: object + properties: + anonymization_fields: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + type: array + err_code: + type: string + message: + type: string + status_code: + type: integer + required: + - message + - status_code + - anonymization_fields + Security_AI_Assistant_API_NormalizedPromptError: + type: object + properties: + err_code: + type: string + message: + type: string + prompts: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + type: array + status_code: + type: integer + required: + - message + - status_code + - prompts + Security_AI_Assistant_API_PromptCreateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + required: + - name + - content + - promptType + Security_AI_Assistant_API_PromptDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_PromptResponse: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + createdAt: + type: string + createdBy: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + namespace: + description: Kibana space + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + updatedBy: + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - name + - promptType + - content + Security_AI_Assistant_API_PromptsBulkActionSkipReason: + enum: + - PROMPT_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_PromptsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason + required: + - id + - skip_reason + Security_AI_Assistant_API_PromptsBulkCrudActionResponse: + type: object + properties: + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + - summary + message: + type: string + prompts_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_PromptsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + type: array + updated: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_PromptType: + description: Prompt type + enum: + - system + - quick + type: string + Security_AI_Assistant_API_PromptUpdateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + id: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + required: + - id + Security_AI_Assistant_API_Provider: + description: Provider + enum: + - OpenAI + - Azure OpenAI + type: string + Security_AI_Assistant_API_Reader: + additionalProperties: true + type: object + Security_AI_Assistant_API_Replacements: + additionalProperties: + type: string + description: Replacements object used to anonymize/deanomymize messsages + type: object + Security_AI_Assistant_API_SortOrder: + enum: + - asc + - desc + type: string + Security_AI_Assistant_API_TraceData: + description: trace Data + type: object + properties: + traceId: + description: Could be any string, not necessarily a UUID + type: string + transactionId: + description: Could be any string, not necessarily a UUID + type: string + Security_AI_Assistant_API_User: + description: Could be any string, not necessarily a UUID + type: object + properties: + id: + description: User id + type: string + name: + description: User name + type: string + Security_Detections_API_AlertAssignees: + type: object + properties: + add: + description: A list of users ids to assign. + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + type: array + remove: + description: A list of users ids to unassign. + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + type: array + required: + - add + - remove + Security_Detections_API_AlertIds: + description: A list of alerts ids. + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + minItems: 1 + type: array + Security_Detections_API_AlertsIndex: + deprecated: true + description: (deprecated) Has no effect. + type: string + Security_Detections_API_AlertsIndexNamespace: + description: Has no effect. + type: string + Security_Detections_API_AlertsSort: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' + - items: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsSortCombinations + type: array + Security_Detections_API_AlertsSortCombinations: + anyOf: + - type: string + - additionalProperties: true + type: object + Security_Detections_API_AlertStatus: + enum: + - open + - closed + - acknowledged + - in-progress + type: string + Security_Detections_API_AlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionDuration + group_by: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' + missing_fields_strategy: + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy + required: + - group_by + Security_Detections_API_AlertSuppressionDuration: + type: object + properties: + unit: + enum: + - s + - m + - h + type: string + value: + minimum: 1 + type: integer + required: + - value + - unit + Security_Detections_API_AlertSuppressionGroupBy: + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Detections_API_AlertSuppressionMissingFieldsStrategy: + description: >- + Describes how alerts will be generated for documents with missing + suppress by fields: + + doNotSuppress - per each document a separate alert will be created + + suppress - only alert will be created per suppress by bucket + enum: + - doNotSuppress + - suppress + type: string + Security_Detections_API_AlertTag: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + Security_Detections_API_AlertTags: + items: + $ref: '#/components/schemas/Security_Detections_API_AlertTag' + type: array + Security_Detections_API_AnomalyThreshold: + description: Anomaly threshold + minimum: 0 + type: integer + Security_Detections_API_BuildingBlockType: + description: >- + Determines if the rule acts as a building block. By default, + building-block alerts are not displayed in the UI. These rules are used + as a foundation for other rules that do generate alerts. Its value must + be default. + type: string + Security_Detections_API_BulkActionEditPayload: + anyOf: + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule + Security_Detections_API_BulkActionEditPayloadIndexPatterns: + type: object + properties: + overwrite_data_views: + type: boolean + type: + enum: + - add_index_patterns + - delete_index_patterns + - set_index_patterns + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadInvestigationFields: + type: object + properties: + type: + enum: + - add_investigation_fields + - delete_investigation_fields + - set_investigation_fields + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadRuleActions: + type: object + properties: + type: + enum: + - add_rule_actions + - set_rule_actions + type: string + value: + type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Detections_API_NormalizedRuleAction + type: array + throttle: + $ref: >- + #/components/schemas/Security_Detections_API_ThrottleForBulkActions + required: + - actions + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadSchedule: + type: object + properties: + type: + enum: + - set_schedule + type: string + value: + type: object + properties: + interval: + description: >- + Interval in which the rule runs. For example, `"1h"` means the + rule runs every hour. + example: 1h + pattern: ^[1-9]\d*[smh]$ type: string - OriginCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + lookback: + description: Lookback time for the rule + example: 1h + pattern: ^[1-9]\d*[smh]$ type: string - OriginLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: OriginLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - OriginRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - interval + - lookback + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadTags: + type: object + properties: + type: + enum: + - add_tags + - delete_tags + - set_tags + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadTimeline: + type: object + properties: + type: + enum: + - set_timeline + type: string + value: + type: object + properties: + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + required: + - timeline_id + - timeline_title + required: + - type + - value + Security_Detections_API_BulkActionsDryRunErrCode: + enum: + - IMMUTABLE + - MACHINE_LEARNING_AUTH + - MACHINE_LEARNING_INDEX_PATTERN + - ESQL_INDEX_PATTERN + - MANUAL_RULE_RUN_FEATURE + - MANUAL_RULE_RUN_DISABLED_RULE + type: string + Security_Detections_API_BulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' + required: + - id + - skip_reason + Security_Detections_API_BulkDeleteRules: + type: object + properties: + action: + enum: + - delete + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Detections_API_BulkDisableRules: + type: object + properties: + action: + enum: + - disable + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Detections_API_BulkDuplicateRules: + type: object + properties: + action: + enum: + - duplicate + type: string + duplicate: + type: object + properties: + include_exceptions: + description: Whether to copy exceptions from the original rule + type: boolean + include_expired_exceptions: + description: Whether to copy expired exceptions from the original rule + type: boolean + required: + - include_exceptions + - include_expired_exceptions + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Detections_API_BulkEditActionResponse: + type: object + properties: + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Detections_API_NormalizedRuleError + type: array + results: + $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionResults + summary: + $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionSummary + required: + - results + - summary + message: + type: string + rules_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_Detections_API_BulkEditActionResults: + type: object + properties: + created: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + deleted: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + skipped: + items: + $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult' + type: array + updated: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_Detections_API_BulkEditActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_Detections_API_BulkEditRules: + type: object + properties: + action: + enum: + - edit + type: string + edit: + description: Array of objects containing the edit operations + items: + $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload' + minItems: 1 + type: array + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + - edit + Security_Detections_API_BulkEditSkipReason: + enum: + - RULE_NOT_MODIFIED + type: string + Security_Detections_API_BulkEnableRules: + type: object + properties: + action: + enum: + - enable + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Detections_API_BulkExportActionResponse: + type: string + Security_Detections_API_BulkExportRules: + type: object + properties: + action: + enum: + - export + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Detections_API_BulkManualRuleRun: + type: object + properties: + action: + enum: + - run + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + run: + type: object + properties: + end_date: + description: End date of the manual rule run type: string - OriginWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + start_date: + description: Start date of the manual rule run type: string - timestamp: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: timestamp - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - runtimeFieldMap: - hour_of_day: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - sourceFilters: [] - timeFieldName: timestamp - title: kibana_sample_data_flights - version: WzM2LDJd - fields: - - aggregatable: true - count: 0 - esTypes: - - long - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Data_views_preview_swap_data_view_request: - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Data_views_set_default_data_view_request: - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_swap_data_view_request: - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. - value: - delete: true - fromId: abcd-efg - toId: xyz-123 - Data_views_update_data_view_request: - summary: Update some properties for a data view. - value: - data_view: - allowNoIndex: false - name: Kibana Sample Data eCommerce - timeFieldName: order_date - title: kibana_sample_data_ecommerce - refresh_fields: true - Data_views_update_field_metadata_request: - summary: Update metadata for multiple fields. - value: - fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customDescription: Field 2 description - customLabel: Field 2 label - Data_views_update_runtime_field_request: - summary: Update an existing runtime field on a data view. - value: - runtimeField: - script: - source: emit(doc["bar"].value) - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. - value: - datafeedsAdded: {} - datafeedsRemoved: {} - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - Serverless_saved_objects_export_objects_request: - summary: Export a specific saved object. - value: - excludeExportDetails: true - includeReferencesDeep: false - objects: - - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - type: map - Serverless_saved_objects_export_objects_response: - summary: >- - The export objects API response contains a JSON record for each exported - object. - value: - attributes: - description: '' - layerListJSON: >- - [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total - Requests by - Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web - logs - count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual - Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total - Requests and - Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web - logs - count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] - mapStateJSON: >- - {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} - title: '[Logs] Total Requests and Bytes' - uiStateJSON: '{"isDarkMode":false}' - coreMigrationVersion: 8.8.0 - created_at: '2023-08-23T20:03:32.204Z' - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - managed: false - references: - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_1_join_0_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_2_source_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_3_source_index_pattern - type: index-pattern - type: map - typeMigrationVersion: 8.4.0 - updated_at: '2023-08-23T20:03:32.204Z' - version: WzEzLDFd - Serverless_saved_objects_import_objects_request: - value: - file: file.ndjson - Serverless_saved_objects_import_objects_response: - summary: >- - The import objects API response indicates a successful import and the - objects are created. Since these objects are created as new copies, each - entry in the successResults array includes a destinationId attribute. - value: - success: true - successCount: 1 - successResults: - - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - managed: false + required: + - start_date + required: + - action + - run + Security_Detections_API_ConcurrentSearches: + minimum: 1 + type: integer + Security_Detections_API_DataViewId: + type: string + Security_Detections_API_DefaultParams: + type: object + properties: + command: + enum: + - isolate + type: string + comment: + type: string + required: + - command + Security_Detections_API_EcsMapping: + additionalProperties: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + type: object + Security_Detections_API_EndpointResponseAction: + type: object + properties: + action_type_id: + enum: + - .endpoint + type: string + params: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_DefaultParams' + - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams' + required: + - action_type_id + - params + Security_Detections_API_EqlOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + event_category_override: + $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + tiebreaker_field: + $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' + timestamp_field: + $ref: '#/components/schemas/Security_Detections_API_TimestampField' + Security_Detections_API_EqlQueryLanguage: + enum: + - eql + type: string + Security_Detections_API_EqlRequiredFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' + description: Query language to use + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql + type: string + required: + - type + - query + - language + Security_Detections_API_EqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields' + Security_Detections_API_EqlRuleCreateFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' + Security_Detections_API_EqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: - icon: indexPatternApp - title: Kibana Sample Data Logs - type: index-pattern - parameters: - Data_views_field_name: - description: The name of the runtime field. - in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. - in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Fleet_format: - description: Simplified or legacy format for package inputs - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - Fleet_kbn_xsrf: - description: Kibana's anti Cross-Site Request Forgery token. Can be any string value. - in: header - name: kbn-xsrf - required: true - schema: - type: string - Fleet_kuery: - in: query - name: kuery - required: false - schema: - type: string - Fleet_page_index: - in: query - name: page - required: false - schema: - default: 1 - type: integer - Fleet_page_size: - description: The number of items to return - in: query - name: perPage - required: false - schema: - default: 20 - type: integer - Fleet_show_inactive: - in: query - name: showInactive - required: false - schema: - type: boolean - Fleet_show_upgradeable: - in: query - name: showUpgradeable - required: false - schema: - type: boolean - Fleet_sort_field: - in: query - name: sortField - required: false - schema: - deprecated: true - type: string - Fleet_sort_order: - in: query - name: sortOrder - required: false - schema: - enum: - - asc - - desc - type: string - Fleet_with_metrics: - description: Return agent metrics, false by default - in: query - name: withMetrics - required: false - schema: - type: boolean - Machine_learning_APIs_simulateParam: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' + Security_Detections_API_EqlRulePatchFields: + allOf: + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' + description: Query language to use + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql + type: string + - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' + Security_Detections_API_EqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields' + Security_Detections_API_EqlRuleResponseFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' + Security_Detections_API_EqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' + Security_Detections_API_ErrorSchema: + additionalProperties: false + type: object + properties: + error: + type: object + properties: + message: + type: string + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + id: + type: string + item_id: + minLength: 1 + type: string + list_id: + minLength: 1 + type: string + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + required: + - error + Security_Detections_API_EsqlQueryLanguage: + enum: + - esql + type: string + Security_Detections_API_EsqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields' + Security_Detections_API_EsqlRuleCreateFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' + Security_Detections_API_EsqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' + Security_Detections_API_EsqlRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + Security_Detections_API_EsqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + language: + $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + description: ESQL query to execute + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + type: + description: Rule type + enum: + - esql + type: string + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + Security_Detections_API_EsqlRuleRequiredFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + description: ESQL query to execute + type: + description: Rule type + enum: + - esql + type: string + required: + - type + - language + - query + Security_Detections_API_EsqlRuleResponseFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' + Security_Detections_API_EsqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' + Security_Detections_API_EventCategoryOverride: + type: string + Security_Detections_API_ExceptionListType: + description: The exception type + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Detections_API_ExternalRuleSource: description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - Serverless_saved_objects_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 + Type of rule source for externally sourced rules, i.e. rules that have + an external source, such as the Elastic Prebuilt rules repo. + type: object + properties: + is_customized: + $ref: >- + #/components/schemas/Security_Detections_API_IsExternalRuleCustomized + type: + enum: + - external + type: string + required: + - type + - is_customized + Security_Detections_API_FindRulesSortField: + enum: + - created_at + - createdAt + - enabled + - execution_summary.last_execution.date + - execution_summary.last_execution.metrics.execution_gap_duration_s + - execution_summary.last_execution.metrics.total_indexing_duration_ms + - execution_summary.last_execution.metrics.total_search_duration_ms + - execution_summary.last_execution.status + - name + - risk_score + - riskScore + - severity + - updated_at + - updatedAt + type: string + Security_Detections_API_HistoryWindowStart: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + Security_Detections_API_IndexPatternArray: + items: type: string - SLOs_space_id: + type: array + Security_Detections_API_InternalRuleSource: description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - in: path - name: spaceId - required: true - schema: - example: default + Type of rule source for internally sourced rules, i.e. created within + the Kibana apps. + type: object + properties: + type: + enum: + - internal + type: string + required: + - type + Security_Detections_API_InvestigationFields: + description: > + Schema for fields relating to investigation fields. These are user + defined fields we use to highlight + + in various features in the UI such as alert details flyout and + exceptions auto-population from alert. + + Added in PR #163235 + + Right now we only have a single field but anticipate adding more related + fields to store various + + configuration states such as `override` - where a user might say if they + want only these fields to + + display, or if they want these fields + the fields we select. When + expanding this field, it may look + + something like: + + ```typescript + + const investigationFields = z.object({ + field_names: NonEmptyArray(NonEmptyString), + override: z.boolean().optional(), + }); + + ``` + type: object + properties: + field_names: + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + minItems: 1 + type: array + required: + - field_names + Security_Detections_API_InvestigationGuide: + description: Notes to help investigate alerts produced by the rule. + type: string + Security_Detections_API_IsExternalRuleCustomized: + description: >- + Determines whether an external/prebuilt rule has been customized by the + user (i.e. any of its fields have been modified and diverged from the + base value). + type: boolean + Security_Detections_API_IsRuleEnabled: + description: Determines whether the rule is enabled. + type: boolean + Security_Detections_API_IsRuleImmutable: + deprecated: true + description: >- + This field determines whether the rule is a prebuilt Elastic rule. It + will be replaced with the `rule_source` field. + type: boolean + Security_Detections_API_ItemsPerSearch: + minimum: 1 + type: integer + Security_Detections_API_KqlQueryLanguage: + enum: + - kuery + - lucene + type: string + Security_Detections_API_MachineLearningJobId: + description: Machine learning job ID + oneOf: + - type: string + - items: + type: string + minItems: 1 + type: array + Security_Detections_API_MachineLearningRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields + Security_Detections_API_MachineLearningRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + Security_Detections_API_MachineLearningRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + Security_Detections_API_MachineLearningRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + Security_Detections_API_MachineLearningRulePatchFields: + allOf: + - type: object + properties: + anomaly_threshold: + $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningJobId + type: + description: Rule type + enum: + - machine_learning + type: string + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + Security_Detections_API_MachineLearningRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields + Security_Detections_API_MachineLearningRuleRequiredFields: + type: object + properties: + anomaly_threshold: + $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' + machine_learning_job_id: + $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' + type: + description: Rule type + enum: + - machine_learning + type: string + required: + - type + - machine_learning_job_id + - anomaly_threshold + Security_Detections_API_MachineLearningRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + Security_Detections_API_MachineLearningRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + Security_Detections_API_MaxSignals: + minimum: 1 + type: integer + Security_Detections_API_NewTermsFields: + items: type: string - responses: - Fleet_error: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - schemas: - Data_views_400_response: - title: Bad request + maxItems: 3 + minItems: 1 + type: array + Security_Detections_API_NewTermsRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields + Security_Detections_API_NewTermsRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + Security_Detections_API_NewTermsRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + Security_Detections_API_NewTermsRuleDefaultableFields: type: object properties: - error: - example: Bad Request + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_NewTermsRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + Security_Detections_API_NewTermsRulePatchFields: + allOf: + - type: object + properties: + history_window_start: + $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' + new_terms_fields: + $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms + type: string + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + Security_Detections_API_NewTermsRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields' + Security_Detections_API_NewTermsRuleRequiredFields: + type: object + properties: + history_window_start: + $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' + new_terms_fields: + $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms type: string + required: + - type + - query + - new_terms_fields + - history_window_start + Security_Detections_API_NewTermsRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + required: + - language + Security_Detections_API_NewTermsRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + Security_Detections_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Detections_API_NormalizedRuleAction: + additionalProperties: false + type: object + properties: + alerts_filter: + $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' + frequency: + $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' + group: + $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleActionId' + params: + $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' + required: + - id + - params + Security_Detections_API_NormalizedRuleError: + type: object + properties: + err_code: + $ref: >- + #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode message: type: string - statusCode: - example: 400 - type: number + rules: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError' + type: array + status_code: + type: integer required: - - statusCode - - error - message - Data_views_404_response: + - status_code + - rules + Security_Detections_API_OsqueryParams: type: object properties: - error: + ecs_mapping: + $ref: '#/components/schemas/Security_Detections_API_EcsMapping' + pack_id: + type: string + queries: + items: + $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' + type: array + query: + type: string + saved_query_id: + type: string + timeout: + type: number + Security_Detections_API_OsqueryQuery: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Detections_API_EcsMapping' + id: + description: Query ID + type: string + platform: + type: string + query: + description: Query to run + type: string + removed: + type: boolean + snapshot: + type: boolean + version: + description: Query version + type: string + required: + - id + - query + Security_Detections_API_OsqueryResponseAction: + type: object + properties: + action_type_id: enum: - - Not Found - example: Not Found + - .osquery + type: string + params: + $ref: '#/components/schemas/Security_Detections_API_OsqueryParams' + required: + - action_type_id + - params + Security_Detections_API_PlatformErrorResponse: + type: object + properties: + error: type: string message: - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found type: string statusCode: - enum: - - 404 - example: 404 type: integer - Data_views_allownoindex: - description: Allows the data view saved object to exist before the data is available. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request + required: + - statusCode + - error + - message + Security_Detections_API_ProcessesParams: type: object properties: - data_view: - description: The data view object. + command: + enum: + - kill-process + - suspend-process + type: string + comment: + type: string + config: type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: + field: + description: Field to use instead of process.pid type: string + overwrite: + default: true + description: Whether to overwrite field with process.pid + type: boolean required: - - title - override: - default: false - description: >- - Override an existing data view if a data view with the provided - title already exists. - type: boolean + - field required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: - type: object + - command + - config + Security_Detections_API_QueryRule: + allOf: + - type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields' + Security_Detections_API_QueryRuleCreateFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + Security_Detections_API_QueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: - example: WzQ2LDJd - type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' + Security_Detections_API_QueryRuleDefaultableFields: type: object properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. - maxLength: 300 - type: string - customLabel: - description: Custom label for the field. - type: string - Data_views_fieldformats: - description: A map of field formats by field name. - type: object - Data_views_namespaces: - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + Security_Detections_API_QueryRuleOptionalFields: type: object properties: - script: - type: object + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + Security_Detections_API_QueryRulePatchFields: + allOf: + - type: object properties: - source: - description: Script for the runtime field. + type: + description: Rule type + enum: + - query type: string + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + Security_Detections_API_QueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields' + Security_Detections_API_QueryRuleRequiredFields: + type: object + properties: type: - description: Mapping type of the runtime field. + description: Rule type + enum: + - query type: string required: - - script - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. - items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request + Security_Detections_API_QueryRuleResponseFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + required: + - query + - language + Security_Detections_API_QueryRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' + Security_Detections_API_RelatedIntegration: + description: > + Related integration is a potential dependency of a rule. It's assumed + that if the user installs + + one of the related integrations of a rule, the rule might start to work + properly because it will + + have source events (generated by this integration) potentially matching + the rule's query. + + + NOTE: Proper work is not guaranteed, because a related integration, if + installed, can be + + configured differently or generate data that is not necessarily relevant + for this rule. + + + Related integration is a combination of a Fleet package and (optionally) + one of the + + package's "integrations" that this package contains. It is represented + by 3 properties: + + + - `package`: name of the package (required, unique id) + + - `version`: version of the package (required, semver-compatible) + + - `integration`: name of the integration of this package (optional, id + within the package) + + + There are Fleet packages like `windows` that contain only one + integration; in this case, + + `integration` should be unspecified. There are also packages like `aws` + and `azure` that contain + + several integrations; in this case, `integration` should be specified. + + + @example + + const x: RelatedIntegration = { + package: 'windows', + version: '1.5.x', + }; + + + @example + + const x: RelatedIntegration = { + package: 'azure', + version: '~1.1.6', + integration: 'activitylogs', + }; type: object properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. - oneOf: - - type: string - - items: - type: string - type: array - forType: - description: Limit the affected saved objects by type. - type: string - fromId: - description: The saved object reference to change. - type: string - fromType: - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. - type: string - toId: - description: New saved object reference value to replace the old value. - type: string + integration: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + package: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + version: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' required: - - fromId - - toId - Data_views_timefieldname: - description: The timestamp field name, which you use for time-based data views. - type: string - Data_views_title: - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). - type: string - Data_views_type: - description: When set to `rollup`, identifies the rollup data views. - type: string - Data_views_typemeta: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. + - package + - version + Security_Detections_API_RelatedIntegrationArray: + items: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' + type: array + Security_Detections_API_RequiredField: + description: > + Describes an Elasticsearch field that is needed for the rule to + function. + + + Almost all types of Security rules check source event documents for a + match to some kind of + + query or filter. If a document has certain field with certain values, + then it's a match and + + the rule will generate an alert. + + + Required field is an event field that must be present in the source + indices of a given rule. + + + @example + + const standardEcsField: RequiredField = { + name: 'event.action', + type: 'keyword', + ecs: true, + }; + + + @example + + const nonEcsField: RequiredField = { + name: 'winlog.event_data.AttributeLDAPDisplayName', + type: 'keyword', + ecs: false, + }; type: object properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object + ecs: + description: Whether the field is an ECS field + type: boolean + name: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: Type of the Elasticsearch field required: - - aggs - - params - Data_views_typemeta_response: + - name + - type + - ecs + Security_Detections_API_RequiredFieldArray: + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredField' + type: array + Security_Detections_API_RequiredFieldInput: description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - Data_views_update_data_view_request_object: - title: Update data view request + Input parameters to create a RequiredField. Does not include the `ecs` + field, because `ecs` is calculated on the backend based on the field + name and type. type: object properties: - data_view: - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - name: - type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - default: false - description: Reloads the data view fields after the data view is updated. - type: boolean + name: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: Type of an Elasticsearch field required: - - data_view - Fleet_agent: - title: Agent + - name + - type + Security_Detections_API_ResponseAction: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' + - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction' + Security_Detections_API_ResponseFields: type: object properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - components: - items: - $ref: '#/components/schemas/Fleet_agent_component' - type: array - default_api_key: - type: string - default_api_key_id: + created_at: + format: date-time type: string - enrolled_at: + created_by: type: string + execution_summary: + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + immutable: + $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' + required_fields: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray' + revision: + minimum: 0 + type: integer + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_source: + $ref: '#/components/schemas/Security_Detections_API_RuleSource' + updated_at: + format: date-time type: string - last_checkin: - type: string - local_metadata: - $ref: '#/components/schemas/Fleet_agent_metadata' - metrics: - type: object - properties: - cpu_avg: - description: >- - Average agent CPU usage during the last 5 minutes, number - between 0-1 - type: number - memory_size_byte_avg: - description: Average agent memory consumption during the last 5 minutes - type: number - policy_id: - type: string - policy_revision: - type: number - status: - $ref: '#/components/schemas/Fleet_agent_status' - type: - $ref: '#/components/schemas/Fleet_agent_type' - unenrolled_at: - type: string - unenrollment_started_at: + updated_by: type: string - user_provided_metadata: - $ref: '#/components/schemas/Fleet_agent_metadata' required: - - type - - active - - enrolled_at - id - - status - Fleet_agent_action: - oneOf: - - properties: - ack_data: - type: string - data: - type: string - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - - properties: - data: - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - type: - type: string - title: Agent action - Fleet_agent_component: - title: Agent component + - rule_id + - immutable + - updated_at + - updated_by + - created_at + - created_by + - revision + - related_integrations + - required_fields + Security_Detections_API_RiskScore: + description: Risk score (0 to 100) + maximum: 100 + minimum: 0 + type: integer + Security_Detections_API_RiskScoreMapping: + description: >- + Overrides generated alerts' risk_score with a value from the source + event + items: + type: object + properties: + field: + type: string + operator: + enum: + - equals + type: string + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + value: + type: string + required: + - field + - operator + - value + type: array + Security_Detections_API_RuleAction: type: object properties: - id: - type: string - message: - type: string - status: - $ref: '#/components/schemas/Fleet_agent_component_status' - type: + action_type_id: + description: The action type used for sending notifications. type: string - units: - items: - $ref: '#/components/schemas/Fleet_agent_component_unit' - type: array - Fleet_agent_component_status: + alerts_filter: + $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' + frequency: + $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' + group: + $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleActionId' + params: + $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' + uuid: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - action_type_id + - id + - params + Security_Detections_API_RuleActionAlertsFilter: + additionalProperties: true + type: object + Security_Detections_API_RuleActionFrequency: + description: >- + The action frequency defines when the action runs (for example, only on + rule execution or at specific time intervals). + type: object + properties: + notifyWhen: + $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' + summary: + description: >- + Action summary indicates whether we will send a summary notification + about all the generate alerts or notification per individual alert + type: boolean + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + nullable: true + required: + - summary + - notifyWhen + - throttle + Security_Detections_API_RuleActionGroup: + description: >- + Optionally groups actions by use cases. Use `default` for alert + notifications. + type: string + Security_Detections_API_RuleActionId: + description: The connector ID. + type: string + Security_Detections_API_RuleActionNotifyWhen: + description: >- + The condition for throttling the notification: `onActionGroupChange`, + `onActiveAlert`, or `onThrottleInterval` enum: - - starting - - configuring - - healthy - - degraded - - failed - - stopping - - stopped - title: Agent component status + - onActiveAlert + - onThrottleInterval + - onActionGroupChange type: string - Fleet_agent_component_unit: - title: Agent component unit + Security_Detections_API_RuleActionParams: + additionalProperties: true + description: >- + Object containing the allowed connector fields, which varies according + to the connector type. type: object - properties: - id: + Security_Detections_API_RuleActionThrottle: + description: Defines how often rule actions are taken. + oneOf: + - enum: + - no_actions + - rule type: string - message: + - description: Time interval in seconds, minutes, hours, or days. + example: 1h + pattern: ^[1-9]\d*[smhd]$ type: string - payload: - type: object - status: - $ref: '#/components/schemas/Fleet_agent_component_status' - type: - $ref: '#/components/schemas/Fleet_agent_component_unit_type' - Fleet_agent_component_unit_type: - enum: - - input - - output - title: Agent component unit type + Security_Detections_API_RuleAuthorArray: + items: + type: string + type: array + Security_Detections_API_RuleCreateProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + discriminator: + propertyName: type + Security_Detections_API_RuleDescription: + minLength: 1 type: string - Fleet_agent_diagnostics: - title: Agent diagnostics + Security_Detections_API_RuleDetailsInError: type: object properties: - actionId: - type: string - createTime: - type: string - filePath: - type: string id: type: string name: type: string - status: + required: + - id + Security_Detections_API_RuleExceptionList: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: ID of the exception container + list_id: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: List ID of the exception container + namespace_type: + description: Determines the exceptions validity in rule's Kibana space enum: - - READY - - AWAITING_UPLOAD - - DELETED - - IN_PROGRESS + - agnostic + - single + type: string + type: + $ref: '#/components/schemas/Security_Detections_API_ExceptionListType' required: - id - - name - - createTime - - filePath - - actionId - - status - Fleet_agent_get_by_actions: + - list_id + - type + - namespace_type + Security_Detections_API_RuleExecutionMetrics: + type: object + properties: + execution_gap_duration_s: + description: Duration in seconds of execution gap + minimum: 0 + type: integer + total_enrichment_duration_ms: + description: >- + Total time spent enriching documents during current rule execution + cycle + minimum: 0 + type: integer + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during current rule execution + cycle + minimum: 0 + type: integer + total_search_duration_ms: + description: >- + Total time spent performing ES searches as measured by Kibana; + includes network latency and time spent serializing/deserializing + request/response + minimum: 0 + type: integer + Security_Detections_API_RuleExecutionStatus: + description: >- + Custom execution status of Security rules that is different from the + status used in the Alerting Framework. We merge our custom status with + the Framework's status to determine the resulting status of a rule. + + - going to run - @deprecated Replaced by the 'running' status but left + for backwards compatibility with rule execution events already written + to Event Log in the prior versions of Kibana. Don't use when writing + rule status changes. + + - running - Rule execution started but not reached any intermediate or + final status. + + - partial failure - Rule can partially fail for various reasons either + in the middle of an execution (in this case we update its status right + away) or in the end of it. So currently this status can be both + intermediate and final at the same time. A typical reason for a partial + failure: not all the indices that the rule searches over actually exist. + + - failed - Rule failed to execute due to unhandled exception or a reason + defined in the business logic of its executor function. + + - succeeded - Rule executed successfully without any issues. Note: this + status is just an indication of a rule's "health". The rule might or + might not generate any alerts despite of it. + enum: + - going to run + - running + - partial failure + - failed + - succeeded + type: string + Security_Detections_API_RuleExecutionStatusOrder: + type: integer + Security_Detections_API_RuleExecutionSummary: + type: object + properties: + last_execution: + type: object + properties: + date: + description: Date of the last execution + format: date-time + type: string + message: + type: string + metrics: + $ref: >- + #/components/schemas/Security_Detections_API_RuleExecutionMetrics + status: + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' + description: Status of the last execution + status_order: + $ref: >- + #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder + required: + - date + - status + - status_order + - message + - metrics + required: + - last_execution + Security_Detections_API_RuleFalsePositiveArray: items: - items: - type: string - type: array - title: Agents get by action ids + type: string type: array - Fleet_agent_metadata: - title: Agent metadata + Security_Detections_API_RuleFilterArray: + items: {} + type: array + Security_Detections_API_RuleInterval: + description: >- + Frequency of rule execution, using a date math range. For example, "1h" + means the rule runs every hour. Defaults to 5m (5 minutes). + type: string + Security_Detections_API_RuleIntervalFrom: + description: >- + Time from which data is analyzed each time the rule runs, using a date + math range. For example, now-4200s means the rule analyzes data from 70 + minutes before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). + format: date-math + type: string + Security_Detections_API_RuleIntervalTo: + type: string + Security_Detections_API_RuleLicense: + description: The rule's license. + type: string + Security_Detections_API_RuleMetadata: + additionalProperties: true type: object - Fleet_agent_policy: - title: Agent Policy + Security_Detections_API_RuleName: + minLength: 1 + type: string + Security_Detections_API_RuleNameOverride: + description: Sets the source field for the alert's signal.rule.name value + type: string + Security_Detections_API_RuleObjectId: + $ref: '#/components/schemas/Security_Detections_API_UUID' + Security_Detections_API_RulePatchProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' + Security_Detections_API_RulePreviewLoggedRequest: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + duration: + type: integer + request: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - request + Security_Detections_API_RulePreviewLogs: type: object properties: - advanced_settings: - description: >- - Advanced settings stored in the agent policy, e.g. - agent_limits_go_max_procs - nullable: true - type: object - agent_features: + duration: + description: Execution duration in milliseconds + type: integer + errors: items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' type: array - agents: - type: number - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - global_data_tags: + requests: items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object + $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest type: array - id: - type: string - inactivity_timeout: - type: integer - is_protected: - description: >- - Indicates whether the agent policy has tamper protection enabled. - Default false. - type: boolean - keep_monitoring_alive: - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled - nullable: true - type: boolean - monitoring_diagnostics: - type: object - properties: - limit: - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: + startedAt: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + warnings: items: - enum: - - metrics - - logs - type: string + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' type: array - monitoring_http: - type: object + required: + - errors + - warnings + - duration + Security_Detections_API_RulePreviewParams: + type: object + properties: + invocationCount: + type: integer + timeframeEnd: + format: date-time + type: string + required: + - invocationCount + - timeframeEnd + Security_Detections_API_RuleQuery: + type: string + Security_Detections_API_RuleReferenceArray: + items: + type: string + type: array + Security_Detections_API_RuleResponse: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRule' + - $ref: '#/components/schemas/Security_Detections_API_QueryRule' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRule' + discriminator: + propertyName: type + Security_Detections_API_RuleSignatureId: + description: Could be any string, not necessarily a UUID + type: string + Security_Detections_API_RuleSource: + description: >- + Discriminated union that determines whether the rule is internally + sourced (created within the Kibana app) or has an external source, such + as the Elastic Prebuilt rules repo. + discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' + - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' + Security_Detections_API_RuleTagArray: + description: >- + String array containing words and phrases to help categorize, filter, + and search rules. Defaults to an empty array. + items: + type: string + type: array + Security_Detections_API_RuleUpdateProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' + discriminator: + propertyName: type + Security_Detections_API_RuleVersion: + description: The rule's version number. + minimum: 1 + type: integer + Security_Detections_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Detections_API_SavedObjectResolveAliasTargetId: + type: string + Security_Detections_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Detections_API_SavedQueryId: + type: string + Security_Detections_API_SavedQueryRule: + allOf: + - type: object properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: - type: boolean - host: - type: string - port: - type: number + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: + - name + - description + - risk_score + - severity + - version + - tags - enabled - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - type: string - namespace: - type: string - overrides: - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_policies: - description: >- - This field is present only when retrieving a single agent policy, or - when retrieving a list of agent policies with the ?full=true - parameter + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields + Security_Detections_API_SavedQueryRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + Security_Detections_API_SavedQueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + Security_Detections_API_SavedQueryRuleDefaultableFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_SavedQueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + response_actions: items: - $ref: '#/components/schemas/Fleet_package_policy' + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array - revision: - type: number - supports_agentless: - description: >- - Indicates whether the agent policy supports agentless integrations. - Only allowed in a serverless environment. - type: boolean - unenroll_timeout: - type: integer - unprivileged_agents: - type: number - updated_by: - type: string - updated_on: - format: date-time + Security_Detections_API_SavedQueryRulePatchFields: + allOf: + - type: object + properties: + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + type: + description: Rule type + enum: + - saved_query + type: string + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + Security_Detections_API_SavedQueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields + Security_Detections_API_SavedQueryRuleRequiredFields: + type: object + properties: + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + type: + description: Rule type + enum: + - saved_query type: string required: - - id - - status - - name - - namespace - Fleet_agent_policy_create_request: - title: Create agent policy request + - type + - saved_id + Security_Detections_API_SavedQueryRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + required: + - language + Security_Detections_API_SavedQueryRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + Security_Detections_API_SetAlertsStatusByIds: type: object properties: - agent_features: - items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - type: array - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - description: Force agent policy creation even if packages are not verified. - type: boolean - global_data_tags: + signal_ids: items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + minItems: 1 type: array - id: + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatus' + required: + - signal_ids + - status + Security_Detections_API_SetAlertsStatusByQuery: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed type: string - inactivity_timeout: - type: integer - is_protected: - type: boolean - monitoring_enabled: - items: + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatus' + required: + - query + - status + Security_Detections_API_SetAlertTags: + type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + tags_to_remove: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Detections_API_SetupGuide: + type: string + Security_Detections_API_Severity: + description: Severity of the rule + enum: + - low + - medium + - high + - critical + type: string + Security_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + type: string + operator: enum: - - metrics - - logs + - equals type: string - type: array - monitoring_output_id: - nullable: true - type: string - name: - type: string - namespace: + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Detections_API_SiemErrorResponse: + type: object + properties: + message: type: string - unenroll_timeout: + status_code: type: integer required: - - name - - namespace - Fleet_agent_policy_full: - oneOf: + - status_code + - message + Security_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Detections_API_Threat: + type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' + type: array + required: + - framework + - tactic + Security_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Detections_API_Threat' + type: array + Security_Detections_API_ThreatFilters: + items: + description: >- + Query and filter context array used to filter documents from the + Elasticsearch index containing the threat values + type: array + Security_Detections_API_ThreatIndex: + items: + type: string + type: array + Security_Detections_API_ThreatIndicatorPath: + description: >- + Defines the path to the threat indicator in the indicator documents + (optional) + type: string + Security_Detections_API_ThreatMapping: + items: + type: object + properties: + entries: + items: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + type: + enum: + - mapping + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - field + - type + - value + type: array + required: + - entries + minItems: 1 + type: array + Security_Detections_API_ThreatMatchRule: + allOf: - type: object properties: - item: - type: string + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields + Security_Detections_API_ThreatMatchRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + Security_Detections_API_ThreatMatchRuleCreateProps: + allOf: - type: object properties: - item: - $ref: '#/components/schemas/Fleet_full_agent_policy' - title: Agent policy full response + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object - Fleet_agent_policy_update_request: - title: Update agent policy request + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_ThreatMatchRuleOptionalFields: type: object properties: - agent_features: - items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - type: array - data_output_id: - nullable: true + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + concurrent_searches: + $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + items_per_search: + $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch' + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + threat_filters: + $ref: '#/components/schemas/Security_Detections_API_ThreatFilters' + threat_indicator_path: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath' + threat_language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_ThreatMatchRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threat_index: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' + threat_mapping: + $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' + type: + description: Rule type + enum: + - threat_match + type: string + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + Security_Detections_API_ThreatMatchRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields + Security_Detections_API_ThreatMatchRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threat_index: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' + threat_mapping: + $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' + type: + description: Rule type + enum: + - threat_match type: string - description: + required: + - type + - query + - threat_query + - threat_mapping + - threat_index + Security_Detections_API_ThreatMatchRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + required: + - language + Security_Detections_API_ThreatMatchRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + Security_Detections_API_ThreatQuery: + description: Query to run + type: string + Security_Detections_API_ThreatSubtechnique: + type: object + properties: + id: + description: Subtechnique ID type: string - download_source_id: - nullable: true + name: + description: Subtechnique name type: string - fleet_server_host_id: - nullable: true + reference: + description: Subtechnique reference type: string - force: - description: Force agent policy creation even if packages are not verified. - type: boolean - global_data_tags: - items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object - type: array - inactivity_timeout: - type: integer - is_protected: - type: boolean - monitoring_enabled: - items: - enum: - - metrics - - logs - type: string - type: array - monitoring_output_id: - nullable: true + required: + - id + - name + - reference + Security_Detections_API_ThreatTactic: + type: object + properties: + id: + description: Tactic ID type: string name: + description: Tactic name type: string - namespace: + reference: + description: Tactic reference type: string - unenroll_timeout: - type: integer required: + - id - name - - namespace - Fleet_agent_status: - enum: - - offline - - error - - online - - inactive - - warning - title: Elastic Agent status - type: string - Fleet_agent_type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - title: Agent type - type: string - Fleet_bulk_install_packages_response: - title: Bulk install packages response + - reference + Security_Detections_API_ThreatTechnique: type: object properties: - items: - items: - type: object - properties: - name: - type: string - version: - type: string - type: array - response: - deprecated: true + id: + description: Technique ID + type: string + name: + description: Technique name + type: string + reference: + description: Technique reference + type: string + subtechnique: + description: Array containing more specific information on the attack technique items: - type: object - properties: - name: - type: string - version: - type: string + $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique' type: array required: - - items - Fleet_bulk_upgrade_agents: - title: Bulk upgrade agents + - id + - name + - reference + Security_Detections_API_Threshold: type: object properties: - agents: - oneOf: - - description: KQL query string, leave empty to action all agents + cardinality: + $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality' + field: + $ref: '#/components/schemas/Security_Detections_API_ThresholdField' + value: + $ref: '#/components/schemas/Security_Detections_API_ThresholdValue' + required: + - field + - value + Security_Detections_API_ThresholdAlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionDuration + required: + - duration + Security_Detections_API_ThresholdCardinality: + items: + type: object + properties: + field: + type: string + value: + minimum: 0 + type: integer + required: + - field + - value + type: array + Security_Detections_API_ThresholdField: + description: Field to aggregate on + oneOf: + - type: string + - items: + type: string + type: array + Security_Detections_API_ThresholdRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields + Security_Detections_API_ThresholdRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + Security_Detections_API_ThresholdRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + Security_Detections_API_ThresholdRuleDefaultableFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_ThresholdRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + Security_Detections_API_ThresholdRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold type: string - - description: list of agent IDs + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + Security_Detections_API_ThresholdRulePatchProps: + allOf: + - type: object + properties: + actions: items: - type: string + $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array - force: - description: Force upgrade, skipping validation (should be used with caution) - type: boolean - rollout_duration_seconds: - description: rolling upgrade window duration in seconds - type: number - skipRateLimitCheck: - description: Skip rate limit check for upgrade - type: boolean - source_uri: - description: alternative upgrade binary download url - type: string - start_time: - description: start time of upgrade in ISO 8601 format - type: string - version: - description: version to upgrade to + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRulePatchFields + Security_Detections_API_ThresholdRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold type: string required: - - agents - - version - Fleet_data_stream: - title: Data stream + - type + - query + - threshold + Security_Detections_API_ThresholdRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + required: + - language + Security_Detections_API_ThresholdRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + Security_Detections_API_ThresholdValue: + description: Threshold value + minimum: 1 + type: integer + Security_Detections_API_ThrottleForBulkActions: + description: >- + The condition for throttling the notification: 'rule', 'no_actions', or + time duration + enum: + - rule + - 1h + - 1d + - 7d + type: string + Security_Detections_API_TiebreakerField: + description: Sets a secondary field for sorting events + type: string + Security_Detections_API_TimelineTemplateId: + description: Timeline template ID + type: string + Security_Detections_API_TimelineTemplateTitle: + description: Timeline template title + type: string + Security_Detections_API_TimestampField: + description: Contains the event timestamp used for sorting a sequence of events + type: string + Security_Detections_API_TimestampOverride: + description: Sets the time field used to query indices + type: string + Security_Detections_API_TimestampOverrideFallbackDisabled: + description: Disables the fallback to the event's @timestamp field + type: boolean + Security_Detections_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Detections_API_WarningSchema: type: object properties: - dashboard: - items: - type: object - properties: - id: - type: string - title: - type: string - type: array - dataset: - type: string - index: - type: string - last_activity_ms: - type: number - namespace: - type: string - package: + actionPath: type: string - package_version: + buttonLabel: type: string - size_in_bytes: - type: number - size_in_bytes_formatted: + message: type: string type: type: string - Fleet_download_sources: - title: Download Source + required: + - type + - message + - actionPath + Security_Endpoint_Exceptions_API_EndpointList: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList' + - additionalProperties: false + type: object + Security_Endpoint_Exceptions_API_EndpointListItem: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + Security_Endpoint_Exceptions_API_ExceptionList: type: object properties: - host: + _version: type: string - id: + created_at: + format: date-time type: string - is_default: + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId + immutable: type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags + tie_breaker_id: type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the proxies - API for more information. - nullable: true + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType + updated_at: + format: date-time + type: string + updated_by: type: string + version: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion required: - - is_default + - id + - list_id + - type - name - - host - Fleet_elasticsearch_asset_type: - enum: - - component_template - - ingest_pipeline - - index_template - - ilm_policy - - transform - - data_stream_ilm_policy - title: Elasticsearch asset type + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Endpoint_Exceptions_API_ExceptionListDescription: type: string - Fleet_enrollment_api_key: - title: Enrollment API key + Security_Endpoint_Exceptions_API_ExceptionListHumanId: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + description: Human readable string identifier, e.g. `trusted-linux-processes` + Security_Endpoint_Exceptions_API_ExceptionListId: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ExceptionListItem: type: object properties: - active: - description: >- - When false, the enrollment API key is revoked and cannot be used for - enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. + _version: type: string + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray created_at: + format: date-time type: string - id: - type: string - name: - description: The name of the enrollment API key. + created_by: type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - Fleet_fleet_server_host: - title: Fleet Server Host - type: object - properties: - host_urls: - items: - type: string - type: array id: - type: string - is_default: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + tie_breaker_id: type: string - proxy_id: - type: string - required: - - fleet_server_hosts - - id - - is_default - - is_preconfigured - - host_urls - Fleet_fleet_settings_response: - title: Fleet settings response - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_settings' - required: - - item - Fleet_fleet_setup_response: - title: Fleet Setup response - type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - type: array - required: - - isInitialized - - nonFatalErrors - Fleet_fleet_status_response: - title: Fleet status response - type: object - properties: - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - type: array - missing_requirements: - items: - enum: - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - type: array - package_verification_key_id: - type: string - required: - - isReady - - missing_requirements - - missing_optional_features - Fleet_full_agent_policy: - title: Full agent policy - type: object - properties: - agent: - nullable: true + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + updated_at: + format: date-time type: string - fleet: - oneOf: - - type: object - properties: - hosts: - items: - type: string - type: array - proxy_headers: {} - proxy_url: - type: string - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - - type: object - properties: - kibana: - type: object - properties: - hosts: - items: - type: string - type: array - path: - type: string - protocol: - type: string - id: + updated_by: type: string - inputs: + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Endpoint_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + created_at: + format: date-time type: string - monitoring: - type: object - properties: - diagnostics: - type: object - properties: - limit: - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: - type: boolean - http: - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - required: - - enabled - logs: - type: boolean - metrics: - type: boolean - namespace: - type: string - pprof: - type: object - properties: - enabled: - type: boolean - required: - - enabled - traces: - type: boolean - use_output: - type: string - required: - - enabled - - metrics - - logs - - traces - output_permissions: - additionalProperties: - type: object - properties: - data: - $ref: >- - #/components/schemas/Fleet_full_agent_policy_output_permissions - output: - type: integer - type: object - outputs: - additionalProperties: - $ref: '#/components/schemas/Fleet_full_agent_policy_output' - type: object - revision: - type: number - secret_references: - items: - type: object - properties: - id: - type: string - type: array + created_by: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + updated_at: + format: date-time + type: string + updated_by: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - id - - outputs - - inputs - Fleet_full_agent_policy_input: - allOf: - - additionalProperties: true + - comment + - created_at + - created_by + Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + list: type: object properties: - data_stream: - type: object - properties: - namespace: - type: string - required: - - namespace id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - name: - type: string - revision: - type: number - streams: - $ref: '#/components/schemas/Fleet_full_agent_policy_input_stream' + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId' type: - type: string - use_output: - type: string + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType' required: - id - - name - - revision - type - - data_stream - - use_output - title: Full agent policy input - Fleet_full_agent_policy_input_stream: - allOf: - - additionalProperties: true - type: object - properties: - data_stream: - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - - type - id: - type: string - required: - - id - - data_stream - title: Full agent policy input stream - Fleet_full_agent_policy_output: - title: Full agent policy + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ExceptionListItemId: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Endpoint_Exceptions_API_ExceptionListItemName: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemTags: + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Endpoint_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Endpoint_Exceptions_API_ExceptionListName: + type: string + Security_Endpoint_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Endpoint_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Endpoint_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Endpoint_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Endpoint_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + enum: + - agnostic + - single + type: string + Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ListId: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Endpoint_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Endpoint_Exceptions_API_PlatformErrorResponse: type: object properties: - additionalProperties: - type: object - properties: - text: {} - ca_sha256: - nullable: true + error: type: string - hosts: - items: - type: string - type: array - proxy_headers: {} - proxy_url: + message: type: string - type: {} + statusCode: + type: integer required: - - type - - hosts - - ca_sha256 - Fleet_full_agent_policy_output_permissions: - additionalProperties: - type: object - properties: - data: - type: object - properties: - cluster: - items: - type: string - type: array - indices: - items: - type: object - properties: - names: - items: - type: string - type: array - privileges: - items: - type: string - type: array - type: array - packagePolicyName: - type: string - title: Full agent policy output permissions - Fleet_get_agent_tags_response: - title: Get Agent Tags response + - statusCode + - error + - message + Security_Endpoint_Exceptions_API_SiemErrorResponse: type: object properties: - items: - items: - type: string - type: array - Fleet_get_agents_response: - title: Get Agent response + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Endpoint_Management_API_ActionLogRequestQuery: type: object properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_agent' - type: array + end_date: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' page: - type: number - perPage: - type: number - statusSummary: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + page_size: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + start_date: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + Security_Endpoint_Management_API_ActionStateSuccessResponse: + type: object + properties: + body: type: object properties: - degraded': - type: number - enrolling: - type: number - error: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - unenrolled: - type: number - unenrolling: - type: number - updating: - type: number - total: - type: number + data: + type: object + properties: + canEncrypt: + type: boolean + required: + - data required: - - items - - total - - page - - perPage - Fleet_get_bulk_assets_response: - deprecated: true + - body + Security_Endpoint_Management_API_ActionStatusSuccessResponse: + type: object properties: - items: - items: - type: object - properties: - appLink: - type: string - attributes: - type: object - properties: - description: - type: string - title: - type: string - id: - type: string - type: - $ref: '#/components/schemas/Fleet_saved_object_type' - updatedAt: - type: string - type: array + body: + type: object + properties: + data: + type: object + properties: + agent_id: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AgentId + pending_actions: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema + required: + - agent_id + - pending_actions + required: + - data required: - - items - title: Bulk get assets response + - body + Security_Endpoint_Management_API_AgentId: + description: Agent ID + type: string + Security_Endpoint_Management_API_AgentIds: + minLength: 1 + oneOf: + - items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Endpoint_Management_API_AgentTypes: + enum: + - endpoint + - sentinel_one + - crowdstrike + type: string + Security_Endpoint_Management_API_AlertIds: + description: A list of alerts ids. + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_NonEmptyString' + minItems: 1 + type: array + Security_Endpoint_Management_API_CaseIds: + description: Case IDs to be updated (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Endpoint_Management_API_Command: + description: The command to be executed (cannot be an empty string) + enum: + - isolate + - unisolate + - kill-process + - suspend-process + - running-processes + - get-file + - execute + - upload + - scan + minLength: 1 + type: string + Security_Endpoint_Management_API_Commands: + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' + type: array + Security_Endpoint_Management_API_Comment: + description: Optional comment + type: string + Security_Endpoint_Management_API_EndDate: + description: End date + type: string + Security_Endpoint_Management_API_EndpointIds: + description: List of endpoint IDs (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Endpoint_Management_API_EntityId: type: object - Fleet_get_categories_response: - title: Get categories response + properties: + entity_id: + minLength: 1 + type: string + Security_Endpoint_Management_API_ExecuteRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + command: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Command + timeout: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Timeout + required: + - command + required: + - parameters + Security_Endpoint_Management_API_GetEndpointActionListRouteQuery: type: object properties: - items: - items: - type: object - properties: - count: - type: number - id: - type: string - title: - type: string - required: - - id - - title - - count - type: array - response: - items: - deprecated: true - type: object - properties: - count: - type: number - id: - type: string - title: - type: string - required: - - id - - title - - count - type: array - required: - - items - Fleet_get_packages_response: - title: Get Packages response + agentIds: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + agentTypes: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + commands: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + endDate: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + page: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + startDate: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + types: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + userIds: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + withOutputs: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + Security_Endpoint_Management_API_GetFileRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Endpoint_Management_API_GetProcessesRouteRequestBody: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema + Security_Endpoint_Management_API_IsolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema + Security_Endpoint_Management_API_KillProcessRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EntityId + - type: object + properties: + process_name: + description: Valid for SentinelOne agent type only + minLength: 1 + type: string + required: + - parameters + Security_Endpoint_Management_API_ListRequestQuery: type: object properties: - items: - items: - $ref: '#/components/schemas/Fleet_search_result' - type: array - response: - deprecated: true + hostStatuses: items: - $ref: '#/components/schemas/Fleet_search_result' + enum: + - healthy + - offline + - updating + - inactive + - unenrolled + type: string type: array + kuery: + nullable: true + type: string + page: + default: 0 + description: Page number + minimum: 0 + type: integer + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + sortDirection: + enum: + - asc + - desc + nullable: true + type: string + sortField: + enum: + - enrolled_at + - metadata.host.hostname + - host_status + - metadata.Endpoint.policy.applied.name + - metadata.Endpoint.policy.applied.status + - metadata.host.os.name + - metadata.host.ip + - metadata.agent.version + - last_checkin + type: string required: - - items - Fleet_installation_info: - title: Installation info object + - hostStatuses + Security_Endpoint_Management_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Endpoint_Management_API_NoParametersRequestSchema: type: object properties: - created_at: + body: + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + required: + - body + Security_Endpoint_Management_API_Page: + default: 1 + description: Page number + minimum: 1 + type: integer + Security_Endpoint_Management_API_PageSize: + default: 10 + description: Number of items per page + maximum: 100 + minimum: 1 + type: integer + Security_Endpoint_Management_API_Parameters: + description: Optional parameters object + type: object + Security_Endpoint_Management_API_PendingActionDataType: + type: integer + Security_Endpoint_Management_API_PendingActionsSchema: + oneOf: + - type: object + properties: + execute: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + get-file: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + isolate: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + kill-process: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + running-processes: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + scan: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + suspend-process: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + unisolate: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + upload: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + - additionalProperties: true + type: object + Security_Endpoint_Management_API_Pid: + type: object + properties: + pid: + minimum: 1 + type: integer + Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: + type: object + properties: + note: type: string - experimental_data_stream_features: - type: array + Security_Endpoint_Management_API_ScanRouteRequestBody: + allOf: + - type: object properties: - data_stream: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Endpoint_Management_API_StartDate: + description: Start date + type: string + Security_Endpoint_Management_API_SuccessResponse: + type: object + properties: {} + Security_Endpoint_Management_API_SuspendProcessRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EntityId + required: + - parameters + Security_Endpoint_Management_API_Timeout: + description: The maximum timeout value in milliseconds (optional) + minimum: 1 + type: integer + Security_Endpoint_Management_API_Type: + description: Type of response action + enum: + - automated + - manual + type: string + Security_Endpoint_Management_API_Types: + description: List of types of response actions + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' + maxLength: 2 + minLength: 1 + type: array + Security_Endpoint_Management_API_UnisolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema + Security_Endpoint_Management_API_UploadRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + file: + format: binary type: string - features: + parameters: type: object properties: - doc_value_only_numeric: - nullable: true - type: boolean - doc_value_only_other: - nullable: true - type: boolean - synthetic_source: - nullable: true - type: boolean - tsdb: - nullable: true + overwrite: + default: false type: boolean - install_format_schema_version: - type: string - install_kibana_space_id: + required: + - parameters + - file + Security_Endpoint_Management_API_UserIds: + description: User IDs + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 type: string - install_source: - enum: - - registry - - upload - - bundled + Security_Endpoint_Management_API_WithOutputs: + description: Shows detailed outputs for an action response + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 type: string - install_status: - enum: - - installed - - installing - - install_failed + Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: + type: object + properties: + index: + type: integer + message: type: string - installed_es: - type: object + required: + - message + - index + Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats: + type: object + properties: + failed: + type: integer + successful: + type: integer + total: + type: integer + required: + - successful + - failed + - total + Security_Entity_Analytics_API_AssetCriticalityLevel: + description: The criticality level of the asset. + enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + Security_Entity_Analytics_API_AssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts + - type: object properties: - deferred: - type: boolean - id: + '@timestamp': + description: The time the record was created or updated. + example: '2017-07-21T17:32:28Z' + format: date-time type: string - type: - $ref: '#/components/schemas/Fleet_elasticsearch_asset_type' - installed_kibana: + required: + - '@timestamp' + Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts: + type: object + properties: + asset: type: object properties: - id: - type: string - type: - $ref: '#/components/schemas/Fleet_kibana_saved_object_type' - latest_executed_state: - description: Latest successfully executed state in package install state machine + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - asset + host: type: object properties: - error: - type: string + asset: + type: object + properties: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality name: - enum: - - create_restart_installation - - install_kibana_assets - - install_ilm_policies - - install_ml_model - - install_index_template_pipelines - - remove_legacy_templates - - update_current_write_indices - - install_transforms - - delete_previous_pipelines - - save_archive_entries_from_assets_map - - update_so type: string - started_at: + required: + - name + user: + type: object + properties: + asset: + type: object + properties: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + name: type: string - latest_install_failed_attempts: - description: Latest failed install errors - items: - type: object - properties: - created_at: - type: string - error: - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - target_version: - type: string - type: array - name: - type: string - namespaces: - items: - type: string - type: array - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - verified - - unverified - - unknown - type: string - version: - type: string + required: + - name required: - - installed_kibana - - installed_es - - name - - version - - install_status - - install_version - - install_started_at - - install_source - - verification_status - - latest_install_failed_attempts - Fleet_kibana_saved_object_type: - enum: - - dashboard - - visualization - - search - - index-pattern - - map - - lens - - ml-module - - security-rule - - csp_rule_template - title: Kibana saved object asset type - type: string - Fleet_new_package_policy: - description: '' + - asset + Security_Entity_Analytics_API_AssetCriticalityRecordIdParts: + type: object properties: - description: + id_field: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + description: The field representing the ID. + example: host.name + id_value: + description: The ID value of the asset. type: string - enabled: + required: + - id_value + - id_field + Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse: + type: object + properties: + cleanup_successful: + example: false type: boolean - inputs: + errors: items: type: object properties: - config: - type: object - enabled: - type: boolean - processors: - items: - type: string - type: array - streams: - items: {} - type: array - type: + error: type: string - vars: - type: object + seq: + type: integer required: - - type - - enabled + - seq + - error type: array - name: + required: + - cleanup_successful + - errors + Security_Entity_Analytics_API_CreateAssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts + - type: object + properties: + criticality_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality_level + Security_Entity_Analytics_API_EngineDescriptor: + type: object + properties: + filter: type: string - namespace: + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + Security_Entity_Analytics_API_EngineStatus: + enum: + - installing + - started + - stopped + type: string + Security_Entity_Analytics_API_Entity: + oneOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' + Security_Entity_Analytics_API_EntityRiskLevels: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + Security_Entity_Analytics_API_EntityRiskScoreRecord: + type: object + properties: + '@timestamp': + description: The time at which the risk score was calculated. + example: '2017-07-21T17:32:28Z' + format: date-time type: string - output_id: + calculated_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' + description: Lexical description of the entity's risk. + example: Critical + calculated_score: + description: The raw numeric value of the given entity's risk score. + format: double + type: number + calculated_score_norm: + description: >- + The normalized numeric value of the given entity's risk score. + Useful for comparing with other entities. + format: double + maximum: 100 + minimum: 0 + type: number + category_1_count: + description: >- + The number of risk input documents that contributed to the Category + 1 score (`category_1_score`). + format: integer + type: number + category_1_score: + description: >- + The contribution of Category 1 to the overall risk score + (`calculated_score`). Category 1 contains Detection Engine Alerts. + format: double + type: number + category_2_count: + format: integer + type: number + category_2_score: + format: double + type: number + criticality_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + criticality_modifier: + format: double + type: number + id_field: + description: >- + The identifier field defining this risk score. Coupled with + `id_value`, uniquely identifies the entity being scored. + example: host.name type: string - overrides: + id_value: + description: >- + The identifier value defining this risk score. Coupled with + `id_field`, uniquely identifies the entity being scored. + example: example.host + type: string + inputs: + description: >- + A list of the highest-risk documents contributing to this risk + score. Useful for investigative purposes. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' + type: array + notes: + items: + type: string + type: array + required: + - '@timestamp' + - id_field + - id_value + - calculated_level + - calculated_score + - calculated_score_norm + - category_1_score + - category_1_count + - inputs + - notes + Security_Entity_Analytics_API_EntityType: + enum: + - user + - host + type: string + Security_Entity_Analytics_API_HostEntity: + type: object + properties: + asset: type: object - package: + properties: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + entity: type: object properties: - name: + definitionId: type: string - requires_root: - type: boolean - title: + definitionVersion: type: string - version: + displayName: + type: string + firstSeenTimestamp: + format: date-time + type: string + id: + type: string + identityFields: + items: + type: string + type: array + lastSeenTimestamp: + format: date-time + type: string + schemaVersion: + type: string + source: + type: string + type: + enum: + - node + type: string + required: + - lastSeenTimestamp + - schemaVersion + - definitionVersion + - displayName + - identityFields + - id + - type + - firstSeenTimestamp + - definitionId + host: + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: type: string + risk: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + type: + items: + type: string + type: array required: - name - - version - policy_id: - deprecated: true - nullable: true - type: string - policy_ids: + Security_Entity_Analytics_API_IdField: + enum: + - host.name + - user.name + type: string + Security_Entity_Analytics_API_IndexPattern: + type: string + Security_Entity_Analytics_API_InspectQuery: + type: object + properties: + dsl: + items: + type: string + type: array + response: items: type: string type: array required: - - inputs - - name - title: New package policy - type: object - Fleet_output_create_request: - discriminator: - mapping: - elasticsearch: '#/components/schemas/Fleet_output_create_request_elasticsearch' - kafka: '#/components/schemas/Fleet_output_create_request_kafka' - logstash: '#/components/schemas/Fleet_output_create_request_logstash' - remote_elasticsearch: >- - #/components/schemas/Fleet_output_create_request_remote_elasticsearch - propertyName: type - oneOf: - - $ref: '#/components/schemas/Fleet_output_create_request_elasticsearch' - - $ref: '#/components/schemas/Fleet_output_create_request_kafka' - - $ref: '#/components/schemas/Fleet_output_create_request_logstash' - - $ref: >- - #/components/schemas/Fleet_output_create_request_remote_elasticsearch - title: Output - Fleet_output_create_request_elasticsearch: - title: elasticsearch + - dsl + - response + Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: type: object properties: - ca_sha256: + full_error: type: string - ca_trusted_fingerprint: + message: type: string - config: - type: object - config_yaml: + required: + - message + - full_error + Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: + type: object + properties: + success: + type: boolean + Security_Entity_Analytics_API_RiskScoreInput: + description: A generic representation of a document contributing to a Risk Score. + type: object + properties: + category: + description: The risk category of the risk input document. + example: category_1 + type: string + contribution_score: + format: double + type: number + description: + description: A human-readable description of the risk input document. + example: 'Generated from Detection Engine Rule: Malware Prevention Alert' type: string - hosts: - items: - type: string - type: array id: + description: The unique identifier (`_id`) of the original source document + example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: + index: + description: The unique index (`_index`) of the original source document + example: .internal.alerts-security.alerts-default-000001 type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency + risk_score: + description: The weighted risk score of the risk input document. + format: double + maximum: 100 + minimum: 0 + type: number + timestamp: + description: The @timestamp of the risk input document. + example: '2017-07-21T17:32:28Z' type: string - proxy_id: + required: + - id + - index + - description + - category + Security_Entity_Analytics_API_TaskManagerUnavailableResponse: + description: Task manager is unavailable + type: object + properties: + message: type: string - shipper: + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + Security_Entity_Analytics_API_UserEntity: + type: object + properties: + asset: type: object properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + entity: type: object properties: - certificate: + definitionId: type: string - certificate_authorities: + definitionVersion: + type: string + displayName: + type: string + firstSeenTimestamp: + format: date-time + type: string + id: + type: string + identityFields: + items: + type: string + type: array + lastSeenTimestamp: + format: date-time + type: string + schemaVersion: + type: string + source: + type: string + type: + enum: + - node + type: string + required: + - lastSeenTimestamp + - schemaVersion + - definitionVersion + - displayName + - identityFields + - id + - type + - firstSeenTimestamp + - definitionId + - source + user: + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: items: type: string type: array - key: + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: type: string - type: - enum: - - elasticsearch + risk: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + roles: + items: + type: string + type: array + required: + - name + Security_Exceptions_API_CreateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_CreateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment + type: array + Security_Exceptions_API_CreateRuleExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment + type: array + Security_Exceptions_API_CreateRuleExceptionListItemProps: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time type: string + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: + - type - name - Fleet_output_create_request_kafka: - title: kafka + - description + - entries + Security_Exceptions_API_ExceptionList: type: object properties: - auth_type: + _version: type: string - broker_timeout: - type: number - ca_sha256: + created_at: + format: date-time type: string - ca_trusted_fingerprint: + created_by: type: string - client_id: + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + immutable: + type: boolean + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + tie_breaker_id: type: string - compression: + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + updated_at: + format: date-time type: string - compression_level: - type: number - config: - type: object - config_yaml: + updated_by: type: string - connection_type: - enum: - - plaintext - - encryption + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Exceptions_API_ExceptionListDescription: + type: string + Security_Exceptions_API_ExceptionListHumanId: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + description: Human readable string identifier, e.g. `trusted-linux-processes` + Security_Exceptions_API_ExceptionListId: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: type: string - headers: - items: - type: object - properties: - key: - type: string - value: - type: string - type: array - hosts: - items: - type: string - type: array - id: + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - key: + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time type: string + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + tie_breaker_id: type: string - partition: + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + updated_at: + format: date-time type: string - password: + updated_by: type: string - proxy_id: + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + created_at: + format: date-time type: string - random: - type: object - properties: - group_events: - type: number - required_acks: - type: number - round_robin: - type: object - properties: - group_events: - type: number - sasl: - type: object - properties: - mechanism: - type: string - secrets: - type: object - properties: - password: - type: string - ssl: - type: object - properties: - key: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - verification_mode: - enum: - - none - - full - - certificate - - strict - type: string - timeout: - type: number - topic: + created_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + updated_at: + format: date-time type: string - topics: - deprecated: true - description: Use topic instead. - items: - type: object - properties: - topic: - type: string - when: - deprecated: true - description: >- - Deprecated, kafka output do not support conditionnal topics - anymore. - type: object - properties: - condition: - type: string - type: - type: string - type: array + updated_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' + type: array + Security_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' + type: array + Security_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + list: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ListType' + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator type: enum: - - kafka - type: string - username: - type: string - version: + - list type: string required: - - name - type - - topics - - auth_type - - hosts - Fleet_output_create_request_logstash: - title: logstash + - field + - list + - operator + Security_Exceptions_API_ExceptionListItemEntryMatch: type: object properties: - ca_sha256: - type: string - ca_trusted_fingerprint: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match type: string - config: - type: object - config_yaml: + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any type: string - hosts: + value: items: - type: string + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + minItems: 1 type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - type: string - secrets: - type: object - properties: - ssl: - type: object - properties: - key: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator type: enum: - - logstash + - wildcard type: string + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - - name - - hosts - type - Fleet_output_create_request_remote_elasticsearch: - title: remote_elasticsearch + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryNested: type: object properties: - hosts: + entries: items: - type: string + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - secrets: - type: object - properties: - service_token: - type: string - service_token: - type: string + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' type: enum: - - remote_elasticsearch + - nested type: string required: - - name - Fleet_output_update_request: - discriminator: - mapping: - elasticsearch: '#/components/schemas/Fleet_output_update_request_elasticsearch' - kafka: '#/components/schemas/Fleet_output_update_request_kafka' - logstash: '#/components/schemas/Fleet_output_update_request_logstash' - propertyName: type + - type + - field + - entries + Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - - $ref: '#/components/schemas/Fleet_output_update_request_elasticsearch' - - $ref: '#/components/schemas/Fleet_output_update_request_kafka' - - $ref: '#/components/schemas/Fleet_output_update_request_logstash' - title: Output - Fleet_output_update_request_elasticsearch: - title: elasticsearch + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + Security_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Exceptions_API_ExceptionListItemHumanId: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_ExceptionListItemId: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Exceptions_API_ExceptionListItemName: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListItemTags: + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: array + Security_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Exceptions_API_ExceptionListName: + type: string + Security_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListsImportBulkError: type: object properties: - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - config: + error: type: object - config_yaml: - type: string - hosts: - items: - type: string - type: array + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + required: + - error + Security_Exceptions_API_ExceptionListsImportBulkErrorArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError + type: array + Security_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + enum: + - agnostic + - single + type: string + Security_Exceptions_API_FindExceptionListItemsFilter: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_FindExceptionListsFilter: + type: string + Security_Exceptions_API_ListId: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: + message: type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - elasticsearch + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + Security_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: type: string + status_code: + type: integer required: - - name - - hosts - - type - Fleet_output_update_request_kafka: - title: kafka + - status_code + - message + Security_Exceptions_API_UpdateExceptionListItemComment: type: object properties: - auth_type: - type: string - broker_timeout: - type: number - ca_sha256: - type: string - ca_trusted_fingerprint: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_UpdateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment + type: array + Security_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Lists_API_FindListItemsCursor: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_FindListItemsFilter: + type: string + Security_Lists_API_FindListsCursor: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_FindListsFilter: + type: string + Security_Lists_API_List: + type: object + properties: + _version: type: string - client_id: + '@timestamp': + format: date-time type: string - compression: + created_at: + format: date-time type: string - compression_level: - type: number - config: - type: object - config_yaml: + created_by: type: string - connection_type: - enum: - - plaintext - - encryption + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + deserializer: type: string - headers: - items: - type: object - properties: - key: - type: string - value: - type: string - type: array - hosts: - items: - type: string - type: array id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: + $ref: '#/components/schemas/Security_Lists_API_ListId' + immutable: type: boolean - key: - type: string + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + serializer: type: string - partition: - type: string - password: - type: string - proxy_id: - type: string - random: - type: object - properties: - group_events: - type: number - required_acks: - type: number - round_robin: - type: object - properties: - group_events: - type: number - sasl: - type: object - properties: - mechanism: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - verification_mode: - enum: - - none - - full - - certificate - - strict - type: string - timeout: - type: number - topic: + tie_breaker_id: type: string - topics: - deprecated: true - description: Use topic instead. - items: - type: object - properties: - topic: - type: string - when: - deprecated: true - description: >- - Deprecated, kafka output do not support conditionnal topics - anymore. - type: object - properties: - condition: - type: string - type: - type: string - type: array type: - enum: - - kafka + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + format: date-time type: string - username: + updated_by: type: string version: - type: string + minimum: 1 + type: integer required: + - id + - type - name - Fleet_output_update_request_logstash: - title: logstash + - description + - immutable + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListDescription: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_ListId: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_ListItem: type: object properties: - ca_sha256: + _version: type: string - ca_trusted_fingerprint: + '@timestamp': + format: date-time type: string - config: - type: object - config_yaml: + created_at: + format: date-time + type: string + created_by: + type: string + deserializer: type: string - hosts: - items: - type: string - type: array id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + serializer: type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: + tie_breaker_id: type: string - proxy_id: + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + format: date-time type: string - shipper: + updated_by: + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListItemId: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_ListItemMetadata: + additionalProperties: true + type: object + Security_Lists_API_ListItemPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListItemValue: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_ListMetadata: + additionalProperties: true + type: object + Security_Lists_API_ListName: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: type: boolean - ssl: + type: object type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - logstash + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Lists_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Lists_API_PlatformErrorResponse: + type: object + properties: + error: type: string + message: + type: string + statusCode: + type: integer required: - - name - Fleet_package_info: - title: Package information + - statusCode + - error + - message + Security_Lists_API_SiemErrorResponse: type: object properties: - assets: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Osquery_API_ArrayQueries: + items: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' + type: array + Security_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_Id' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_CreateLiveQueryRequestBody: + type: object + properties: + agent_all: + type: boolean + agent_ids: items: type: string type: array - categories: + agent_platforms: items: type: string type: array - conditions: - type: object - properties: - elasticsearch: - type: object - properties: - subscription: - enum: - - basic - - gold - - platinum - - enterprise - type: string - kibana: - type: object - properties: - versions: - type: string - data_streams: + agent_policy_ids: items: - type: object - properties: - ingeset_pipeline: - type: string - name: - type: string - package: - type: string - release: - type: string - title: - type: string - type: - type: string - vars: - items: - type: object - properties: - default: - type: string - name: - type: string - required: - - name - - default - type: array - required: - - title - - name - - release - - ingeset_pipeline - - type - - package + type: string type: array - description: - type: string - download: - type: string - elasticsearch: - type: object - properties: - privileges: - type: object - properties: - cluster: - items: - type: string - type: array - format_version: - type: string - icons: + alert_ids: items: type: string type: array - internal: - type: boolean + case_ids: + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + event_ids: + items: + type: string + type: array + metadata: + nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + Security_Osquery_API_CreatePacksRequestBody: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_CreateSavedQueryRequestBody: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_DefaultSuccessResponse: + type: object + properties: {} + Security_Osquery_API_Description: + type: string + Security_Osquery_API_DescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Description' + nullable: true + Security_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + type: object + Security_Osquery_API_ECSMappingItem: + type: object + properties: + field: type: string - path: + value: + oneOf: + - type: string + - items: + type: string + type: array + Security_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + nullable: true + Security_Osquery_API_Enabled: + type: boolean + Security_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + nullable: true + Security_Osquery_API_FindLiveQueryRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + pageSize: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + sort: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + sortOrder: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + Security_Osquery_API_FindPacksRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + pageSize: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + sort: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + sortOrder: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + Security_Osquery_API_FindSavedQueryRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + pageSize: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + sort: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + sortOrder: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + Security_Osquery_API_GetLiveQueryResultsRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + pageSize: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + sort: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + sortOrder: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + Security_Osquery_API_Id: + type: string + Security_Osquery_API_Interval: + type: string + Security_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + nullable: true + Security_Osquery_API_KueryOrUndefined: + nullable: true + type: string + Security_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' + type: object + Security_Osquery_API_ObjectQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_Id' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_PackId: + type: string + Security_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + nullable: true + Security_Osquery_API_PackName: + type: string + Security_Osquery_API_PageOrUndefined: + nullable: true + type: integer + Security_Osquery_API_PageSizeOrUndefined: + nullable: true + type: integer + Security_Osquery_API_Platform: + type: string + Security_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + nullable: true + Security_Osquery_API_PolicyIds: + items: + type: string + type: array + Security_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + nullable: true + Security_Osquery_API_Query: + type: string + Security_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Query' + nullable: true + Security_Osquery_API_Removed: + type: boolean + Security_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + nullable: true + Security_Osquery_API_SavedQueryId: + type: string + Security_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + nullable: true + Security_Osquery_API_Shards: + additionalProperties: + type: number + type: object + Security_Osquery_API_Snapshot: + type: boolean + Security_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + nullable: true + Security_Osquery_API_SortOrderOrUndefined: + oneOf: + - nullable: true type: string - readme: + - enum: + - asc + - desc + Security_Osquery_API_SortOrUndefined: + nullable: true + type: string + Security_Osquery_API_UpdatePacksRequestBody: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_UpdateSavedQueryRequestBody: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' + platform: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_Version: + type: string + Security_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Version' + nullable: true + Security_Timeline_API_BareNote: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true type: string - release: - deprecated: true - description: >- - release label is deprecated, derive from the version instead - (packages follow semver) - enum: - - experimental - - beta - - ga + eventId: + nullable: true type: string - screenshots: - items: - type: object - properties: - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - - path - type: array - source: - type: object - properties: - license: - enum: - - Apache-2.0 - - Elastic-2.0 - type: string - title: + note: + nullable: true + type: string + timelineId: + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + required: + - timelineId + Security_Timeline_API_BarePinnedEvent: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true type: string - type: + eventId: type: string - version: + timelineId: + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true type: string required: - - name - - title - - version - - description - - type - - categories - - conditions - - assets - - format_version - - download - - path - Fleet_package_policy: - allOf: - - type: object - properties: - id: - type: string - inputs: - oneOf: - - items: {} - type: array - - type: object - revision: - type: number - required: - - id - - revision - - $ref: '#/components/schemas/Fleet_new_package_policy' - title: Package policy - Fleet_package_policy_request: - title: Package Policy Request + - eventId + - timelineId + Security_Timeline_API_ColumnHeaderResult: type: object properties: - description: - description: Package policy description - example: my description - type: string - force: - description: >- - Force package policy creation even if package is not verified, or if - the agent policy is managed. + aggregatable: + nullable: true type: boolean - id: - description: Package policy unique identifier - type: string - inputs: - additionalProperties: - type: object - properties: - enabled: - description: enable or disable that input, (default to true) - type: boolean - streams: - additionalProperties: - type: object - properties: - enabled: - description: enable or disable that stream, (default to true) - type: boolean - vars: - description: >- - Stream level variable (see integration documentation for - more information) - type: object - description: >- - Input streams (see integration documentation to know what - streams are available) - type: object - vars: - description: >- - Input level variable (see integration documentation for more - information) - type: object - description: >- - Package policy inputs (see integration documentation to know what - inputs are available) - example: - nginx-logfile: - enabled: true - streams: - nginx.access: - enabled: true - vars: - ignore_older: 72h - paths: - - /var/log/nginx/access.log* - preserve_original_event: false - tags: - - nginx-access - type: object - name: - description: Package policy name (should be unique) - example: nginx-123 + category: + nullable: true type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. - example: customnamespace + columnHeaderType: + nullable: true type: string - output_id: - description: Output ID to send package data to - example: output-id + description: nullable: true type: string - overrides: - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. + example: nullable: true - type: object - properties: - inputs: - type: object - package: - type: object - properties: - name: - description: Package name - example: nginx - type: string - version: - description: Package version - example: 1.6.0 - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Agent policy ID where that package policy will be added - example: agent-policy-id + type: string + id: nullable: true type: string - policy_ids: - description: Agent policy IDs where that package policy will be added - example: - - agent-policy-id + indexes: items: type: string + nullable: true type: array - vars: - description: >- - Package root level variable (see integration documentation for more - information) - type: object - required: - - name - - package - Fleet_package_usage_stats: - title: Package usage stats - type: object - properties: - agent_policy_count: - type: integer - required: - - agent_policy_count - Fleet_proxies: - title: Fleet Proxy + name: + nullable: true + type: string + placeholder: + nullable: true + type: string + searchable: + nullable: true + type: boolean + type: + nullable: true + type: string + Security_Timeline_API_DataProviderQueryMatch: type: object properties: - certificate: + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true type: string - certificate_authorities: + kqlQuery: + nullable: true type: string - certificate_key: + name: + nullable: true type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean id: + nullable: true type: string - name: + kqlQuery: + nullable: true type: string - proxy_headers: - type: object - url: + name: + nullable: true type: string - required: - - name - - url - Fleet_saved_object_type: + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderType: + description: >- + The type of data provider to create. Valid values are `default` and + `template`. + enum: + - default + - template + type: string + Security_Timeline_API_DocumentIds: oneOf: - - enum: - - dashboard - - visualization - - search - - index_pattern - - map - - lens - - security_rule - - csp_rule_template - - ml_module - - tag - - osquery_pack_asset - - osquery_saved_query + - items: + type: string + type: array + - type: string + Security_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + code: + nullable: true + type: number + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: array + message: + nullable: true type: string - - enum: - - index - - component_template - - ingest_pipeline - - index_template - - ilm_policy - - transform - - data_stream_ilm_policy - - ml_model + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + version: type: string - title: Saved Object type - Fleet_search_result: - title: Search result + required: + - savedObjectId + - version + Security_Timeline_API_FavoriteTimelineResult: type: object properties: - description: - type: string - download: + favoriteDate: + nullable: true + type: number + fullName: + nullable: true type: string - icons: + userName: + nullable: true type: string - installationInfo: - $ref: '#/components/schemas/Fleet_installation_info' - name: + Security_Timeline_API_FilterTimelineResult: + type: object + properties: + exists: + nullable: true type: string - path: + match_all: + nullable: true type: string - savedObject: - deprecated: true + meta: + nullable: true type: object - status: + properties: + alias: + nullable: true + type: string + controlledBy: + nullable: true + type: string + disabled: + nullable: true + type: boolean + field: + nullable: true + type: string + formattedValue: + nullable: true + type: string + index: + nullable: true + type: string + key: + nullable: true + type: string + negate: + nullable: true + type: boolean + params: + nullable: true + type: string + type: + nullable: true + type: string + value: + nullable: true + type: string + missing: + nullable: true type: string - title: + query: + nullable: true type: string - type: + range: + nullable: true type: string - version: + script: + nullable: true type: string - required: - - description - - download - - icons - - name - - path - - title - - type - - version - - status - Fleet_settings: - title: Settings + Security_Timeline_API_GetNotesResult: type: object properties: - fleet_server_hosts: - deprecated: true + notes: items: - type: string + $ref: '#/components/schemas/Security_Timeline_API_Note' type: array - has_seen_add_data_notice: - type: boolean - id: - type: string - prerelease_integrations_enabled: - type: boolean + totalCount: + type: number required: - - fleet_server_hosts - - id - Fleet_upgrade_agent: - title: Upgrade agent + - totalCount + - notes + Security_Timeline_API_ImportTimelineResult: type: object properties: - force: - description: Force upgrade, skipping validation (should be used with caution) - type: boolean - skipRateLimitCheck: - description: Skip rate limit check for upgrade - type: boolean - source_uri: - type: string - version: - type: string - required: - - version - Fleet_upgrade_agent_diff: - items: - items: - $ref: '#/components/schemas/Fleet_full_agent_policy_input' - type: array - title: Package policy Upgrade dryrun - type: array - Fleet_upgrade_diff: - items: - allOf: - - $ref: '#/components/schemas/Fleet_package_policy' - - allOf: - - $ref: '#/components/schemas/Fleet_new_package_policy' - - type: object - properties: - errors: - items: - type: object - properties: - key: - type: string - message: - type: string - type: array - missingVars: - items: - type: string - type: array + errors: + items: type: object - title: Package policy Upgrade dryrun - type: array - Kibana_HTTP_APIs_core_status_redactedResponse: - additionalProperties: false - description: A minimal representation of Kibana's operational status. + properties: + error: + type: object + properties: + message: + type: string + status_code: + type: number + id: + type: string + type: array + success: + type: boolean + success_count: + type: number + timelines_installed: + type: number + timelines_updated: + type: number + Security_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + globalNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - savedObjectId + - version + - pinnedEventIds + - eventNotes + - globalNotes + Security_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + - type: object + properties: + noteId: + type: string + version: + type: string + required: + - noteId + - version + Security_Timeline_API_PersistPinnedEventResponse: + oneOf: + - allOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + - $ref: >- + #/components/schemas/Security_Timeline_API_PinnedEventBaseResponseBody + - nullable: true + type: object + Security_Timeline_API_PersistTimelineResponse: type: object properties: - status: - additionalProperties: false + data: type: object properties: - overall: - additionalProperties: false + persistTimeline: type: object properties: - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string + timeline: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' required: - - level + - timeline required: - - overall + - persistTimeline required: - - status - Kibana_HTTP_APIs_core_status_response: - additionalProperties: false - description: >- - Kibana's operational status as well as a detailed breakdown of plugin - statuses indication of various loads (like event loop utilization and - network traffic) at time of request. + - data + Security_Timeline_API_PinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' + - type: object + properties: + pinnedEventId: + type: string + version: + type: string + required: + - pinnedEventId + - version + Security_Timeline_API_PinnedEventBaseResponseBody: + type: object + properties: + code: + type: number + message: + type: string + required: + - code + Security_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + operator: + nullable: true + type: string + value: + oneOf: + - nullable: true + type: string + - items: + type: string + nullable: true + type: array + Security_Timeline_API_ResolvedTimeline: + type: object + properties: + alias_purpose: + $ref: >- + #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose + alias_target_id: + type: string + outcome: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' + timeline: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject + required: + - timeline + - outcome + Security_Timeline_API_ResponseNote: + type: object + properties: + code: + type: number + message: + type: string + note: + $ref: '#/components/schemas/Security_Timeline_API_Note' + required: + - code + - message + - note + Security_Timeline_API_RowRendererId: + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Timeline_API_SavedObjectIds: + oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Timeline_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Timeline_API_SavedTimeline: type: object properties: - metrics: - additionalProperties: false - description: Metric groups collected by Kibana. - type: object - properties: - collection_interval_in_millis: - description: The interval at which metrics should be collected. - type: number - elasticsearch_client: - additionalProperties: false - description: Current network metrics of Kibana's Elasticsearch client. - type: object - properties: - totalActiveSockets: - description: Count of network sockets currently in use. - type: number - totalIdleSockets: - description: Count of network sockets currently idle. - type: number - totalQueuedRequests: - description: Count of requests not yet assigned to sockets. - type: number - required: - - totalActiveSockets - - totalIdleSockets - - totalQueuedRequests - last_updated: - description: The time metrics were collected. - type: string - required: - - elasticsearch_client - - last_updated - - collection_interval_in_millis - name: - description: Kibana instance name. + columns: + items: + $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' + nullable: true + type: array + created: + nullable: true + type: number + createdBy: + nullable: true type: string - status: - additionalProperties: false + dataProviders: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' + nullable: true + type: array + dataViewId: + nullable: true + type: string + dateRange: + nullable: true type: object properties: - core: - additionalProperties: false - description: Statuses of core Kibana services. - type: object - properties: - elasticsearch: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: >- - An unstructured set of extra metadata about this - service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - savedObjects: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: >- - An unstructured set of extra metadata about this - service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - required: - - elasticsearch - - savedObjects - overall: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical + end: + oneOf: + - nullable: true type: string - meta: - additionalProperties: {} - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. + - nullable: true + type: number + start: + oneOf: + - nullable: true type: string - required: - - level - - summary - - meta - plugins: - additionalProperties: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - description: A dynamic mapping of plugin ID to plugin status. - type: object - required: - - overall - - core - - plugins - uuid: - description: >- - Unique, generated Kibana instance UUID. This UUID should persist - even if the Kibana process restarts. + - nullable: true + type: number + description: + nullable: true type: string - version: - additionalProperties: false + eqlOptions: + nullable: true type: object properties: - build_date: - description: The date and time of this build. + eventCategoryField: + nullable: true type: string - build_flavor: - description: >- - The build flavour determines configuration and behavior of - Kibana. On premise users will almost always run the - "traditional" flavour, while other flavours are reserved for - Elastic-specific use cases. - enum: - - serverless - - traditional + query: + nullable: true type: string - build_hash: - description: >- - A unique hash value representing the git commit of this Kibana - build. + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true + type: string + timestampField: + nullable: true + type: string + eventType: + nullable: true + type: string + excludedRowRendererIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + nullable: true + type: array + filters: + items: + $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' + nullable: true + type: array + indexNames: + items: + type: string + nullable: true + type: array + kqlMode: + nullable: true + type: string + kqlQuery: + $ref: >- + #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult + nullable: true + savedQueryId: + nullable: true + type: string + savedSearchId: + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Timeline_API_Sort' + nullable: true + status: + enum: + - active + - draft + - immutable + nullable: true + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + title: + nullable: true + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + Security_Timeline_API_SavedTimelineWithSavedObjectId: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + savedObjectId: type: string - build_number: - description: >- - A monotonically increasing number, each subsequent build will - have a higher number. - type: number - build_snapshot: - description: Whether this build is a snapshot build. - type: boolean - number: - description: A semantic version number. + version: type: string required: - - number - - build_hash - - build_number - - build_snapshot - - build_flavor - - build_date - required: - - name - - uuid - - version - - status - - metrics - Machine_learning_APIs_mlSync200Response: + - savedObjectId + - version + Security_Timeline_API_SerializedFilterQueryResult: + type: object properties: - datafeedsAdded: - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. - type: object - datafeedsRemoved: - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. + filterQuery: + nullable: true type: object - savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated - savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted - title: Successful sync API response + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Timeline_API_SortObject' + type: array + Security_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. + enum: + - title + - description + - updated + - created + type: string + Security_Timeline_API_SortObject: type: object - Machine_learning_APIs_mlSync4xxResponse: properties: - error: - example: Unauthorized + columnId: + nullable: true type: string - message: + columnType: + nullable: true type: string - statusCode: - example: 401 - type: integer - title: Unsuccessful sync API response - type: object - Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for anomaly detection jobs - type: object - Machine_learning_APIs_mlSyncResponseDatafeeds: - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for datafeeds - type: object - Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for data frame analytics jobs - type: object - Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. - properties: - anomaly-detector: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. - type: object - data-frame-analytics: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. - type: object - trained-model: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: If saved objects are missing for trained models, they are created. - type: object - title: Sync API response for created saved objects - type: object - Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: + sortDirection: + nullable: true + type: string + Security_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - $ref: >- + #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + noteIds: + items: + type: string + nullable: true + type: array + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + Security_Timeline_API_TimelineSavedToReturnObject: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + noteIds: + items: + type: string + nullable: true + type: array + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + savedObjectId: + type: string + version: + type: string + required: + - savedObjectId + - version + Security_Timeline_API_TimelineStatus: description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. - properties: - anomaly-detector: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. - type: object - data-frame-analytics: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. - type: object - trained-model: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. - type: object - title: Sync API response for deleted saved objects - type: object - Machine_learning_APIs_mlSyncResponseSuccess: - description: The success or failure of the synchronization. - type: boolean - Machine_learning_APIs_mlSyncResponseTrainedModels: + The status of the timeline. Valid values are `active`, `draft`, and + `immutable`. + enum: + - active + - draft + - immutable + type: string + Security_Timeline_API_TimelineType: description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for trained models - type: object + The type of timeline to create. Valid values are `default` and + `template`. + enum: + - default + - template + type: string Serverless_saved_objects_400_response: title: Bad request type: object @@ -16682,6 +33500,44 @@ tags: permanently breaks future Kibana versions. name: saved objects x-displayName: Saved objects + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + x-displayName: Security AI assistant + - description: >- + You can create rules that automatically turn events and external alerts + sent to Elastic Security into detection alerts. These alerts are displayed + on the Detections page. + name: Security Detections API + x-displayName: Security detections + - description: >- + Endpoint Exceptions API allows you to manage detection rule endpoint + exceptions to prevent a rule from generating an alert from incoming events + even when the rule's other criteria are met. + name: Security Endpoint Exceptions API + x-displayName: Security endpoint exceptions + - description: Interact with and manage endpoints running the Elastic Defend integration. + name: Security Endpoint Management API + x-displayName: Security endpoint management + - description: '' + name: Security Entity Analytics API + x-displayName: Security entity analytics + - description: >- + Exceptions API allows you to manage detection rule exceptions to prevent a + rule from generating an alert from incoming events even when the rule's + other criteria are met. + name: Security Exceptions API + x-displayName: Security exceptions + - description: Lists API allows you to manage lists of keywords, IPs or IP ranges items. + name: Security Lists API + x-displayName: Security lists + - description: Run live queries, manage packs and saved queries. + name: Security Osquery API + x-displayName: Security Osquery + - description: >- + You can create Timelines and Timeline templates via the API, as well as + import new Timelines from an ndjson file. + name: Security Timeline API + x-displayName: Security timeline - description: SLO APIs enable you to define, manage and track service-level objectives name: slo - name: spaces diff --git a/oas_docs/output/kibana.staging.yaml b/oas_docs/output/kibana.staging.yaml index 3114d0bb7622a..91c28d6ec9388 100644 --- a/oas_docs/output/kibana.staging.yaml +++ b/oas_docs/output/kibana.staging.yaml @@ -42240,33 +42240,42 @@ tags: x-displayName: Saved objects - description: Manage and interact with Security Assistant resources. name: Security AI Assistant API + x-displayName: Security AI assistant - description: >- You can create rules that automatically turn events and external alerts sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page. name: Security Detections API + x-displayName: Security detections - description: >- Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Endpoint Exceptions API + x-displayName: Security endpoint exceptions - description: Interact with and manage endpoints running the Elastic Defend integration. name: Security Endpoint Management API + x-displayName: Security endpoint management - description: '' name: Security Entity Analytics API + x-displayName: Security entity analytics - description: >- Exceptions API allows you to manage detection rule exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Exceptions API + x-displayName: Security exceptions - description: Lists API allows you to manage lists of keywords, IPs or IP ranges items. name: Security Lists API + x-displayName: Security lists - description: Run live queries, manage packs and saved queries. name: Security Osquery API + x-displayName: Security Osquery - description: >- You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. name: Security Timeline API + x-displayName: Security timeline - description: SLO APIs enable you to define, manage and track service-level objectives name: slo - name: spaces diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index da28a9a3ade65..91c28d6ec9388 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -6578,6 +6578,270 @@ paths: summary: Search for annotations tags: - APM annotations + /api/asset_criticality: + delete: + description: Delete the asset criticality record for a specific entity. + operationId: DeleteAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + deleted: + description: >- + True if the record was deleted or false if the record did + not exist. + type: boolean + record: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: The deleted record if it existed. + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete an asset criticality record + tags: + - Security Entity Analytics API + get: + description: Get the asset criticality record for a specific entity. + operationId: GetAssetCriticalityRecord + parameters: + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get an asset criticality record + tags: + - Security Entity Analytics API + post: + description: > + Create or update an asset criticality record for a specific entity. + + + If a record already exists for the specified entity, that record is + overwritten with the specified value. If a record doesn't exist for the + specified entity, a new record is created. + operationId: CreateAssetCriticalityRecord + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + refresh: + description: >- + If 'wait_for' the request will wait for the index + refresh. + enum: + - wait_for + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + summary: Upsert an asset criticality record + tags: + - Security Entity Analytics API + /api/asset_criticality/bulk: + post: + description: > + Bulk upsert up to 1000 asset criticality records. + + + If asset criticality records already exist for the specified entities, + those records are overwritten with the specified values. If asset + criticality records don't exist for the specified entities, new records + are created. + operationId: BulkUpsertAssetCriticalityRecords + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 + type: object + properties: + records: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord + maxItems: 1000 + minItems: 1 + type: array + required: + - records + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem + type: array + stats: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: Bulk upsert asset criticality records + tags: + - Security Entity Analytics API + /api/asset_criticality/list: + get: + description: List asset criticality records, paging, sorting and filtering as needed. + operationId: FindAssetCriticalityRecords + parameters: + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - \@timestamp + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. + in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Bulk upload successful + summary: List asset criticality records + tags: + - Security Entity Analytics API /api/cases: delete: description: > @@ -8444,102 +8708,52 @@ paths: summary: Preview a saved object reference swap tags: - data views - /api/encrypted_saved_objects/_rotate_key: - post: - description: > - Superuser role required. - - - If a saved object cannot be decrypted using the primary encryption key, - then Kibana will attempt to decrypt it using the specified - decryption-only keys. In most of the cases this overhead is negligible, - but if you're dealing with a large number of saved objects and - experiencing performance issues, you may want to rotate the encryption - key. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: rotateEncryptionKey - parameters: - - description: > - Specifies a maximum number of saved objects that Kibana can process - in a single batch. Bulk key rotation is an iterative process since - Kibana may not be able to fetch and process all required saved - objects in one go and splits processing into consequent batches. By - default, the batch size is 10000, which is also a maximum allowed - value. - in: query - name: batch_size - required: false - schema: - default: 10000 - type: number - - description: > - Limits encryption key rotation only to the saved objects with the - specified type. By default, Kibana tries to rotate the encryption - key for all saved object types that may contain encrypted - attributes. - in: query - name: type - required: false - schema: - type: string + /api/detection_engine/index: + delete: + operationId: DeleteAlertsIndex responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: - examples: - rotateEncryptionKeyResponse: - $ref: '#/components/examples/Saved_objects_key_rotation_response' schema: type: object properties: - failed: - description: > - Indicates the number of the saved objects that were still - encrypted with one of the old encryption keys that Kibana - failed to re-encrypt with the primary key. - type: number - successful: - description: > - Indicates the total number of all encrypted saved objects - (optionally filtered by the requested `type`), regardless - of the key Kibana used for encryption. - - - NOTE: In most cases, `total` will be greater than - `successful` even if `failed` is zero. The reason is that - Kibana may not need or may not be able to rotate - encryption keys for all encrypted saved objects. - type: number - total: - description: > - Indicates the total number of all encrypted saved objects - (optionally filtered by the requested `type`), regardless - of the key Kibana used for encryption. - type: number - description: Indicates a successful call. - '400': + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - '429': + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - description: Already in progress. - summary: Rotate a key for encrypted saved objects + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: string + description: Index does not exist response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an alerts index tags: - - saved objects - /api/fleet/agent_download_sources: + - Security Detections API + - Alert index API get: - operationId: get-download-sources + operationId: ReadAlertsIndex responses: '200': content: @@ -8547,62 +8761,46 @@ paths: schema: type: object properties: - items: - items: - $ref: '#/components/schemas/Fleet_download_sources' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent binary download sources - tags: - - Elastic Agent binary download sources - post: - operationId: post-download-sources - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - type: string - id: - type: string - is_default: - type: boolean - name: - type: string - required: - - name - - host - - is_default - responses: - '200': + index_mapping_outdated: + nullable: true + type: boolean + name: + type: string + required: + - name + - index_mapping_outdated + description: Successful response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent binary download source + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Reads the alert index name if it exists tags: - - Elastic Agent binary download sources - /api/fleet/agent_download_sources/{sourceId}: - delete: - operationId: delete-download-source - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - Security Detections API + - Alert index API + post: + operationId: CreateAlertsIndex responses: '200': content: @@ -8610,18 +8808,52 @@ paths: schema: type: object properties: - id: - type: string + acknowledged: + type: boolean required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent binary download source by ID + - acknowledged + description: Successful response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not enough permissions response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Create an alerts index tags: - - Elastic Agent binary download sources + - Security Detections API + - Alert index API + /api/detection_engine/privileges: get: - operationId: get-one-download-source + description: > + Retrieves whether or not the user is authenticated, and the user's + Kibana + + space and index privileges, which determine if the user can create an + + index for the Elastic Security alerts generated by + + detection engine rules. + operationId: ReadPrivileges responses: '200': content: @@ -8629,602 +8861,511 @@ paths: schema: type: object properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' + has_encryption_key: + type: boolean + is_authenticated: + type: boolean required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent binary download source by ID + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Returns user privileges for the Kibana space tags: - - Elastic Agent binary download sources - parameters: - - in: path - name: sourceId - required: true - schema: - type: string - put: - operationId: update-download-source + - Security Detections API + - Privileges API + /api/detection_engine/rules: + delete: + description: Delete a detection rule using the `rule_id` or `id` field. + operationId: DeleteRule parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - type: string - is_default: - type: boolean - name: - type: string - required: - - name - - is_default - - host + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent binary download source by ID + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Delete a detection rule tags: - - Elastic Agent binary download sources - /api/fleet/agent_policies: + - Security Detections API + - Rules API get: - description: '' - operationId: agent-policy-list + description: Retrieve a detection rule using the `rule_id` or `id` field. + operationId: ReadRule parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_format' - - description: >- - When set to true, retrieve the related package policies for each - agent policy. + - description: The rule's `id` value. in: query - name: full + name: id + required: false schema: - type: boolean - - description: >- - When set to true, do not count how many agents are in the agent - policy, this can improve performance if you are searching over a - large number of agent policies. The "agents" property will always be - 0 if set to true. + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. in: query - name: noAgentCount + name: rule_id + required: false schema: - type: boolean + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent_policy' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent policies + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Retrieve a detection rule tags: - - Elastic Agent policies - post: - operationId: create-agent-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - Security Detections API + - Rules API + patch: + description: >- + Update specific fields of an existing detection rule using the `rule_id` + or `id` field. + operationId: PatchRule requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_agent_policy_create_request' + $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent policy + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Patch a detection rule tags: - - Elastic Agent policies - /api/fleet/agent_policies/_bulk_get: + - Security Detections API + - Rules API post: - operationId: bulk-get-agent-policies - parameters: - - $ref: '#/components/parameters/Fleet_format' + description: Create a new detection rule. + operationId: CreateRule requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of agent policy ids - items: - type: string - type: array - ignoreMissing: - type: boolean - required: - - ids + $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent_policy' - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get agent policies + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Create a detection rule tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}: - get: - description: Get one agent policy - operationId: agent-policy-info - parameters: [] + - Security Detections API + - Rules API + put: + description: > + Update a detection rule using the `rule_id` or `id` field. The original + rule is replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. + operationId: UpdateRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent policy by ID + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + description: Indicates a successful call. + summary: Update a detection rule tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - $ref: '#/components/parameters/Fleet_format' - put: - operationId: update-agent-policy + - Security Detections API + - Rules API + /api/detection_engine/rules/_bulk_action: + post: + description: >- + Apply a bulk action, such as bulk edit, duplicate, or delete, to + multiple detection rules. The bulk action is applied to all rules that + match the query or to the rules listed by their IDs. + operationId: PerformRulesBulkAction parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: Enables dry run mode for the request call. + in: query + name: dry_run + required: false + schema: + type: boolean requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_agent_policy_update_request' + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkDisableRules + - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' + - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' + - $ref: >- + #/components/schemas/Security_Detections_API_BulkDuplicateRules + - $ref: >- + #/components/schemas/Security_Detections_API_BulkManualRuleRun + - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionResponse + - $ref: >- + #/components/schemas/Security_Detections_API_BulkExportActionResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent policy by ID + summary: Apply a bulk action to detection rules tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/copy: - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - $ref: '#/components/parameters/Fleet_format' + - Security Detections API + - Bulk API + /api/detection_engine/rules/_bulk_create: post: - operationId: agent-policy-copy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + deprecated: true + description: Create new detection rules in bulk. + operationId: BulkCreateRules requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - description: - type: string - name: - type: string - required: - - name - description: '' + items: + $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' + type: array + description: A JSON array of rules, where each rule contains the required fields. + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: + $ref: >- + #/components/schemas/Security_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. + summary: Create multiple detection rules + tags: + - Security Detections API + - Bulk API + /api/detection_engine/rules/_bulk_delete: + delete: + deprecated: true + description: Delete detection rules in bulk. + operationId: BulkDeleteRules + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: type: object properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Copy agent policy by ID - tags: - - Elastic Agent policies - /api/fleet/agent_policies/{agentPolicyId}/download: - get: - operationId: agent-policy-download + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + rule_id: + $ref: >- + #/components/schemas/Security_Detections_API_RuleSignatureId + type: array + description: >- + A JSON array of `id` or `rule_id` fields of the rules you want to + delete. + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - type: string - description: OK + $ref: >- + #/components/schemas/Security_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. '400': - $ref: '#/components/responses/Fleet_error' - summary: Download agent policy by ID - tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: download - required: false - schema: - type: string - - in: query - name: standalone - required: false - schema: - type: string - - in: query - name: kubernetes - required: false - schema: - type: string - /api/fleet/agent_policies/{agentPolicyId}/full: - get: - operationId: agent-policy-full - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - oneOf: - - type: string - - $ref: '#/components/schemas/Fleet_agent_policy_full' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get full agent policy by ID + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Delete multiple detection rules tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: download - required: false - schema: - type: string - - in: query - name: standalone - required: false - schema: - type: string - - in: query - name: kubernetes - required: false - schema: - type: string - /api/fleet/agent_policies/delete: - parameters: [] + - Security Detections API + - Bulk API post: - operationId: delete-agent-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + deprecated: true + description: Deletes multiple rules. + operationId: BulkDeleteRulesPost requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - agentPolicyId: - type: string - force: - description: >- - bypass validation checks that can prevent agent policy - deletion - type: boolean - required: - - agentPolicyId + items: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + rule_id: + $ref: >- + #/components/schemas/Security_Detections_API_RuleSignatureId + type: array + description: >- + A JSON array of `id` or `rule_id` fields of the rules you want to + delete. + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - id: - type: string - success: - type: boolean - required: - - id - - success - description: OK + $ref: >- + #/components/schemas/Security_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent policy by ID - tags: - - Elastic Agent policies - /api/fleet/agent_status: - get: - operationId: get-agent-status - parameters: - - in: query - name: policyId - required: false - schema: - type: string - - deprecated: true - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - active: - type: integer - all: - type: integer - error: - type: integer - events: - type: integer - inactive: - type: integer - offline: - type: integer - online: - type: integer - other: - type: integer - total: - deprecated: true - type: integer - unenrolled: - type: integer - updating: - type: integer - required: - - active - - all - - error - - events - - inactive - - offline - - online - - other - - total - - updating - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent status summary - tags: - - Elastic Agent status - /api/fleet/agent_status/data: - get: - operationId: get-agent-data - parameters: - - in: query - name: agentsIds - required: true - schema: - items: - type: string - type: array - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - additionalProperties: - type: object - properties: - data: - type: boolean - type: object - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get incoming agent data + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Delete multiple detection rules tags: - - Elastic Agent status - /api/fleet/agent-status: - get: + - Security Detections API + - Bulk API + /api/detection_engine/rules/_bulk_update: + patch: deprecated: true - operationId: get-agent-status-deprecated - parameters: - - in: query - name: policyId - required: false - schema: - type: string + description: >- + Update specific fields of existing detection rules using the `rule_id` + or `id` field. + operationId: BulkPatchRules + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' + type: array + description: A JSON array of rules, where each rule contains the required fields. + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - error: - type: integer - events: - type: integer - inactive: - type: integer - offline: - type: integer - online: - type: integer - other: - type: integer - total: - type: integer - updating: - type: integer - required: - - error - - events - - inactive - - offline - - online - - other - - total - - updating - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent status summary + $ref: >- + #/components/schemas/Security_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. + summary: Patch multiple detection rules tags: - - Elastic Agent status - /api/fleet/agents: - get: - operationId: get-agents - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_show_inactive' - - $ref: '#/components/parameters/Fleet_show_upgradeable' - - $ref: '#/components/parameters/Fleet_sort_field' - - $ref: '#/components/parameters/Fleet_sort_order' - - $ref: '#/components/parameters/Fleet_with_metrics' - - in: query - name: getStatusSummary - required: false - schema: - type: boolean + - Security Detections API + - Bulk API + put: + deprecated: true + description: > + Update multiple detection rules using the `rule_id` or `id` field. The + original rules are replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. + operationId: BulkUpdateRules + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' + type: array + description: >- + A JSON array where each element includes the `id` or `rule_id` field + of the rule you want to update and the fields you want to modify. + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_get_agents_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agents + $ref: >- + #/components/schemas/Security_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. + summary: Update multiple detection rules tags: - - Elastic Agents + - Security Detections API + - Bulk API + /api/detection_engine/rules/_export: post: - operationId: get-agents-by-actions + description: > + Export detection rules to an `.ndjson` file. The following configuration + items are also included in the `.ndjson` file: + + - Actions + + - Exception lists + + > info + + > You cannot export prebuilt rules. + operationId: ExportRules parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: File name for saving the exported rules. + in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: + nullable: true type: object properties: - actionIds: + objects: + description: >- + Array of `rule_id` fields. Exports all rules when + unspecified. items: - type: string + type: object + properties: + rule_id: + $ref: >- + #/components/schemas/Security_Detections_API_RuleSignatureId + required: + - rule_id type: array required: - - policy_id - required: true + - objects + required: false responses: '200': content: - application/json; Elastic-Api-Version=2023-10-31: + application/ndjson; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_agent_get_by_actions' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agents by action ids + description: An `.ndjson` file containing the returned rules. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules tags: - - Elastic Agents - /api/fleet/agents/{agentId}: - delete: - operationId: delete-agent + - Security Detections API + - Import/Export API + /api/detection_engine/rules/_find: + get: + description: >- + Retrieve a paginated list of detection rules. By default, the first page + is returned, with 20 results per page. + operationId: FindRules parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer responses: '200': content: @@ -9232,98 +9373,371 @@ paths: schema: type: object properties: - action: - enum: - - deleted - type: string - required: - - action - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent by ID - tags: - - Elastic Agents - get: - operationId: get-agent + data: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RuleResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + summary: List all detection rules + tags: + - Security Detections API + - Rules API + /api/detection_engine/rules/_import: + post: + description: > + Import detection rules from an `.ndjson` file, including actions and + exception lists. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - A link to the `.ndjson` file containing the rules. + operationId: ImportRules parameters: - - $ref: '#/components/parameters/Fleet_with_metrics' + - description: >- + Determines whether existing rules with the same `rule_id` are + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing exception lists with the same `list_id` + are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing actions with the same + `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. + format: binary + type: string + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: false type: object properties: - item: - $ref: '#/components/schemas/Fleet_agent' + action_connectors_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: >- + #/components/schemas/Security_Detections_API_WarningSchema + type: array + errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_errors: + items: + $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent by ID + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules tags: - - Elastic Agents - parameters: - - in: path - name: agentId - required: true - schema: - type: string - put: - operationId: update-agent + - Security Detections API + - Import/Export API + /api/detection_engine/rules/{id}/exceptions: + post: + description: Create exception items that apply to a single detection rule. + operationId: CreateRuleExceptionListItems parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: Detection rule's identifier + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_RuleId' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - tags: + items: items: - type: string + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps type: array - user_provided_metadata: - type: object + required: + - items + description: Rule exception list items required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create rule exception list items + tags: + - Security Exceptions API + /api/detection_engine/rules/prepackaged: + put: + description: Install and update all Elastic prebuilt detection rules and Timelines. + operationId: InstallPrebuiltRulesAndTimelines + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false type: object properties: - item: - $ref: '#/components/schemas/Fleet_agent' + rules_installed: + description: The number of rules installed + minimum: 0 + type: integer + rules_updated: + description: The number of rules updated + minimum: 0 + type: integer + timelines_installed: + description: The number of timelines installed + minimum: 0 + type: integer + timelines_updated: + description: The number of timelines updated + minimum: 0 + type: integer required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent by ID + - rules_installed + - rules_updated + - timelines_installed + - timelines_updated + description: Indicates a successful call + summary: Install prebuilt detection rules and Timelines tags: - - Elastic Agents - /api/fleet/agents/{agentId}/actions: - parameters: - - in: path - name: agentId - required: true - schema: - type: string + - Security Detections API + - Prebuilt Rules API + /api/detection_engine/rules/prepackaged/_status: + get: + description: >- + Retrieve the status of all Elastic prebuilt detection rules and + Timelines. + operationId: ReadPrebuiltRulesAndTimelinesStatus + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + rules_custom_installed: + description: The total number of custom rules + minimum: 0 + type: integer + rules_installed: + description: The total number of installed prebuilt rules + minimum: 0 + type: integer + rules_not_installed: + description: >- + The total number of available prebuilt rules that are not + installed + minimum: 0 + type: integer + rules_not_updated: + description: The total number of outdated prebuilt rules + minimum: 0 + type: integer + timelines_installed: + description: The total number of installed prebuilt timelines + minimum: 0 + type: integer + timelines_not_installed: + description: >- + The total number of available prebuilt timelines that are + not installed + minimum: 0 + type: integer + timelines_not_updated: + description: The total number of outdated prebuilt timelines + minimum: 0 + type: integer + required: + - rules_custom_installed + - rules_installed + - rules_not_installed + - rules_not_updated + - timelines_installed + - timelines_not_installed + - timelines_not_updated + description: Indicates a successful call + summary: Retrieve the status of prebuilt detection rules and Timelines + tags: + - Security Detections API + - Prebuilt Rules API + /api/detection_engine/rules/preview: post: - operationId: new-agent-action + operationId: RulePreview parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: >- + Enables logging and returning in response ES queries, performed + during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - action: - $ref: '#/components/schemas/Fleet_agent_action' + anyOf: + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_EsqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewParams + discriminator: + propertyName: type + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied required: true responses: '200': @@ -9332,874 +9746,1082 @@ paths: schema: type: object properties: - body: + isAborted: + type: boolean + logs: items: - type: number + $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewLogs type: array - headers: - type: string - statusCode: - type: number - description: OK + previewId: + $ref: >- + #/components/schemas/Security_Detections_API_NonEmptyString + required: + - logs + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent action + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Preview rule alerts generated on specified time range tags: - - Elastic Agent actions - /api/fleet/agents/{agentId}/reassign: - parameters: - - in: path - name: agentId - required: true - schema: - type: string + - Security Detections API + - Rule preview API + /api/detection_engine/signals/assignees: post: - operationId: reassign-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: | + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - policy_id: - type: string + assignees: + $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' + description: Details about the assignees to assign and unassign. + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + description: List of alerts ids to assign and unassign passed assignees. required: - - policy_id + - assignees + - ids required: true responses: '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: OK + description: Indicates a successful call. '400': - $ref: '#/components/responses/Fleet_error' - summary: Reassign agent + description: Invalid request. + summary: Assign and unassign users from detection alerts tags: - - Elastic Agents - put: - deprecated: true - operationId: reassign-agent-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: + - Security Detections API + /api/detection_engine/signals/finalize_migration: + post: + description: > + Finalize successful migrations of detection alerts. This replaces the + original index's alias with the successfully migrated index's alias. + + The endpoint is idempotent; therefore, it can safely be used to poll a + given migration and, upon completion, + + finalize it. + operationId: FinalizeAlertsMigration + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - policy_id: - type: string + migration_ids: + items: + type: string + minItems: 1 + type: array required: - - policy_id + - migration_ids + description: Array of `migration_id`s to finalize required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - description: OK + items: + $ref: >- + #/components/schemas/Security_Detections_API_MigrationFinalizationResult + type: array + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Reassign agent + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Finalize detection alert migrations tags: - - Elastic Agents - /api/fleet/agents/{agentId}/request_diagnostics: - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: request-diagnostics-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - Security Detections API + - Alerts migration API + /api/detection_engine/signals/migration: + delete: + description: > + Migrations favor data integrity over shard size. Consequently, unused or + orphaned indices are artifacts of + + the migration process. A successful migration will result in both the + old and new indices being present. + + As such, the old, orphaned index can (and likely should) be deleted. + + + While you can delete these indices manually, + + the endpoint accomplishes this task by applying a deletion policy to the + relevant index, causing it to be deleted + + after 30 days. It also deletes other artifacts specific to the migration + implementation. + operationId: AlertsMigrationCleanup requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - additional_metrics: + migration_ids: items: - oneOf: - - enum: - - CPU - type: string + type: string + minItems: 1 type: array + required: + - migration_ids + description: Array of `migration_id`s to cleanup + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - actionId: - type: string - description: OK + items: + $ref: >- + #/components/schemas/Security_Detections_API_MigrationCleanupResult + type: array + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Request agent diagnostics + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Clean up detection alert migrations tags: - - Elastic Agents - /api/fleet/agents/{agentId}/unenroll: - parameters: - - in: path - name: agentId - required: true - schema: - type: string + - Security Detections API + - Alerts migration API post: - operationId: unenroll-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: > + Initiate a migration of detection alerts. + + Migrations are initiated per index. While the process is neither + destructive nor interferes with existing data, it may be + resource-intensive. As such, it is recommended that you plan your + migrations accordingly. + operationId: CreateAlertsMigration requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - force: - type: boolean - revoke: - type: boolean + allOf: + - type: object + properties: + index: + items: + $ref: >- + #/components/schemas/Security_Detections_API_NonEmptyString + minItems: 1 + type: array + required: + - index + - $ref: >- + #/components/schemas/Security_Detections_API_AlertsReindexOptions + description: Alerts migration parameters + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object - description: OK + properties: + indices: + items: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess + - $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexMigrationError + - $ref: >- + #/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration + type: array + required: + - indices + description: Successful response '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Initiate a detection alert migration + tags: + - Security Detections API + - Alerts migration API + /api/detection_engine/signals/migration_status: + post: + description: >- + Retrieve indices that contain detection alerts of a particular age, + along with migration information for each of those indices. + operationId: ReadAlertsMigrationStatus + parameters: + - description: Maximum age of qualifying detection alerts + in: query + name: from + required: true + schema: + description: > + Time from which data is analyzed. For example, now-4200s means the + rule analyzes data from 70 minutes + + before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). + format: date-math + type: string + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - error: - type: string - message: - type: string - statusCode: - enum: - - 400 - type: number - description: BAD REQUEST - summary: Unenroll agent + indices: + items: + $ref: >- + #/components/schemas/Security_Detections_API_IndexMigrationStatus + type: array + required: + - indices + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Retrieve the status of detection alert migrations tags: - - Elastic Agents - /api/fleet/agents/{agentId}/upgrade: - parameters: - - in: path - name: agentId - required: true - schema: - type: string + - Security Detections API + - Alerts migration API + /api/detection_engine/signals/search: post: - operationId: upgrade-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_upgrade_agent' + description: Elasticsearch query and aggregation request + type: object + properties: + _source: + oneOf: + - type: boolean + - type: string + - items: + type: string + type: array + aggs: + additionalProperties: true + type: object + fields: + items: + type: string + type: array + query: + additionalProperties: true + type: object + runtime_mappings: + additionalProperties: true + type: object + size: + minimum: 0 + type: integer + sort: + $ref: '#/components/schemas/Security_Detections_API_AlertsSort' + track_total_hits: + type: boolean + description: Search and/or aggregation query required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_upgrade_agent' - description: OK + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Upgrade agent + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Find and/or aggregate detection alerts tags: - - Elastic Agents - /api/fleet/agents/{agentId}/uploads: - get: - operationId: list-agent-uploads + - Security Detections API + - Alerts API + /api/detection_engine/signals/status: + post: + description: Set the status of one or more detection alerts. + operationId: SetAlertsStatus + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByIds + - $ref: >- + #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery + description: >- + An object containing desired status and explicit alert ids or a query + to select alerts + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: true + description: Elasticsearch update by query response type: object - properties: - body: - type: object - properties: - item: - items: - $ref: '#/components/schemas/Fleet_agent_diagnostics' - type: array - description: OK + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent uploads - tags: - - Elastic Agents - parameters: - - in: path - name: agentId - required: true - schema: - type: string - /api/fleet/agents/action_status: - get: - operationId: agents-action-status - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - in: query - name: errorSize - schema: - default: 5 - type: integer - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - type: object - properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action - type: string - expiration: - type: string - latestErrors: - description: >- - latest errors that happened when the agents executed - the action - items: - type: object - properties: - agentId: - type: string - error: - type: string - timestamp: - type: string - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: string - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - POLICY_REASSIGN - - UPGRADE - - UNENROLL - - FORCE_UNENROLL - - UPDATE_TAGS - - CANCEL - - REQUEST_DIAGNOSTICS - - SETTINGS - - POLICY_CHANGE - - INPUT_ACTION - type: string - version: - description: agent version number (UPGRADE action) - type: string - required: - - actionId - - complete - - nbAgentsActioned - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - status - - creationTime - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent action status - tags: - - Elastic Agent actions - /api/fleet/agents/actions/{actionId}/cancel: - parameters: - - in: path - name: actionId - required: true - schema: - type: string - post: - operationId: agent-action-cancel - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_action' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Cancel agent action + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Set a detection alert status tags: - - Elastic Agent actions - /api/fleet/agents/bulk_reassign: + - Security Detections API + - Alerts API + /api/detection_engine/signals/tags: post: - operationId: bulk-reassign-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: | + And tags to detection alerts, and remove them from alerts. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags requestBody: content: application/json; Elastic-Api-Version=2023-10-31: - example: - agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' - policy_id: policy_id schema: type: object properties: - agents: - oneOf: - - description: KQL query string, leave empty to action all agents - type: string - - description: list of agent IDs - items: - type: string - type: array - policy_id: - description: new agent policy id - type: string + ids: + $ref: '#/components/schemas/Security_Detections_API_AlertIds' + tags: + $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' required: - - policy_id - - agents + - ids + - tags + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: true + description: Elasticsearch update by query response type: object - properties: - actionId: - type: string - description: OK + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk reassign agents + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' + description: Internal server error response + summary: Add and remove detection alert tags tags: - - Elastic Agents - /api/fleet/agents/bulk_request_diagnostics: - post: - operationId: bulk-request-diagnostics - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' - schema: - type: object - properties: - additional_metrics: - items: - oneOf: - - enum: - - CPU - type: string - type: array - agents: - oneOf: - - description: KQL query string, leave empty to action all agents - type: string - - description: list of agent IDs - items: - type: string - type: array - batchSize: - type: number - required: - - agents + - Security Detections API + - Alerts API + /api/detection_engine/tags: + get: + description: List all unique tags from all detection rules. + operationId: ReadTags responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk request diagnostics from agents + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + description: Indicates a successful call + summary: List all detection rule tags tags: - - Elastic Agents - /api/fleet/agents/bulk_unenroll: + - Security Detections API + - Tags API + /api/encrypted_saved_objects/_rotate_key: post: - operationId: bulk-unenroll-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - force: false - revoke: true - schema: - type: object - properties: - agents: - oneOf: - - description: KQL query string, leave empty to action all agents - type: string - - description: list of agent IDs - items: - type: string - type: array - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: >- - When passing agents by KQL query, unenrolls inactive agents - too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents + description: > + Superuser role required. + + + If a saved object cannot be decrypted using the primary encryption key, + then Kibana will attempt to decrypt it using the specified + decryption-only keys. In most of the cases this overhead is negligible, + but if you're dealing with a large number of saved objects and + experiencing performance issues, you may want to rotate the encryption + key. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: rotateEncryptionKey + parameters: + - description: > + Specifies a maximum number of saved objects that Kibana can process + in a single batch. Bulk key rotation is an iterative process since + Kibana may not be able to fetch and process all required saved + objects in one go and splits processing into consequent batches. By + default, the batch size is 10000, which is also a maximum allowed + value. + in: query + name: batch_size + required: false + schema: + default: 10000 + type: number + - description: > + Limits encryption key rotation only to the saved objects with the + specified type. By default, Kibana tries to rotate the encryption + key for all saved object types that may contain encrypted + attributes. + in: query + name: type + required: false + schema: + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: + examples: + rotateEncryptionKeyResponse: + $ref: '#/components/examples/Saved_objects_key_rotation_response' schema: type: object properties: - actionId: - type: string - description: OK + failed: + description: > + Indicates the number of the saved objects that were still + encrypted with one of the old encryption keys that Kibana + failed to re-encrypt with the primary key. + type: number + successful: + description: > + Indicates the total number of all encrypted saved objects + (optionally filtered by the requested `type`), regardless + of the key Kibana used for encryption. + + + NOTE: In most cases, `total` will be greater than + `successful` even if `failed` is zero. The reason is that + Kibana may not need or may not be able to rotate + encryption keys for all encrypted saved objects. + type: number + total: + description: > + Indicates the total number of all encrypted saved objects + (optionally filtered by the requested `type`), regardless + of the key Kibana used for encryption. + type: number + description: Indicates a successful call. '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk unenroll agents - tags: - - Elastic Agents - /api/fleet/agents/bulk_update_agent_tags: - post: - operationId: bulk-update-agent-tags - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - tagsToAdd: - - newTag - tagsToRemove: - - existingTag - schema: - type: object - properties: - agents: - oneOf: - - description: KQL query string, leave empty to action all agents - type: string - - description: list of agent IDs - items: - type: string - type: array - batchSize: - type: number - tagsToAdd: - items: - type: string - type: array - tagsToRemove: - items: - type: string - type: array - required: - - agents - responses: - '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + '429': content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk update agent tags + description: Already in progress. + summary: Rotate a key for encrypted saved objects tags: - - Elastic Agents - /api/fleet/agents/bulk_upgrade: + - saved objects + /api/endpoint_list: post: - operationId: bulk-upgrade-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - rollout_duration_seconds: 3600 - source_uri: https://artifacts.elastic.co/downloads/beats/elastic-agent - start_time: '2022-08-03T14:00:00.000Z' - version: 8.4.0 - schema: - $ref: '#/components/schemas/Fleet_bulk_upgrade_agents' - required: true + description: >- + Create an endpoint exception list, which groups endpoint exception list + items. If an endpoint exception list already exists, an empty response + is returned. + operationId: CreateEndpointList responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - actionId: - type: string - description: OK + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk upgrade agents + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an endpoint exception list tags: - - Elastic Agents - /api/fleet/agents/files/{fileId}: + - Security Endpoint Exceptions API + /api/endpoint_list/items: delete: - operationId: delete-agent-upload-file + description: >- + Delete an endpoint exception list item using the `id` or `item_id` + field. + operationId: DeleteEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - body: - type: object - properties: - deleted: - type: boolean - id: - type: string - description: OK + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete file uploaded by agent - tags: - - Elastic Agents - parameters: - - in: path - name: fileId - required: true - schema: - type: string - /api/fleet/agents/files/{fileId}/{fileName}: - get: - operationId: get-agent-upload-file - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - body: - type: object - properties: - items: - type: object - properties: - body: {} - headers: {} - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get file uploaded by agent + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Delete an endpoint exception list item tags: - - Elastic Agents - parameters: - - in: path - name: fileId - required: true - schema: - type: string - - in: path - name: fileName - required: true - schema: - type: string - /api/fleet/agents/setup: + - Security Endpoint Exceptions API get: - operationId: get-agents-setup-status + description: >- + Get the details of an endpoint exception list item using the `id` or + `item_id` field. + operationId: ReadEndpointListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_fleet_status_response' - description: OK + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + type: array + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent setup info + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get an endpoint exception list item tags: - - Elastic Agents + - Security Endpoint Exceptions API post: - operationId: setup-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + description: >- + Create an endpoint exception list item, and associate it with the + endpoint exception list. + operationId: CreateEndpointListItem requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - admin_password: - type: string - admin_username: - type: string + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType required: - - admin_username - - admin_password + - type + - name + - description + - entries + description: Exception list item's properties + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_fleet_setup_response' - description: OK + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Initiate agent setup - tags: - - Elastic Agents - /api/fleet/agents/tags: - get: - operationId: get-agent-tags - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_get_agent_tags_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent tags - tags: - - Elastic Agents - /api/fleet/data_streams: - get: - operationId: data-streams-list - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - data_streams: - items: - $ref: '#/components/schemas/Fleet_data_stream' - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List data streams - tags: - - Data streams - parameters: [] - /api/fleet/enrollment_api_keys: - get: - operationId: get-enrollment-api-keys - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - responses: - '200': + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - page - - perPage - - total - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List enrollment API keys + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item already exists + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Create an endpoint exception list item tags: - - Fleet enrollment API keys - post: - operationId: create-enrollment-api-keys - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - Security Endpoint Exceptions API + put: + description: >- + Update an endpoint exception list item using the `id` or `item_id` + field. + operationId: UpdateEndpointListItem requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - name: - description: The name of the enrollment API key. Must be unique. - type: string - policy_id: - description: >- - The ID of the agent policy the Elastic Agent will be - enrolled in. + _version: type: string + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType required: - - policy_id + - type + - name + - description + - entries + description: Exception list item's properties + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - action: - enum: - - created - type: string - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - description: OK + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Create enrollment API key - tags: - - Fleet enrollment API keys - /api/fleet/enrollment_api_keys/{keyId}: - delete: - operationId: delete-enrollment-api-key - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Revoke enrollment API key by ID by marking it as inactive - tags: - - Fleet enrollment API keys - get: - operationId: get-enrollment-api-key - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get enrollment API key by ID + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Update an endpoint exception list item tags: - - Fleet enrollment API keys - parameters: - - in: path - name: keyId - required: true - schema: - type: string - /api/fleet/enrollment-api-keys: + - Security Endpoint Exceptions API + /api/endpoint_list/items/_find: get: - deprecated: true - operationId: get-enrollment-api-keys-deprecated - parameters: [] + description: Get a list of all endpoint exception list items. + operationId: FindEndpointListItems + parameters: + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string responses: '200': content: @@ -10207,206 +10829,203 @@ paths: schema: type: object properties: - items: - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - list: - deprecated: true + data: items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem type: array page: - type: number - perPage: - type: number + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + pit: + type: string total: - type: number + minimum: 0 + type: integer required: - - items + - data - page - - perPage + - per_page - total - description: OK + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: List enrollment API keys + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Get endpoint exception list items tags: - - Fleet enrollment API keys - post: - deprecated: true - operationId: create-enrollment-api-keys-deprecated + - Security Endpoint Exceptions API + /api/endpoint/action: + get: + description: Get a list of all response actions. + operationId: EndpointGetActionsList parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - action: - enum: - - created - type: string - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create enrollment API key + summary: Get response actions tags: - - Fleet enrollment API keys - /api/fleet/enrollment-api-keys/{keyId}: - delete: + - Security Endpoint Management API + /api/endpoint/action_log/{agent_id}: + get: deprecated: true - operationId: delete-enrollment-api-key-deprecated + description: Get an action request log for the specified agent ID. + operationId: EndpointGetActionLog parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: agent_id + required: true + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionLogRequestQuery responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete enrollment API key by ID + summary: Get an action request log tags: - - Fleet enrollment API keys + - Security Endpoint Management API + /api/endpoint/action_status: get: - deprecated: true - operationId: get-enrollment-api-key-deprecated + description: Get the status of response actions for the specified agent IDs. + operationId: EndpointGetActionsStatus + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + agent_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - required: - - item + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get enrollment API key by ID + summary: Get response actions status tags: - - Fleet enrollment API keys - parameters: - - in: path - name: keyId - required: true - schema: - type: string - /api/fleet/epm/bulk_assets: - post: - operationId: bulk-get-assets - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - assetIds: - description: list of items necessary to fetch assets - items: - type: object - properties: - id: - type: string - type: - type: string - type: array - required: - - assetIds + - Security Endpoint Management API + /api/endpoint/action/{action_id}: + get: + description: Get the details of a response action using the action ID. + operationId: EndpointGetActionsDetails + parameters: + - in: path + name: action_id + required: true + schema: + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_get_bulk_assets_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get assets + summary: Get action details tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/categories: + - Security Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}: get: - operationId: get-package-categories + description: Get information for the specified file using the file ID. + operationId: EndpointFileInfo + parameters: + - in: path + name: action_id + required: true + schema: + type: string + - in: path + name: file_id + required: true + schema: + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_get_categories_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List package categories + summary: Get file information tags: - - Elastic Package Manager (EPM) - parameters: - - description: >- - Whether to include prerelease packages in categories count (e.g. beta, - rc, preview) - in: query - name: prerelease - schema: - default: false - type: boolean - - deprecated: true - in: query - name: experimental - schema: - default: false - type: boolean - - in: query - name: include_policy_templates - schema: - default: false - type: boolean - /api/fleet/epm/packages: + - Security Endpoint Management API + /api/endpoint/action/{action_id}/file/{file_id}/download: get: - operationId: list-all-packages + description: Download a file from an endpoint. + operationId: EndpointFileDownload parameters: - - description: >- - Whether to exclude the install status of each package. Enabling this - option will opt in to caching for the response via `cache-control` - headers. If you don't need up-to-date installation info for a - package, and are querying for a list of available packages, - providing this flag can improve performance substantially. - in: query - name: excludeInstallStatus - schema: - default: false - type: boolean - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - - deprecated: true - in: query - name: experimental + - in: path + name: action_id + required: true schema: - default: false - type: boolean - - in: query - name: category + type: string + - in: path + name: file_id + required: true schema: type: string responses: @@ -10414,966 +11033,536 @@ paths: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_get_packages_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List packages + summary: Download a file tags: - - Elastic Package Manager (EPM) + - Security Endpoint Management API + /api/endpoint/action/execute: post: - description: '' - operationId: install-package-by-upload - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors - schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover - schema: - default: false - type: boolean + description: Run a shell command on an endpoint. + operationId: EndpointExecuteAction requestBody: content: - application/gzip; Elastic-Api-Version=2023-10-31: - schema: - format: binary - type: string - application/zip; Elastic-Api-Version=2023-10-31: + application/json; Elastic-Api-Version=2023-10-31: schema: - format: binary - type: string + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - _meta: - type: object - properties: - install_source: - enum: - - upload - - registry - - bundled - type: string - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '429': - $ref: '#/components/responses/Fleet_error' - summary: Install by package by direct upload + summary: Run a command tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk: + - Security Endpoint Management API + /api/endpoint/action/get_file: post: - operationId: bulk-install-packages - parameters: - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean + description: Get a file from an endpoint. + operationId: EndpointGetFileAction requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - force: - description: force install to ignore package verification errors - type: boolean - packages: - description: list of packages to install - items: - oneOf: - - description: package name - type: string - - type: object - properties: - name: - description: package name - type: string - version: - description: package version - type: string - type: array - required: - - packages + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_bulk_install_packages_response' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk install packages + summary: Get a file tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgkey}: - delete: - deprecated: true - operationId: delete-package-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgkey - required: true - schema: - type: string + - Security Endpoint Management API + /api/endpoint/action/isolate: + post: + description: >- + Isolate an endpoint from the network. The endpoint remains isolated + until it's released. + operationId: EndpointIsolateAction requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - force: - type: boolean + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - response: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - response + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete ackage + summary: Isolate an endpoint tags: - - Elastic Package Manager (EPM) - get: - deprecated: true - operationId: get-package-deprecated - parameters: - - in: path - name: pkgkey - required: true - schema: - type: string - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean + - Security Endpoint Management API + /api/endpoint/action/kill_process: + post: + description: Terminate a running process on an endpoint. + operationId: EndpointKillProcessAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - allOf: - - properties: - response: - $ref: '#/components/schemas/Fleet_package_info' - - properties: - savedObject: - type: string - status: - enum: - - installed - - installing - - install_failed - - not_installed - type: string - required: - - status - - savedObject - type: object + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package + summary: Terminate a process tags: - - Elastic Package Manager (EPM) + - Security Endpoint Management API + /api/endpoint/action/running_procs: post: - deprecated: true - description: '' - operationId: install-package-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgkey - required: true - schema: - type: string - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors - schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover - schema: - default: false - type: boolean + description: Get a list of all processes running on an endpoint. + operationId: EndpointGetProcessesAction requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - force: - type: boolean + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - response: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - response + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Install package + summary: Get running processes tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}: - delete: - operationId: delete-package - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: delete package even if policies used by agents - in: query - name: force - schema: - type: boolean + - Security Endpoint Management API + /api/endpoint/action/scan: + post: + description: Scan a specific file or directory on an endpoint for malware. + operationId: EndpointScanAction requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - deprecated: true - type: object - properties: - force: - type: boolean + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package + summary: Scan a file or directory tags: - - Elastic Package Manager (EPM) + - Security Endpoint Management API + /api/endpoint/action/state: get: - operationId: get-package + description: >- + Get a response actions state, which reports whether encryption is + enabled. + operationId: EndpointGetActionsState responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - allOf: - - properties: - item: - $ref: '#/components/schemas/Fleet_package_info' - - properties: - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - licensePath: - type: string - notice: - type: string - savedObject: - deprecated: true - type: object - status: - enum: - - installed - - installing - - install_failed - - not_installed - type: string - required: - - status - - savedObject - type: object + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package + summary: Get actions state tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion + - Security Endpoint Management API + /api/endpoint/action/suspend_process: + post: + description: Suspend a running process on an endpoint. + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody required: true - schema: - type: string - - description: Ignore if the package is fails signature verification - in: query - name: ignoreUnverified - schema: - type: boolean - - description: >- - Return all fields from the package manifest, not just those supported - by the Elastic Package Registry - in: query - name: full - schema: - type: boolean - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse + description: OK + summary: Suspend a process + tags: + - Security Endpoint Management API + /api/endpoint/action/unisolate: post: - description: '' - operationId: install-package - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors - schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover - schema: - default: false - type: boolean + description: Release an isolated endpoint, allowing it to rejoin a network. + operationId: EndpointUnisolateAction requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - force: - type: boolean - ignore_constraints: - type: boolean + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - _meta: - type: object - properties: - install_source: - enum: - - registry - - upload - - bundled - type: string - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Install package + summary: Release an isolated endpoint tags: - - Elastic Package Manager (EPM) - put: - description: '' - operationId: update-package + - Security Endpoint Management API + /api/endpoint/action/upload: + post: + description: Upload a file to an endpoint. + operationId: EndpointUploadAction requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - keepPoliciesUpToDate: - type: boolean + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: - get: - operationId: packages-get-file - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - headers: - type: object - statusCode: - type: number + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package file + summary: Upload a file tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: path - name: filePath - required: true - schema: - type: string - /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + - Security Endpoint Management API + /api/endpoint/isolate: post: - description: '' - operationId: reauthorize-transforms - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - description: >- - Whether to include prerelease packages in categories count (e.g. - beta, rc, preview) - in: query - name: prerelease - schema: - default: false - type: boolean + deprecated: true + description: > + Isolate an endpoint from the network. + + > info + + > This URL will return a 308 permanent redirect to `POST :/api/endpoint/action/isolate`. + operationId: EndpointIsolateRedirect requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - transforms: - items: - type: object - properties: - transformId: - type: string - type: array + agent_type: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - type: object - properties: - error: - type: string - success: - type: boolean - transformId: - type: string - required: - - transformId - - error - type: array - required: - - items + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Authorize transforms + '308': + description: Permanent Redirect + headers: + Location: + description: Permanently redirects to "/api/endpoint/action/isolate" + schema: + example: /api/endpoint/action/isolate + type: string + summary: Isolate an endpoint tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/{pkgName}/stats: + - Security Endpoint Management API + /api/endpoint/metadata: get: - operationId: get-package-stats + operationId: GetEndpointMetadataList + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ListRequestQuery responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - response: - $ref: '#/components/schemas/Fleet_package_usage_stats' - required: - - response + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package stats + summary: Get a metadata list tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - /api/fleet/epm/packages/limited: + - Security Endpoint Management API + /api/endpoint/metadata/{id}: get: - operationId: list-limited-packages + operationId: GetEndpointMetadata + parameters: + - in: path + name: id + required: true + schema: + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - type: string - type: array + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get limited package list + summary: Get metadata tags: - - Elastic Package Manager (EPM) - parameters: [] - /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + - Security Endpoint Management API + /api/endpoint/metadata/transforms: get: - operationId: get-inputs-template + operationId: GetEndpointMetadataTransform responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get inputs template + summary: Get metadata transforms tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - description: Format of response - json or yaml - in: query - name: format - schema: - enum: - - json - - yaml - - yml - type: string - - description: Specify if version is prerelease - in: query - name: prerelease - schema: - type: boolean - - description: Ignore if the package is fails signature verification - in: query - name: ignoreUnverified - schema: - type: boolean - /api/fleet/epm/verification_key_id: + - Security Endpoint Management API + /api/endpoint/policy_response: get: - operationId: packages-get-verification-key-id + operationId: GetPolicyResponse + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + agentId: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - body: - type: object - properties: - id: - description: >- - the key ID of the GPG key used to verify package - signatures - nullable: true - type: string - headers: - type: object - statusCode: - type: number + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package signature verification key ID + summary: Get a policy response tags: - - Elastic Package Manager (EPM) - parameters: [] - /api/fleet/fleet_server_hosts: + - Security Endpoint Management API + /api/endpoint/policy/summaries: get: - operationId: get-fleet-server-hosts + deprecated: true + operationId: GetAgentPolicySummary + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + package_name: + type: string + policy_id: + nullable: true + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_fleet_server_host' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List Fleet Server hosts - tags: - - Fleet Server hosts - post: - operationId: post-fleet-server-hosts - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host_urls: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this fleet server host. See - the proxies API for more information. - type: string - required: - - name - - host_urls - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create Fleet Server host + summary: Get an agent policy summary tags: - - Fleet Server hosts - /api/fleet/fleet_server_hosts/{itemId}: - delete: - operationId: delete-fleet-server-hosts + - Security Endpoint Management API + /api/endpoint/protection_updates_note/{package_policy_id}: + get: + operationId: GetProtectionUpdatesNote parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: package_policy_id + required: true + schema: + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - id: - type: string - required: - - id + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete Fleet Server host by ID + summary: Get a protection updates note tags: - - Fleet Server hosts - get: - operationId: get-one-fleet-server-hosts + - Security Endpoint Management API + post: + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + note: + type: string + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - required: - - item + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get Fleet Server host by ID + summary: Create or update a protection updates note tags: - - Fleet Server hosts - parameters: - - in: path - name: itemId - required: true - schema: - type: string - put: - operationId: update-fleet-server-hosts + - Security Endpoint Management API + /api/endpoint/suggestions/{suggestion_type}: + post: + operationId: GetEndpointSuggestions parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: suggestion_type + required: true + schema: + enum: + - eventFilters + type: string requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - host_urls: - items: - type: string - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: + field: type: string - proxy_id: - description: >- - The ID of the proxy to use for this fleet server host. See - the proxies API for more information. - nullable: true + fieldMeta: {} + filters: {} + query: type: string + required: + - parameters + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - required: - - item + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update Fleet Server host by ID + summary: Get suggestions tags: - - Fleet Server hosts - /api/fleet/health_check: + - Security Endpoint Management API + /api/endpoint/unisolate: post: - operationId: fleet-server-health-check - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + deprecated: true + description: > + Release an isolated endpoint, allowing it to rejoin a network. + + > info + + > This URL will return a 308 permanent redirect to `POST :/api/endpoint/action/unisolate`. + operationId: EndpointUnisolateRedirect requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - host: - deprecated: true - type: string - id: - type: string + agent_type: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Parameters required: - - id + - endpoint_ids required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - host: - deprecated: true - type: string - id: - description: Fleet Server host id - type: string - status: - type: string + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_SuccessResponse description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Fleet Server health check + '308': + description: Permanent Redirect + headers: + Location: + description: Permanently redirects to "/api/endpoint/action/unisolate" + schema: + example: /api/endpoint/action/unisolate + type: string + summary: Release an isolated endpoint tags: - - Fleet internals - /api/fleet/kubernetes: + - Security Endpoint Management API + /api/entity_store/engines: get: - operationId: get-full-k8s-manifest - parameters: - - in: query - name: download - required: false - schema: - type: boolean - - in: query - name: fleetServer - required: false - schema: - type: string - - in: query - name: enrolToken - required: false - schema: - type: string + operationId: ListEntityEngines responses: '200': content: @@ -11381,19 +11570,33 @@ paths: schema: type: object properties: - item: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get full K8s agent manifest + count: + type: integer + engines: + items: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + type: array + description: Successful response + summary: List the Entity Engines tags: - - Fleet Kubernetes - /api/fleet/logstash_api_keys: - post: - operationId: generate-logstash-api-key + - Security Entity Analytics API + /api/entity_store/engines/{entityType}: + delete: + operationId: DeleteEntityEngine parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + - description: Control flag to also delete the entity data. + in: query + name: data + required: false + schema: + type: boolean responses: '200': content: @@ -11401,87 +11604,76 @@ paths: schema: type: object properties: - api_key: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Generate Logstash API key + deleted: + type: boolean + description: Successful response + summary: Delete the Entity Engine tags: - - Fleet outputs - /api/fleet/outputs: + - Security Entity Analytics API get: - operationId: get-outputs + operationId: GetEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_output_create_request' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List outputs + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + description: Successful response + summary: Get an Entity Engine tags: - - Fleet outputs + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/init: post: - operationId: post-outputs + operationId: InitEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_output_create_request' + type: object + properties: + filter: + type: string + indexPattern: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_IndexPattern + description: Schema for the engine initialization required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_output_create_request' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create output + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor + description: Successful response + summary: Initialize an Entity Engine tags: - - Fleet outputs - /api/fleet/outputs/{outputId}: - delete: - operationId: delete-output + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/start: + post: + operationId: StartEntityEngine parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete output by ID - tags: - - Fleet outputs - get: - operationId: get-output + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: @@ -11489,29 +11681,22 @@ paths: schema: type: object properties: - item: - $ref: '#/components/schemas/Fleet_output_create_request' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get output by ID + started: + type: boolean + description: Successful response + summary: Start an Entity Engine tags: - - Fleet outputs - parameters: - - in: path - name: outputId - required: true - schema: - type: string - put: - operationId: update-output + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/stats: + post: + operationId: GetEntityEngineStats parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_output_update_request' + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: @@ -11519,17 +11704,37 @@ paths: schema: type: object properties: - item: - $ref: '#/components/schemas/Fleet_output_update_request' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update output by ID + indexPattern: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_IndexPattern + indices: + items: + type: object + type: array + status: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EngineStatus + transforms: + items: + type: object + type: array + type: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityType + description: Successful response + summary: Get Entity Engine stats tags: - - Fleet outputs - /api/fleet/outputs/{outputId}/health: - get: - operationId: get-output-health + - Security Entity Analytics API + /api/entity_store/engines/{entityType}/stop: + post: + operationId: StopEntityEngine + parameters: + - description: The entity type of the engine (either 'user' or 'host'). + in: path + name: entityType + required: true + schema: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: @@ -11537,35 +11742,56 @@ paths: schema: type: object properties: - message: - description: long message if unhealthy - type: string - state: - description: state of output, HEALTHY or DEGRADED - type: string - timestamp: - description: timestamp of reported state - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get latest output health + stopped: + type: boolean + description: Successful response + summary: Stop an Entity Engine tags: - - Fleet outputs - parameters: - - in: path - name: outputId - required: true - schema: - type: string - /api/fleet/package_policies: + - Security Entity Analytics API + /api/entity_store/entities/list: get: - operationId: get-package-policies + description: List entities records, paging, sorting and filtering as needed. + operationId: ListEntities parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_format' + - in: query + name: sort_field + required: false + schema: + type: string + - in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. + in: query + name: filterQuery + required: false + schema: + type: string + - in: query + name: entities_types + required: true + schema: + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + type: array responses: '200': content: @@ -11573,584 +11799,596 @@ paths: schema: type: object properties: - items: + inspect: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_InspectQuery + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: items: - $ref: '#/components/schemas/Fleet_package_policy' + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_Entity type: array - page: - type: number - perPage: - type: number total: - type: number + minimum: 0 + type: integer required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List package policies + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities tags: - - Fleet package policies - parameters: [] - post: - operationId: create-package-policy + - Security Entity Analytics API + /api/exception_lists: + delete: + description: Delete an exception list using the `id` or `list_id` field. + operationId: DeleteExceptionList parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_package_policy_request' - description: >- - You should use inputs as an object and not use the deprecated inputs - array. + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - '409': - $ref: '#/components/responses/Fleet_error' - summary: Create package policy - tags: - - Fleet package policies - /api/fleet/package_policies/_bulk_get: - post: - operationId: bulk-get-package-policies - parameters: - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_package_policy' - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get package policies + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list tags: - - Fleet package policies - /api/fleet/package_policies/{packagePolicyId}: - delete: - operationId: delete-package-policy + - Security Exceptions API + get: + description: Get the details of an exception list using the `id` or `list_id` field. + operationId: ReadExceptionList parameters: + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - in: query - name: force + name: namespace_type + required: false schema: - type: boolean + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - id: - type: string - required: - - id - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package policy by ID - tags: - - Fleet package policies - get: - operationId: get-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_format' - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package policy by ID - tags: - - Fleet package policies - parameters: - - in: path - name: packagePolicyId - required: true - schema: - type: string - put: - operationId: update-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_package_policy_request' - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update package policy by ID - tags: - - Fleet package policies - /api/fleet/package_policies/delete: - post: - operationId: post-delete-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - packagePolicyIds: - items: - type: string - type: array - required: - - packagePolicyIds - responses: - '200': + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': content: application/json; Elastic-Api-Version=2023-10-31: schema: - items: - type: object - properties: - id: - type: string - name: - type: string - success: - type: boolean - required: - - id - - success - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package policy + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list details tags: - - Fleet package policies - /api/fleet/package_policies/upgrade: + - Security Exceptions API post: - operationId: upgrade-package-policy + description: > + An exception list groups exception items and can be associated with + detection rules. You can assign detection rules with multiple exception + lists. + + > info + + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateExceptionList requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - packagePolicyIds: - items: - type: string - type: array + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListVersion + default: 1 required: - - packagePolicyIds + - name + - description + - type + description: Exception list's properties + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - items: - type: object - properties: - id: - type: string - name: - type: string - success: - type: boolean - required: - - id - - success - type: array - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response '409': - $ref: '#/components/responses/Fleet_error' - summary: Upgrade package policy to a newer package version + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list tags: - - Fleet package policies - /api/fleet/package_policies/upgrade/dryrun: - post: - operationId: upgrade-package-policy-dry-run + - Security Exceptions API + put: + description: Update an exception list using the `id` or `list_id` field. + operationId: UpdateExceptionList requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - packagePolicyIds: - items: - type: string - type: array - packageVersion: + _version: type: string + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListTags + type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListVersion required: - - packagePolicyIds + - name + - description + - type + description: Exception list's properties + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - items: - type: object - properties: - agent_diff: - $ref: '#/components/schemas/Fleet_upgrade_agent_diff' - diff: - $ref: '#/components/schemas/Fleet_upgrade_diff' - hasErrors: - type: boolean - required: - - hasErrors - type: array - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Dry run package policy upgrade - tags: - - Fleet package policies - /api/fleet/proxies: - get: - operationId: get-fleet-proxies - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_proxies' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List proxies - tags: - - Fleet proxies - post: - operationId: post-fleet-proxies - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: - type: string - id: - type: string - name: - type: string - proxy_headers: - type: object - url: - type: string - required: - - name - - url - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_proxies' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create proxy - tags: - - Fleet proxies - /api/fleet/proxies/{itemId}: - delete: - operationId: delete-fleet-proxies - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete proxy by ID - tags: - - Fleet proxies - get: - operationId: get-one-fleet-proxies - responses: - '200': + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_proxies' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get proxy by ID - tags: - - Fleet proxies - parameters: - - in: path - name: itemId - required: true - schema: - type: string - put: - operationId: update-fleet-proxies - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: - type: string - name: - type: string - proxy_headers: - type: object - url: - type: string - responses: - '200': + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_proxies' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update proxy by ID + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list tags: - - Fleet proxies - /api/fleet/service_tokens: + - Security Exceptions API + /api/exception_lists/_duplicate: post: - operationId: generate-service-token + description: Duplicate an existing exception list. + operationId: DuplicateExceptionList parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: Exception list's human identifier + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - name: - type: string - value: - type: string - description: OK + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Create service token + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list to duplicate not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Duplicate an exception list tags: - - Fleet service tokens - /api/fleet/service-tokens: + - Security Exceptions API + /api/exception_lists/_export: post: - deprecated: true - operationId: generate-service-token-deprecated + description: Export an exception list and its associated items to an NDJSON file. + operationId: ExportExceptionList parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: Exception list's identifier + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human identifier + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string responses: '200': content: - application/json; Elastic-Api-Version=2023-10-31: + application/ndjson; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - name: - type: string - value: - type: string - description: OK + description: >- + A `.ndjson` file containing specified exception list and its + items + format: binary + type: string + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: Create service token - tags: - - Fleet service tokens - /api/fleet/settings: - get: - operationId: get-settings - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_fleet_settings_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get settings - tags: - - Fleet internals - put: - operationId: update-settings - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - additional_yaml_config: - type: string - fleet_server_hosts: - description: Protocol and path must be the same for each URL - items: - type: string - type: array - has_seen_add_data_notice: - type: boolean - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_fleet_settings_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update settings - tags: - - Fleet internals - /api/fleet/setup: - post: - operationId: setup - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Fleet_fleet_setup_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response '500': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - message: - type: string - description: Internal Server Error - summary: Initiate Fleet setup + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Export an exception list tags: - - Fleet internals - /api/fleet/uninstall_tokens: + - Security Exceptions API + /api/exception_lists/_find: get: - operationId: get-uninstall-tokens + description: Get a list of all exception lists. + operationId: FindExceptionLists parameters: - - description: The number of items to return + - description: > + Filters the returned results according to the value of the specified + field. + + + Uses the `so type.field name:field` value syntax, where `so type` + can be: + + + - `exception-list`: Specify a space-aware exception list. + + - `exception-list-agnostic`: Specify an exception list that is + shared across spaces. in: query - name: perPage + name: filter required: false schema: - default: 20 - minimum: 5 + $ref: >- + #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 1 type: integer - - $ref: '#/components/parameters/Fleet_page_index' - - description: Partial match filtering for policy IDs + - description: The number of exception lists to return per page in: query - name: policyId + name: per_page + required: false + schema: + minimum: 1 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + type: string + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order required: false schema: + enum: + - desc + - asc type: string responses: '200': @@ -12159,126 +12397,112 @@ paths: schema: type: object properties: - items: + data: items: - type: object - properties: - created_at: - type: string - id: - type: string - policy_id: - type: string - required: - - id - - policy_id - - created_at + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionList type: array page: - type: number - perPage: - type: number + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer total: - type: number + minimum: 0 + type: integer required: - - items - - total + - data - page - - perPage - description: OK + - per_page + - total + description: Successful response '400': - $ref: '#/components/responses/Fleet_error' - summary: List metadata for latest uninstall tokens per agent policy - tags: - - Fleet uninstall tokens - /api/fleet/uninstall_tokens/{uninstallTokenId}: - get: - operationId: get-uninstall-token - parameters: - - in: path - name: uninstallTokenId - required: true - schema: - type: string - responses: - '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - item: - type: object - properties: - created_at: - type: string - id: - type: string - policy_id: - type: string - token: - type: string - required: - - id - - token - - policy_id - - created_at - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get one decrypted uninstall token by its ID - tags: - - Fleet uninstall tokens - /api/ml/saved_objects/sync: - get: - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models in the default space. You must have `all` privileges for the - **Machine Learning** feature in the **Analytics** section of the Kibana - feature privileges. This API runs automatically when you start Kibana - and periodically thereafter. - operationId: mlSync - parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync saved objects in the default space + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception lists tags: - - ml - /api/saved_objects/_bulk_create: + - Security Exceptions API + /api/exception_lists/_import: post: - deprecated: true - operationId: bulkCreateSavedObjects + description: Import an exception list and its associated items from an NDJSON file. + operationId: ImportExceptionList parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: When true, overwrites the document with the same identifier. + - description: > + Determines whether existing exception lists with the same `list_id` + are overwritten. + + If any exception items have the same `item_id`, those are also + overwritten. in: query name: overwrite + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: > + Determines whether the list being imported will have a new `list_id` + generated. + + Additional `item_id`'s are generated for each exception item. Both + the exception + + list and its items are overwritten. + in: query + name: as_new_list + required: false schema: + default: false type: boolean requestBody: content: - application/json; Elastic-Api-Version=2023-10-31: + multipart/form-data; Elastic-Api-Version=2023-10-31: schema: - items: - type: object - type: array + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + format: binary + type: string required: true responses: '200': @@ -12286,2486 +12510,10179 @@ paths: application/json; Elastic-Api-Version=2023-10-31: schema: type: object - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Create saved objects - tags: - - saved objects - /api/saved_objects/_bulk_delete: - post: - deprecated: true - description: | - WARNING: When you delete a saved object, it cannot be recovered. - operationId: bulkDeleteSavedObjects + properties: + errors: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean + required: + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Import an exception list + tags: + - Security Exceptions API + /api/exception_lists/items: + delete: + description: Delete an exception list item using the `id` or `item_id` field. + operationId: DeleteExceptionListItem parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: > - When true, force delete objects that exist in multiple namespaces. - Note that the option applies to the whole request. Use the delete - object API to specify per-object deletion behavior. TIP: Use this if - you attempted to delete objects and received an HTTP 400 error with - the following message: "Unable to delete saved object that exists in - multiple namespaces, use the force option to delete it anyway". - WARNING: When you bulk delete objects that exist in multiple - namespaces, the API also deletes legacy url aliases that reference - the object. These requests are batched to minimise the impact but - they can place a heavy load on Kibana. Make sure you limit the - number of objects that exist in multiple namespaces in a single bulk - delete operation. + - description: Either `id` or `item_id` must be specified in: query - name: force + name: id + required: false schema: - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - type: object - type: array - required: true + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - description: > - Indicates a successful call. NOTE: This HTTP response code indicates - that the bulk operation succeeded. Errors pertaining to individual - objects will be returned in the response body. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response '400': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Delete saved objects + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Delete an exception list item tags: - - saved objects - /api/saved_objects/_bulk_get: - post: - deprecated: true - operationId: bulkGetSavedObjects + - Security Exceptions API + get: + description: >- + Get the details of an exception list item using the `id` or `item_id` + field. + operationId: ReadExceptionListItem parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - type: object - type: array - required: true + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response '400': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Get saved objects + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list item tags: - - saved objects - /api/saved_objects/_bulk_resolve: + - Security Exceptions API post: - deprecated: true description: > - Retrieve multiple Kibana saved objects by identifier using any legacy - URL aliases if they exist. Under certain circumstances when Kibana is - upgraded, saved object migrations may necessitate regenerating some - object IDs to enable new features. When an object's ID is regenerated, a - legacy URL alias is created for that object, preserving its old ID. In - such a scenario, that object can be retrieved by the bulk resolve API - using either its new ID or its old ID. - operationId: bulkResolveSavedObjects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + Create an exception item and associate it with the specified exception + list. + + > info + + > Before creating exception items, you must create an exception list. + operationId: CreateExceptionListItem requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - items: - type: object - type: array + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemType + required: + - list_id + - type + - name + - description + - entries + description: Exception list item's properties required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - description: > - Indicates a successful call. NOTE: This HTTP response code indicates - that the bulk operation succeeded. Errors pertaining to individual - objects will be returned in the response body. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response '400': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Resolve saved objects - tags: - - saved objects - /api/saved_objects/_bulk_update: - post: - deprecated: true - description: Update the attributes for multiple Kibana saved objects. - operationId: bulkUpdateSavedObjects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - type: object - type: array - required: true - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - description: > - Indicates a successful call. NOTE: This HTTP response code indicates - that the bulk operation succeeded. Errors pertaining to individual - objects will be returned in the response body. - '400': + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Update saved objects + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create an exception list item tags: - - saved objects - /api/saved_objects/_export: - post: - description: > - Retrieve sets of saved objects that you want to import into Kibana. - - You must include `type` or `objects` in the request body. - - - Exported saved objects are not backwards compatible and cannot be - imported into an older version of Kibana. - - - NOTE: The `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be exported. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: exportSavedObjectsDefault - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - Security Exceptions API + put: + description: Update an exception list item using the `id` or `item_id` field. + operationId: UpdateExceptionListItem requestBody: content: application/json; Elastic-Api-Version=2023-10-31: - examples: - exportSavedObjectsRequest: - $ref: '#/components/examples/Saved_objects_export_objects_request' schema: type: object properties: - excludeExportDetails: - default: false - description: Do not add export details entry at the end of the stream. - type: boolean - includeReferencesDeep: - description: >- - Includes all of the referenced objects in the exported - objects. - type: boolean - objects: - description: A list of objects to export. - items: - type: object - type: array + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + list_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemTags type: - description: >- - The saved object types to include in the export. Use `*` to - export all the types. - oneOf: - - type: string - - items: - type: string - type: array + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties required: true responses: '200': content: - application/x-ndjson; Elastic-Api-Version=2023-10-31: - examples: - exportSavedObjectsResponse: - $ref: '#/components/examples/Saved_objects_export_objects_response' + application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: true - type: object - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' + description: Successful response '400': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Export saved objects + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Update an exception list item tags: - - saved objects - /api/saved_objects/_find: + - Security Exceptions API + /api/exception_lists/items/_find: get: - deprecated: true - description: Retrieve a paginated set of Kibana saved objects. - operationId: findSavedObjects + description: Get a list of all exception list items in the specified list. + operationId: FindExceptionListItems parameters: - - description: > - An aggregation structure, serialized as a string. The field format - is similar to filter, meaning that to use a saved object type - attribute in the aggregation, the `savedObjectType.attributes.title: - "myTitle"` format must be used. For root fields, the syntax is - `savedObjectType.rootField`. NOTE: As objects change in Kibana, the - results on each page of the response also change. Use the find API - for traditional paginated results, but avoid using it to export - large amounts of data. - in: query - name: aggs - schema: - type: string - - description: The default operator to use for the `simple_query_string`. - in: query - name: default_search_operator - schema: - type: string - - description: The fields to return in the attributes key of the response. + - description: List's id in: query - name: fields + name: list_id + required: true schema: - oneOf: - - type: string - - type: array + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListHumanId + type: array - description: > - The filter is a KQL string with the caveat that if you filter with - an attribute from your saved object type, it should look like that: - `savedObjectType.attributes.title: "myTitle"`. However, if you use a - root attribute of a saved object such as `updated_at`, you will have - to define your filter like that: `savedObjectType.updated_at > - 2018-12-22`. + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. in: query name: filter + required: false schema: - type: string - - description: >- - Filters to objects that do not have a relationship with the type and - identifier combination. - in: query - name: has_no_reference - schema: - type: object - - description: >- - The operator to use for the `has_no_reference` parameter. Either - `OR` or `AND`. Defaults to `OR`. - in: query - name: has_no_reference_operator - schema: - type: string - - description: >- - Filters to objects that have a relationship with the type and ID - combination. + default: [] + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter + type: array + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) in: query - name: has_reference + name: namespace_type + required: false schema: - type: object - - description: >- - The operator to use for the `has_reference` parameter. Either `OR` - or `AND`. Defaults to `OR`. - in: query - name: has_reference_operator + default: + - single + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + type: array + - in: query + name: search + required: false schema: type: string - - description: The page of objects to return. + - description: The page number to return in: query name: page + required: false schema: + minimum: 0 type: integer - - description: The number of objects to return per page. + - description: The number of exception list items to return per page in: query name: per_page + required: false schema: + minimum: 0 type: integer - - description: >- - An Elasticsearch `simple_query_string` query that filters the - objects in the response. - in: query - name: search - schema: - type: string - - description: >- - The fields to perform the `simple_query_string` parsed query - against. - in: query - name: search_fields - schema: - oneOf: - - type: string - - type: array - - description: > - Sorts the response. Includes "root" and "type" fields. "root" fields - exist for all saved objects, such as "updated_at". "type" fields are - specific to an object type, such as fields returned in the - attributes key of the response. When a single type is defined in the - type parameter, the "root" and "type" fields are allowed, and - validity checks are made in that order. When multiple types are - defined in the type parameter, only "root" fields are allowed. + - description: Determines which field is used to sort the results in: query name: sort_field + required: false schema: - type: string - - description: The saved object types to include. + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` in: query - name: type - required: true + name: sort_order + required: false schema: - oneOf: - - type: string - - type: array + enum: + - desc + - asc + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object - description: Indicates a successful call. + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItem + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response '400': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request - summary: Search for saved objects - tags: - - saved objects - /api/saved_objects/_import: - post: - description: > - Create sets of Kibana saved objects from a file created by the export - API. - - Saved objects can be imported only into the same version, a newer minor - on the same major, or the next major. Exported saved objects are not - backwards compatible and cannot be imported into an older version of - Kibana. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: importSavedObjectsDefault + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get exception list items + tags: + - Security Exceptions API + /api/exception_lists/summary: + get: + description: Get a summary of the specified exception list. + operationId: ReadExceptionListSummary parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: > - Creates copies of saved objects, regenerates each object ID, and - resets the origin. When used, potential conflict errors are avoided. - NOTE: This option cannot be used with the `overwrite` and - `compatibilityMode` options. + - description: Exception list's identifier generated upon creation in: query - name: createNewCopies + name: id required: false schema: - type: boolean - - description: > - Overwrites saved objects when they already exist. When used, - potential conflict errors are automatically resolved by overwriting - the destination object. NOTE: This option cannot be used with the - `createNewCopies` option. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + - description: Exception list's human readable identifier in: query - name: overwrite + name: list_id required: false schema: - type: boolean - - description: > - Applies various adjustments to the saved objects that are being - imported to maintain compatibility between different Kibana - versions. Use this option only if you encounter issues with imported - saved objects. NOTE: This option cannot be used with the - `createNewCopies` option. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType + default: single + - description: Search filter clause in: query - name: compatibilityMode + name: filter required: false schema: - type: boolean - requestBody: - content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - examples: - importObjectsRequest: - $ref: '#/components/examples/Saved_objects_import_objects_request' - schema: - type: object - properties: - file: - description: > - A file exported using the export API. NOTE: The - `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be included in - this file. Similarly, the - `savedObjects.maxImportPayloadBytes` setting limits the - overall size of the file that can be imported. - required: true + type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: - examples: - importObjectsResponse: - $ref: '#/components/examples/Saved_objects_import_objects_response' schema: type: object properties: - errors: - description: > - Indicates the import was unsuccessful and specifies the - objects that failed to import. - - - NOTE: One object may result in multiple errors, which - requires separate steps to resolve. For instance, a - `missing_references` error and conflict error. - items: - type: object - type: array - success: - description: > - Indicates when the import was successfully completed. When - set to false, some objects may not have been created. For - additional information, refer to the `errors` and - `successResults` properties. - type: boolean - successCount: - description: Indicates the number of successfully imported records. + linux: + minimum: 0 type: integer - successResults: - description: > - Indicates the objects that are successfully imported, with - any metadata if applicable. - - - NOTE: Objects are created only when all resolvable errors - are addressed, including conflicts and missing references. - If objects are created as new copies, each entry in the - `successResults` array includes a `destinationId` - attribute. - items: - type: object - type: array - description: Indicates a successful call. + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response '400': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Import saved objects + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Get an exception list summary tags: - - saved objects - x-codeSamples: - - label: Import with createNewCopies - lang: cURL - source: | - curl \ - -X POST api/saved_objects/_import?createNewCopies=true - -H "kbn-xsrf: true" - --form file=@file.ndjson - /api/saved_objects/_resolve_import_errors: + - Security Exceptions API + /api/exceptions/shared: post: description: > - To resolve errors from the Import objects API, you can: - - - * Retry certain saved objects - - * Overwrite specific saved objects - - * Change references to different saved objects + An exception list groups exception items and can be associated with + detection rules. A shared exception list can apply to multiple detection + rules. + > info - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: resolveImportErrors - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - description: > - Applies various adjustments to the saved objects that are being - imported to maintain compatibility between different Kibana - versions. When enabled during the initial import, also enable when - resolving import errors. This option cannot be used with the - `createNewCopies` option. - in: query - name: compatibilityMode - required: false - schema: - type: boolean - - description: > - Creates copies of the saved objects, regenerates each object ID, and - resets the origin. When enabled during the initial import, also - enable when resolving import errors. - in: query - name: createNewCopies - required: false - schema: - type: boolean + > All exception items added to the same list are evaluated using `OR` + logic. That is, if any of the items in a list evaluate to `true`, the + exception prevents the rule from generating an alert. Likewise, `OR` + logic is used for evaluating exceptions when more than one exception + list is assigned to a rule. To use the `AND` operator, you can define + multiple clauses (`entries`) in a single exception item. + operationId: CreateSharedExceptionList requestBody: content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - examples: - resolveImportErrorsRequest: - $ref: >- - #/components/examples/Saved_objects_resolve_missing_reference_request + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - file: - description: The same file given to the import API. - format: binary - type: string - retries: - description: >- - The retry operations, which can specify how to resolve - different types of errors. - items: - type: object - properties: - destinationId: - description: >- - Specifies the destination ID that the imported object - should have, if different from the current ID. - type: string - id: - description: The saved object ID. - type: string - ignoreMissingReferences: - description: >- - When set to `true`, ignores missing reference errors. - When set to `false`, does nothing. - type: boolean - overwrite: - description: >- - When set to `true`, the source object overwrites the - conflicting destination object. When set to `false`, - does nothing. - type: boolean - replaceReferences: - description: >- - A list of `type`, `from`, and `to` used to change the - object references. - items: - type: object - properties: - from: - type: string - to: - type: string - type: - type: string - type: array - type: - description: The saved object type. - type: string - required: - - type - - id - type: array + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + name: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListName required: - - retries + - name + - description required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: - examples: - resolveImportErrorsResponse: - $ref: >- - #/components/examples/Saved_objects_resolve_missing_reference_response schema: - type: object - properties: - errors: - description: > - Specifies the objects that failed to resolve. - - - NOTE: One object can result in multiple errors, which - requires separate steps to resolve. For instance, a - `missing_references` error and a `conflict` error. - items: - type: object - type: array - success: - description: > - Indicates a successful import. When set to `false`, some - objects may not have been created. For additional - information, refer to the `errors` and `successResults` - properties. - type: boolean - successCount: - description: | - Indicates the number of successfully resolved records. - type: number - successResults: - description: > - Indicates the objects that are successfully imported, with - any metadata if applicable. - - - NOTE: Objects are only created when all resolvable errors - are addressed, including conflict and missing references. - items: - type: object - type: array - description: Indicates a successful call. + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' + description: Successful response '400': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Resolve import errors - tags: - - saved objects - /api/saved_objects/{type}: - post: - deprecated: true - description: Create a Kibana saved object with a randomly generated identifier. - operationId: createSavedObject - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - - description: If true, overwrites the document with the same identifier. - in: query - name: overwrite - schema: - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - attributes: - $ref: '#/components/schemas/Saved_objects_attributes' - initialNamespaces: - $ref: '#/components/schemas/Saved_objects_initial_namespaces' - references: - $ref: '#/components/schemas/Saved_objects_references' - required: - - attributes - required: true - responses: - '200': + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - description: Indicates a successful call. + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response '409': content: application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - description: Indicates a conflict error. - summary: Create a saved object + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' + description: Internal server error response + summary: Create a shared exception list tags: - - saved objects - /api/saved_objects/{type}/{id}: + - Security Exceptions API + /api/fleet/agent_download_sources: get: - deprecated: true - description: Retrieve a single Kibana saved object by identifier. - operationId: getSavedObject - parameters: - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' + operationId: get-download-sources responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object - description: Indicates a successful call. + properties: + items: + items: + $ref: '#/components/schemas/Fleet_download_sources' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Get a saved object + $ref: '#/components/responses/Fleet_error' + summary: List agent binary download sources tags: - - saved objects + - Elastic Agent binary download sources post: - deprecated: true - description: >- - Create a Kibana saved object and specify its identifier instead of using - a randomly generated ID. - operationId: createSavedObjectId - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - - description: If true, overwrites the document with the same identifier. - in: query - name: overwrite - schema: - type: boolean + operationId: post-download-sources requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - attributes: - $ref: '#/components/schemas/Saved_objects_attributes' - initialNamespaces: - $ref: '#/components/schemas/Saved_objects_initial_namespaces' - references: - $ref: '#/components/schemas/Saved_objects_initial_namespaces' + host: + type: string + id: + type: string + is_default: + type: boolean + name: + type: string required: - - attributes - required: true + - name + - host + - is_default responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object - description: Indicates a successful call. - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: Indicates a conflict error. - summary: Create a saved object + properties: + item: + $ref: '#/components/schemas/Fleet_download_sources' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent binary download source tags: - - saved objects - put: - deprecated: true - description: Update the attributes for Kibana saved objects. - operationId: updateSavedObject + - Elastic Agent binary download sources + /api/fleet/agent_download_sources/{sourceId}: + delete: + operationId: delete-download-source parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - required: true + - $ref: '#/components/parameters/Fleet_kbn_xsrf' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object - description: Indicates a successful call. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: Indicates the object was not found. - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: Indicates a conflict error. - summary: Update a saved object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent binary download source by ID tags: - - saved objects - /api/saved_objects/resolve/{type}/{id}: + - Elastic Agent binary download sources get: - deprecated: true - description: > - Retrieve a single Kibana saved object by identifier using any legacy URL - alias if it exists. Under certain circumstances, when Kibana is - upgraded, saved object migrations may necessitate regenerating some - object IDs to enable new features. When an object's ID is regenerated, a - legacy URL alias is created for that object, preserving its old ID. In - such a scenario, that object can be retrieved using either its new ID or - its old ID. - operationId: resolveSavedObject - parameters: - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' + operationId: get-one-download-source responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: type: object - description: Indicates a successful call. + properties: + item: + $ref: '#/components/schemas/Fleet_download_sources' + required: + - item + description: OK '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Saved_objects_400_response' - description: Bad request. - summary: Resolve a saved object - tags: - - saved objects - /api/security/role: - get: - operationId: '%2Fapi%2Fsecurity%2Frole#0' - parameters: [] - responses: {} - summary: Get all roles + $ref: '#/components/responses/Fleet_error' + summary: Get agent binary download source by ID tags: - - roles - /api/security/role/{name}: - delete: - operationId: '%2Fapi%2Fsecurity%2Frole%2F%7Bname%7D#1' + - Elastic Agent binary download sources + parameters: + - in: path + name: sourceId + required: true + schema: + type: string + put: + operationId: update-download-source parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - minLength: 1 - type: string - responses: {} - summary: Delete a role + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + type: string + is_default: + type: boolean + name: + type: string + required: + - name + - is_default + - host + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_download_sources' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update agent binary download source by ID tags: - - roles + - Elastic Agent binary download sources + /api/fleet/agent_policies: get: - operationId: '%2Fapi%2Fsecurity%2Frole%2F%7Bname%7D#0' + description: '' + operationId: agent-policy-list parameters: - - description: The version of the API to use - in: header - name: elastic-api-version + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_format' + - description: >- + When set to true, retrieve the related package policies for each + agent policy. + in: query + name: full schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - in: path - name: name - required: true + type: boolean + - description: >- + When set to true, do not count how many agents are in the agent + policy, this can improve performance if you are searching over a + large number of agent policies. The "agents" property will always be + 0 if set to true. + in: query + name: noAgentCount schema: - minLength: 1 - type: string - responses: {} - summary: Get a role + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_agent_policy' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent policies tags: - - roles - put: - operationId: '%2Fapi%2Fsecurity%2Frole%2F%7Bname%7D#2' + - Elastic Agent policies + post: + operationId: create-agent-policy parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: name - required: true - schema: - maxLength: 1024 - minLength: 1 - type: string - - in: query - name: createOnly - required: false - schema: - default: false - type: boolean + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_policy_create_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent policy + tags: + - Elastic Agent policies + /api/fleet/agent_policies/_bulk_get: + post: + operationId: bulk-get-agent-policies + parameters: + - $ref: '#/components/parameters/Fleet_format' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: false type: object properties: - description: - maxLength: 2048 - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - cluster: - items: - type: string - type: array - indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - type: boolean - field_security: - additionalProperties: - items: - type: string - type: array - type: object - names: - items: - type: string - minItems: 1 - type: array - privileges: - items: - type: string - minItems: 1 - type: array - query: - type: string - required: - - names - - privileges - type: array - remote_cluster: - items: - additionalProperties: false - type: object - properties: - clusters: - items: - type: string - minItems: 1 - type: array - privileges: - items: - type: string - minItems: 1 - type: array - required: - - privileges - - clusters - type: array - remote_indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - type: boolean - clusters: - items: - type: string - minItems: 1 - type: array - field_security: - additionalProperties: - items: - type: string - type: array - type: object - names: - items: - type: string - minItems: 1 - type: array - privileges: - items: - type: string - minItems: 1 - type: array - query: - type: string - required: - - clusters - - names - - privileges - type: array - run_as: - items: - type: string - type: array - kibana: + full: + description: get full policies with package policies populated + type: boolean + ids: + description: list of agent policy ids items: - additionalProperties: false - type: object - properties: - base: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - items: - type: string - type: array - - items: - type: string - type: array - feature: - additionalProperties: - items: - type: string - type: array - type: object - spaces: - anyOf: - - items: - enum: - - '*' - type: string - maxItems: 1 - minItems: 1 - type: array - - items: - type: string - type: array - default: - - '*' - required: - - base + type: string type: array - metadata: - additionalProperties: {} - type: object + ignoreMissing: + type: boolean required: - - elasticsearch - responses: {} - summary: Create or update a role + - ids + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_agent_policy' + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get agent policies tags: - - roles - /api/security/roles: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}: + get: + description: Get one agent policy + operationId: agent-policy-info + parameters: [] + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent policy by ID + tags: + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - $ref: '#/components/parameters/Fleet_format' + put: + operationId: update-agent-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_policy_update_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update agent policy by ID + tags: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}/copy: + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - $ref: '#/components/parameters/Fleet_format' post: - operationId: '%2Fapi%2Fsecurity%2Froles#0' + operationId: agent-policy-copy parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: false type: object properties: - roles: - additionalProperties: - additionalProperties: false - type: object - properties: - description: - maxLength: 2048 - type: string - elasticsearch: - additionalProperties: false - type: object - properties: - cluster: - items: - type: string - type: array - indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - type: boolean - field_security: - additionalProperties: - items: - type: string - type: array - type: object - names: - items: - type: string - minItems: 1 - type: array - privileges: - items: - type: string - minItems: 1 - type: array - query: - type: string - required: - - names - - privileges - type: array - remote_cluster: - items: - additionalProperties: false - type: object - properties: - clusters: - items: - type: string - minItems: 1 - type: array - privileges: - items: - type: string - minItems: 1 - type: array - required: - - privileges - - clusters - type: array - remote_indices: - items: - additionalProperties: false - type: object - properties: - allow_restricted_indices: - type: boolean - clusters: - items: - type: string - minItems: 1 - type: array - field_security: - additionalProperties: - items: - type: string - type: array - type: object - names: - items: - type: string - minItems: 1 - type: array - privileges: - items: - type: string - minItems: 1 - type: array - query: - type: string - required: - - clusters - - names - - privileges - type: array - run_as: - items: - type: string - type: array - kibana: - items: - additionalProperties: false - type: object - properties: - base: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - items: - type: string - type: array - - items: - type: string - type: array - feature: - additionalProperties: - items: - type: string - type: array - type: object - spaces: - anyOf: - - items: - enum: - - '*' - type: string - maxItems: 1 - minItems: 1 - type: array - - items: - type: string - type: array - default: - - '*' - required: - - base - type: array - metadata: - additionalProperties: {} - type: object - required: - - elasticsearch - type: object + description: + type: string + name: + type: string required: - - roles - responses: {} - summary: Create or update roles + - name + description: '' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Copy agent policy by ID tags: - - roles - /api/spaces/_copy_saved_objects: + - Elastic Agent policies + /api/fleet/agent_policies/{agentPolicyId}/download: + get: + operationId: agent-policy-download + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Download agent policy by ID + tags: + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: download + required: false + schema: + type: string + - in: query + name: standalone + required: false + schema: + type: string + - in: query + name: kubernetes + required: false + schema: + type: string + /api/fleet/agent_policies/{agentPolicyId}/full: + get: + operationId: agent-policy-full + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + oneOf: + - type: string + - $ref: '#/components/schemas/Fleet_agent_policy_full' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get full agent policy by ID + tags: + - Elastic Agent policies + parameters: + - in: path + name: agentPolicyId + required: true + schema: + type: string + - in: query + name: download + required: false + schema: + type: string + - in: query + name: standalone + required: false + schema: + type: string + - in: query + name: kubernetes + required: false + schema: + type: string + /api/fleet/agent_policies/delete: + parameters: [] post: - description: Copy saved objects to spaces - operationId: '%2Fapi%2Fspaces%2F_copy_saved_objects#0' + operationId: delete-agent-policy parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: false type: object properties: - compatibilityMode: - default: false - type: boolean - createNewCopies: - default: true - type: boolean - includeReferences: - default: false - type: boolean - objects: - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - type: array - overwrite: - default: false + agentPolicyId: + type: string + force: + description: >- + bypass validation checks that can prevent agent policy + deletion type: boolean - spaces: - items: - type: string - type: array required: - - spaces - - objects - responses: {} - summary: '' - tags: [] - /api/spaces/_disable_legacy_url_aliases: - post: - description: Disable legacy URL aliases - operationId: '%2Fapi%2Fspaces%2F_disable_legacy_url_aliases#0' + - agentPolicyId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + success: + type: boolean + required: + - id + - success + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent policy by ID + tags: + - Elastic Agent policies + /api/fleet/agent_status: + get: + operationId: get-agent-status parameters: - - description: The version of the API to use - in: header - name: elastic-api-version + - in: query + name: policyId + required: false schema: - default: '2023-10-31' - enum: - - '2023-10-31' type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + - deprecated: true + in: query + name: kuery + required: false schema: - example: 'true' type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - aliases: + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + active: + type: integer + all: + type: integer + error: + type: integer + events: + type: integer + inactive: + type: integer + offline: + type: integer + online: + type: integer + other: + type: integer + total: + deprecated: true + type: integer + unenrolled: + type: integer + updating: + type: integer + required: + - active + - all + - error + - events + - inactive + - offline + - online + - other + - total + - updating + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent status summary + tags: + - Elastic Agent status + /api/fleet/agent_status/data: + get: + operationId: get-agent-data + parameters: + - in: query + name: agentsIds + required: true + schema: + items: + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: items: - additionalProperties: false - type: object - properties: - sourceId: - type: string - targetSpace: - type: string - targetType: - type: string - required: - - targetSpace - - targetType - - sourceId - type: array - required: - - aliases - responses: {} - summary: '' - tags: [] - /api/spaces/_get_shareable_references: - post: - description: Get shareable references - operationId: '%2Fapi%2Fspaces%2F_get_shareable_references#0' + items: + additionalProperties: + type: object + properties: + data: + type: boolean + type: object + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get incoming agent data + tags: + - Elastic Agent status + /api/fleet/agent-status: + get: + deprecated: true + operationId: get-agent-status-deprecated parameters: - - description: The version of the API to use - in: header - name: elastic-api-version + - in: query + name: policyId + required: false schema: - default: '2023-10-31' - enum: - - '2023-10-31' type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: integer + events: + type: integer + inactive: + type: integer + offline: + type: integer + online: + type: integer + other: + type: integer + total: + type: integer + updating: + type: integer + required: + - error + - events + - inactive + - offline + - online + - other + - total + - updating + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent status summary + tags: + - Elastic Agent status + /api/fleet/agents: + get: + operationId: get-agents + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_show_inactive' + - $ref: '#/components/parameters/Fleet_show_upgradeable' + - $ref: '#/components/parameters/Fleet_sort_field' + - $ref: '#/components/parameters/Fleet_sort_order' + - $ref: '#/components/parameters/Fleet_with_metrics' + - in: query + name: getStatusSummary + required: false schema: - example: 'true' - type: string + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_agents_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agents + tags: + - Elastic Agents + post: + operationId: get-agents-by-actions + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: false type: object properties: - objects: + actionIds: items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id + type: string type: array required: - - objects - responses: {} - summary: '' - tags: [] - /api/spaces/_resolve_copy_saved_objects_errors: - post: - description: Resolve conflicts copying saved objects - operationId: '%2Fapi%2Fspaces%2F_resolve_copy_saved_objects_errors#0' + - policy_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_agent_get_by_actions' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agents by action ids + tags: + - Elastic Agents + /api/fleet/agents/{agentId}: + delete: + operationId: delete-agent parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete agent by ID + tags: + - Elastic Agents + get: + operationId: get-agent + parameters: + - $ref: '#/components/parameters/Fleet_with_metrics' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent by ID + tags: + - Elastic Agents + parameters: + - in: path + name: agentId + required: true + schema: + type: string + put: + operationId: update-agent + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: false type: object properties: - compatibilityMode: - default: false - type: boolean - createNewCopies: - default: true - type: boolean - includeReferences: - default: false - type: boolean - objects: + tags: items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id + type: string type: array - retries: - additionalProperties: - items: - additionalProperties: false - type: object - properties: - createNewCopy: - type: boolean - destinationId: - type: string - id: - type: string - ignoreMissingReferences: - type: boolean - overwrite: - default: false - type: boolean - type: - type: string - required: - - type - - id - type: array + user_provided_metadata: type: object - required: - - retries - - objects - responses: {} - summary: '' - tags: [] - /api/spaces/_update_objects_spaces: + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update agent by ID + tags: + - Elastic Agents + /api/fleet/agents/{agentId}/actions: + parameters: + - in: path + name: agentId + required: true + schema: + type: string post: - description: Update saved objects in spaces - operationId: '%2Fapi%2Fspaces%2F_update_objects_spaces#0' + operationId: new-agent-action parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: false type: object properties: - objects: - items: - additionalProperties: false - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - type: array - spacesToAdd: - items: - type: string - type: array - spacesToRemove: - items: + action: + $ref: '#/components/schemas/Fleet_agent_action' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + items: + type: number + type: array + headers: type: string - type: array - required: - - objects - - spacesToAdd - - spacesToRemove - responses: {} - summary: '' - tags: [] - /api/spaces/space: - get: - description: Get all spaces - operationId: '%2Fapi%2Fspaces%2Fspace#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - in: query - name: purpose - required: false - schema: - enum: - - any - - copySavedObjectsIntoSpace - - shareSavedObjectsIntoSpace - type: string - - in: query - name: include_authorized_purposes - required: true - schema: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - enum: - - false - type: boolean - x-oas-optional: true - - type: boolean - x-oas-optional: true - responses: {} - summary: '' + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create agent action tags: - - spaces + - Elastic Agent actions + /api/fleet/agents/{agentId}/reassign: + parameters: + - in: path + name: agentId + required: true + schema: + type: string post: - description: Create a space - operationId: '%2Fapi%2Fspaces%2Fspace#1' + operationId: reassign-agent parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: false type: object properties: - _reserved: - type: boolean - color: - type: string - description: - type: string - disabledFeatures: - default: [] - items: - type: string - type: array - id: - type: string - imageUrl: - type: string - initials: - maxLength: 2 - type: string - name: - minLength: 1 - type: string - solution: - enum: - - security - - oblt - - es - - classic + policy_id: type: string required: - - id - - name - responses: {} - summary: '' - tags: - - spaces - /api/spaces/space/{id}: - delete: - description: Delete a space - operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#2' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: id - required: true - schema: - type: string - responses: {} - summary: '' - tags: - - spaces - get: - description: Get a space - operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - in: path - name: id - required: true - schema: - type: string - responses: {} - summary: '' + - policy_id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Reassign agent tags: - - spaces + - Elastic Agents put: - description: Update a space - operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#1' + deprecated: true + operationId: reassign-agent-deprecated parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - in: path - name: id - required: true - schema: - type: string + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - additionalProperties: false type: object properties: - _reserved: - type: boolean - color: - type: string - description: - type: string - disabledFeatures: - default: [] - items: - type: string - type: array - id: - type: string - imageUrl: - type: string - initials: - maxLength: 2 - type: string - name: - minLength: 1 - type: string - solution: - enum: - - security - - oblt - - es - - classic + policy_id: type: string required: - - id - - name - responses: {} - summary: '' - tags: - - spaces - /api/status: - get: - operationId: '%2Fapi%2Fstatus#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: Set to "true" to get the response in v7 format. - in: query - name: v7format - required: false - schema: - type: boolean - - description: Set to "true" to get the response in v8 format. - in: query - name: v8format - required: false - schema: - type: boolean + - policy_id + required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse - description: >- - Kibana's operational status. A minimal response is sent for - unauthorized users. - description: Overall status is OK and Kibana should be functioning normally. - '503': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse - description: >- - Kibana's operational status. A minimal response is sent for - unauthorized users. - description: >- - Kibana or some of it's essential services are unavailable. Kibana - may be degraded or unavailable. - summary: Get Kibana's current status + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Reassign agent tags: - - system - /s/{spaceId}/api/observability/slos: - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: findSlosOp + - Elastic Agents + /api/fleet/agents/{agentId}/request_diagnostics: + parameters: + - in: path + name: agentId + required: true + schema: + type: string + post: + operationId: request-diagnostics-agent parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: A valid kql query to filter the SLO with - example: 'slo.name:latency* and slo.tags : "prod"' - in: query - name: kqlQuery - schema: - type: string - - description: The page to use for pagination, must be greater or equal than 1 - example: 1 - in: query - name: page - schema: - default: 1 - type: integer - - description: Number of SLOs returned by page - example: 25 - in: query - name: perPage - schema: - default: 25 - maximum: 5000 - type: integer - - description: Sort by field - example: status - in: query - name: sortBy - schema: - default: status - enum: - - sli_value - - status - - error_budget_consumed - - error_budget_remaining - type: string - - description: Sort order - example: asc - in: query - name: sortDirection - schema: - default: asc - enum: - - asc - - desc - type: string - - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings - in: query - name: hideStale - schema: - type: boolean + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + additional_metrics: + items: + oneOf: + - enum: + - CPU + type: string + type: array responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_find_slo_response' - description: Successful request + type: object + properties: + actionId: + type: string + description: OK '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get a paginated list of SLOs + $ref: '#/components/responses/Fleet_error' + summary: Request agent diagnostics tags: - - slo + - Elastic Agents + /api/fleet/agents/{agentId}/unenroll: + parameters: + - in: path + name: agentId + required: true + schema: + type: string post: - description: > - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: createSloOp + operationId: unenroll-agent parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_create_slo_request' - required: true + type: object + properties: + force: + type: boolean + revoke: + type: boolean responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_create_slo_response' - description: Successful request + type: object + description: OK '400': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_409_response' - description: Conflict - The SLO id already exists - summary: Create an SLO + type: object + properties: + error: + type: string + message: + type: string + statusCode: + enum: + - 400 + type: number + description: BAD REQUEST + summary: Unenroll agent tags: - - slo - /s/{spaceId}/api/observability/slos/_delete_instances: + - Elastic Agents + /api/fleet/agents/{agentId}/upgrade: + parameters: + - in: path + name: agentId + required: true + schema: + type: string post: - description: > - The deletion occurs for the specified list of `sloId` and `instanceId`. - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloInstancesOp + operationId: upgrade-agent parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_delete_slo_instances_request' + $ref: '#/components/schemas/Fleet_upgrade_agent' required: true responses: - '204': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - summary: Batch delete rollup and summary data + $ref: '#/components/schemas/Fleet_upgrade_agent' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Upgrade agent tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}: - delete: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - Elastic Agents + /api/fleet/agents/{agentId}/uploads: + get: + operationId: list-agent-uploads responses: - '204': - description: Successful request - '400': + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Delete an SLO + type: object + properties: + body: + type: object + properties: + item: + items: + $ref: '#/components/schemas/Fleet_agent_diagnostics' + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent uploads tags: - - slo + - Elastic Agents + parameters: + - in: path + name: agentId + required: true + schema: + type: string + /api/fleet/agents/action_status: get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: getSloOp + operationId: agents-action-status parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - - description: the specific instanceId used by the summary calculation - example: host-abcde - in: query - name: instanceId + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - in: query + name: errorSize schema: - type: string + default: 5 + type: integer responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - description: Successful request + type: object + properties: + items: + items: + type: object + properties: + actionId: + type: string + cancellationTime: + type: string + completionTime: + type: string + creationTime: + description: creation time of action + type: string + expiration: + type: string + latestErrors: + description: >- + latest errors that happened when the agents executed + the action + items: + type: object + properties: + agentId: + type: string + error: + type: string + timestamp: + type: string + type: array + nbAgentsAck: + description: number of agents that acknowledged the action + type: number + nbAgentsActionCreated: + description: number of agents included in action from kibana + type: number + nbAgentsActioned: + description: number of agents actioned + type: number + nbAgentsFailed: + description: number of agents that failed to execute the action + type: number + newPolicyId: + description: new policy id (POLICY_REASSIGN action) + type: string + policyId: + description: policy id (POLICY_CHANGE action) + type: string + revision: + description: new policy revision (POLICY_CHANGE action) + type: string + startTime: + description: start time of action (scheduled actions) + type: string + status: + enum: + - COMPLETE + - EXPIRED + - CANCELLED + - FAILED + - IN_PROGRESS + - ROLLOUT_PASSED + type: string + type: + enum: + - POLICY_REASSIGN + - UPGRADE + - UNENROLL + - FORCE_UNENROLL + - UPDATE_TAGS + - CANCEL + - REQUEST_DIAGNOSTICS + - SETTINGS + - POLICY_CHANGE + - INPUT_ACTION + type: string + version: + description: agent version number (UPGRADE action) + type: string + required: + - actionId + - complete + - nbAgentsActioned + - nbAgentsActionCreated + - nbAgentsAck + - nbAgentsFailed + - status + - creationTime + - type + type: array + required: + - items + description: OK '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent action status + tags: + - Elastic Agent actions + /api/fleet/agents/actions/{actionId}/cancel: + parameters: + - in: path + name: actionId + required: true + schema: + type: string + post: + operationId: agent-action-cancel + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get an SLO + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_agent_action' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Cancel agent action tags: - - slo - put: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: updateSloOp + - Elastic Agent actions + /api/fleet/agents/bulk_reassign: + post: + operationId: bulk-reassign-agents parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' requestBody: content: application/json; Elastic-Api-Version=2023-10-31: + example: + agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' + policy_id: policy_id schema: - $ref: '#/components/schemas/SLOs_update_slo_request' - required: true + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + policy_id: + description: new agent policy id + type: string + required: + - policy_id + - agents responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request + type: object + properties: + actionId: + type: string + description: OK '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Update an SLO + $ref: '#/components/responses/Fleet_error' + summary: Bulk reassign agents tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/_reset: + - Elastic Agents + /api/fleet/agents/bulk_request_diagnostics: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: resetSloOp + operationId: bulk-request-diagnostics parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' + schema: + type: object + properties: + additional_metrics: + items: + oneOf: + - enum: + - CPU + type: string + type: array + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + batchSize: + type: number + required: + - agents responses: - '204': + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request + type: object + properties: + actionId: + type: string + description: OK '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Reset an SLO + $ref: '#/components/responses/Fleet_error' + summary: Bulk request diagnostics from agents tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/disable: + - Elastic Agents + /api/fleet/agents/bulk_unenroll: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: disableSloOp + operationId: bulk-unenroll-agents parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + force: false + revoke: true + schema: + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + force: + description: Unenrolls hosted agents too + type: boolean + includeInactive: + description: >- + When passing agents by KQL query, unenrolls inactive agents + too + type: boolean + revoke: + description: Revokes API keys of agents + type: boolean + required: + - agents responses: '200': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Disable an SLO + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk unenroll agents tags: - - slo - /s/{spaceId}/api/observability/slos/{sloId}/enable: + - Elastic Agents + /api/fleet/agents/bulk_update_agent_tags: post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: enableSloOp + operationId: bulk-update-agent-tags parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + tagsToAdd: + - newTag + tagsToRemove: + - existingTag + schema: + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + batchSize: + type: number + tagsToAdd: + items: + type: string + type: array + tagsToRemove: + items: + type: string + type: array + required: + - agents responses: - '204': - description: Successful request - '400': + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk update agent tags + tags: + - Elastic Agents + /api/fleet/agents/bulk_upgrade: + post: + operationId: bulk-upgrade-agents + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + example: + agents: + - agent1 + - agent2 + rollout_duration_seconds: 3600 + source_uri: https://artifacts.elastic.co/downloads/beats/elastic-agent + start_time: '2022-08-03T14:00:00.000Z' + version: 8.4.0 + schema: + $ref: '#/components/schemas/Fleet_bulk_upgrade_agents' + required: true + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': + type: object + properties: + actionId: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk upgrade agents + tags: + - Elastic Agents + /api/fleet/agents/files/{fileId}: + delete: + operationId: delete-agent-upload-file + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': + type: object + properties: + body: + type: object + properties: + deleted: + type: boolean + id: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete file uploaded by agent + tags: + - Elastic Agents + parameters: + - in: path + name: fileId + required: true + schema: + type: string + /api/fleet/agents/files/{fileId}/{fileName}: + get: + operationId: get-agent-upload-file + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Enable an SLO + type: object + properties: + body: + type: object + properties: + items: + type: object + properties: + body: {} + headers: {} + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get file uploaded by agent tags: - - slo -components: - examples: - Alerting_get_health_response: - summary: Retrieve information about the health of the alerting framework. - value: - alerting_framework_health: - decryption_health: - status: ok - timestamp: '2023-01-13T01:28:00.280Z' - execution_health: - status: ok - timestamp: '2023-01-13T01:28:00.280Z' - read_health: - status: ok - timestamp: '2023-01-13T01:28:00.280Z' - has_permanent_encryption_key: true - is_sufficiently_secure: true - Alerting_get_rule_types_response: - summary: Retrieve rule types associated with Kibana machine learning features - value: - - action_groups: - - id: anomaly_score_match - name: Anomaly score matched the condition - - id: recovered - name: Recovered - action_variables: - context: - - description: The bucket timestamp of the anomaly - name: timestamp - - description: The bucket time of the anomaly in ISO8601 format - name: timestampIso8601 - - description: List of job IDs that triggered the alert - name: jobIds - - description: Alert info message - name: message - - description: Indicate if top hits contain interim results - name: isInterim - - description: Anomaly score at the time of the notification action - name: score - - description: Top records - name: topRecords - - description: Top influencers - name: topInfluencers - - description: URL to open in the Anomaly Explorer - name: anomalyExplorerUrl - useWithTripleBracesInTemplates: true - params: [] - state: [] - alerts: - context: ml.anomaly-detection - mappings: - fieldMap: - kibana.alert.anomaly_score: - array: false - type: double - required: false - kibana.alert.anomaly_timestamp: - array: false - type: date - required: false - kibana.alert.is_interim: - array: false - type: boolean - required: false - kibana.alert.job_id: - array: false - type: keyword - required: true - kibana.alert.top_influencers: - array: true - dynamic: false - type: object - properties: - influencer_field_name: - type: keyword - influencer_field_value: - type: keyword - influencer_score: - type: double - initial_influencer_score: - type: double - is_interim: - type: boolean - job_id: - type: keyword - timestamp: - type: date - required: false - kibana.alert.top_records: - array: true - dynamic: false - type: object - properties: - actual: - type: double - by_field_name: - type: keyword - by_field_value: - type: keyword - detector_index: - type: integer - field_name: - type: keyword - function: - type: keyword - initial_record_score: - type: double - is_interim: - type: boolean - job_id: - type: keyword - over_field_name: - type: keyword - over_field_value: - type: keyword - partition_field_name: - type: keyword - partition_field_value: - type: keyword - record_score: - type: double - timestamp: - type: date - typical: - type: double - required: false - shouldWrite: true - authorized_consumers: - alerts: - all: true - read: true - apm: - all: true - read: true - discover: - all: true - read: true - infrastructure: - all: true - read: true - logs: - all: true - read: true - ml: - all: true - read: true - monitoring: - all: true - read: true - siem: - all: true - read: true - slo: - all: true - read: true - stackAlerts: - all: true - read: true - uptime: - all: true - read: true - category: management - default_action_group_id: anomaly_score_match - does_set_recovery_context: true - enabled_in_license: true - has_alerts_mappings: true - has_fields_for_a_a_d: false - id: xpack.ml.anomaly_detection_alert - is_exportable: true - minimum_license_required: platinum - name: Anomaly detection alert - producer: ml - recovery_action_group: - id: recovered - name: Recovered - rule_task_timeout: 5m - - action_groups: - - id: anomaly_detection_realtime_issue - name: Issue detected - - id: recovered - name: Recovered - action_variables: - context: - - description: Results of the rule execution - name: results - - description: Alert info message - name: message - params: [] - state: [] - authorized_consumers: - alerts: - all: true - read: true - apm: + - Elastic Agents + parameters: + - in: path + name: fileId + required: true + schema: + type: string + - in: path + name: fileName + required: true + schema: + type: string + /api/fleet/agents/setup: + get: + operationId: get-agents-setup-status + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_status_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get agent setup info + tags: + - Elastic Agents + post: + operationId: setup-agents + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + admin_password: + type: string + admin_username: + type: string + required: + - admin_username + - admin_password + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_setup_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Initiate agent setup + tags: + - Elastic Agents + /api/fleet/agents/tags: + get: + operationId: get-agent-tags + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_agent_tags_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List agent tags + tags: + - Elastic Agents + /api/fleet/data_streams: + get: + operationId: data-streams-list + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data_streams: + items: + $ref: '#/components/schemas/Fleet_data_stream' + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List data streams + tags: + - Data streams + parameters: [] + /api/fleet/enrollment_api_keys: + get: + operationId: get-enrollment-api-keys + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - page + - perPage + - total + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List enrollment API keys + tags: + - Fleet enrollment API keys + post: + operationId: create-enrollment-api-keys + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + description: The name of the enrollment API key. Must be unique. + type: string + policy_id: + description: >- + The ID of the agent policy the Elastic Agent will be + enrolled in. + type: string + required: + - policy_id + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create enrollment API key + tags: + - Fleet enrollment API keys + /api/fleet/enrollment_api_keys/{keyId}: + delete: + operationId: delete-enrollment-api-key + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Revoke enrollment API key by ID by marking it as inactive + tags: + - Fleet enrollment API keys + get: + operationId: get-enrollment-api-key + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get enrollment API key by ID + tags: + - Fleet enrollment API keys + parameters: + - in: path + name: keyId + required: true + schema: + type: string + /api/fleet/enrollment-api-keys: + get: + deprecated: true + operationId: get-enrollment-api-keys-deprecated + parameters: [] + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - page + - perPage + - total + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List enrollment API keys + tags: + - Fleet enrollment API keys + post: + deprecated: true + operationId: create-enrollment-api-keys-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - created + type: string + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create enrollment API key + tags: + - Fleet enrollment API keys + /api/fleet/enrollment-api-keys/{keyId}: + delete: + deprecated: true + operationId: delete-enrollment-api-key-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + action: + enum: + - deleted + type: string + required: + - action + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete enrollment API key by ID + tags: + - Fleet enrollment API keys + get: + deprecated: true + operationId: get-enrollment-api-key-deprecated + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_enrollment_api_key' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get enrollment API key by ID + tags: + - Fleet enrollment API keys + parameters: + - in: path + name: keyId + required: true + schema: + type: string + /api/fleet/epm/bulk_assets: + post: + operationId: bulk-get-assets + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + assetIds: + description: list of items necessary to fetch assets + items: + type: object + properties: + id: + type: string + type: + type: string + type: array + required: + - assetIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_bulk_assets_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get assets + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/categories: + get: + operationId: get-package-categories + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_categories_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List package categories + tags: + - Elastic Package Manager (EPM) + parameters: + - description: >- + Whether to include prerelease packages in categories count (e.g. beta, + rc, preview) + in: query + name: prerelease + schema: + default: false + type: boolean + - deprecated: true + in: query + name: experimental + schema: + default: false + type: boolean + - in: query + name: include_policy_templates + schema: + default: false + type: boolean + /api/fleet/epm/packages: + get: + operationId: list-all-packages + parameters: + - description: >- + Whether to exclude the install status of each package. Enabling this + option will opt in to caching for the response via `cache-control` + headers. If you don't need up-to-date installation info for a + package, and are querying for a list of available packages, + providing this flag can improve performance substantially. + in: query + name: excludeInstallStatus + schema: + default: false + type: boolean + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + - deprecated: true + in: query + name: experimental + schema: + default: false + type: boolean + - in: query + name: category + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_get_packages_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List packages + tags: + - Elastic Package Manager (EPM) + post: + description: '' + operationId: install-package-by-upload + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/gzip; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + application/zip; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _meta: + type: object + properties: + install_source: + enum: + - upload + - registry + - bundled + type: string + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '429': + $ref: '#/components/responses/Fleet_error' + summary: Install by package by direct upload + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/_bulk: + post: + operationId: bulk-install-packages + parameters: + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + description: force install to ignore package verification errors + type: boolean + packages: + description: list of packages to install + items: + oneOf: + - description: package name + type: string + - type: object + properties: + name: + description: package name + type: string + version: + description: package version + type: string + type: array + required: + - packages + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_bulk_install_packages_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk install packages + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgkey}: + delete: + deprecated: true + operationId: delete-package-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgkey + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete ackage + tags: + - Elastic Package Manager (EPM) + get: + deprecated: true + operationId: get-package-deprecated + parameters: + - in: path + name: pkgkey + required: true + schema: + type: string + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - properties: + response: + $ref: '#/components/schemas/Fleet_package_info' + - properties: + savedObject: + type: string + status: + enum: + - installed + - installing + - install_failed + - not_installed + type: string + required: + - status + - savedObject + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package + tags: + - Elastic Package Manager (EPM) + post: + deprecated: true + description: '' + operationId: install-package-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgkey + required: true + schema: + type: string + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Install package + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/{pkgVersion}: + delete: + operationId: delete-package + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: delete package even if policies used by agents + in: query + name: force + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + deprecated: true + type: object + properties: + force: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package + tags: + - Elastic Package Manager (EPM) + get: + operationId: get-package + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - properties: + item: + $ref: '#/components/schemas/Fleet_package_info' + - properties: + keepPoliciesUpToDate: + type: boolean + latestVersion: + type: string + licensePath: + type: string + notice: + type: string + savedObject: + deprecated: true + type: object + status: + enum: + - installed + - installing + - install_failed + - not_installed + type: string + required: + - status + - savedObject + type: object + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: Ignore if the package is fails signature verification + in: query + name: ignoreUnverified + schema: + type: boolean + - description: >- + Return all fields from the package manifest, not just those supported + by the Elastic Package Registry + in: query + name: full + schema: + type: boolean + - description: >- + Whether to return prerelease versions of packages (e.g. beta, rc, + preview) + in: query + name: prerelease + schema: + default: false + type: boolean + post: + description: '' + operationId: install-package + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - description: avoid erroring out on unexpected mapping update errors + in: query + name: ignoreMappingUpdateErrors + schema: + default: false + type: boolean + - description: >- + Skip data stream rollover during index template mapping or settings + update + in: query + name: skipDataStreamRollover + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + ignore_constraints: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _meta: + type: object + properties: + install_source: + enum: + - registry + - upload + - bundled + type: string + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Install package + tags: + - Elastic Package Manager (EPM) + put: + description: '' + operationId: update-package + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + keepPoliciesUpToDate: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + id: + type: string + type: + oneOf: + - $ref: >- + #/components/schemas/Fleet_kibana_saved_object_type + - $ref: >- + #/components/schemas/Fleet_elasticsearch_asset_type + required: + - id + - type + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update package settings + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: + get: + operationId: packages-get-file + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + headers: + type: object + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package file + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - in: path + name: filePath + required: true + schema: + type: string + /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: + post: + description: '' + operationId: reauthorize-transforms + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: >- + Whether to include prerelease packages in categories count (e.g. + beta, rc, preview) + in: query + name: prerelease + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + transforms: + items: + type: object + properties: + transformId: + type: string + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + error: + type: string + success: + type: boolean + transformId: + type: string + required: + - transformId + - error + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Authorize transforms + tags: + - Elastic Package Manager (EPM) + /api/fleet/epm/packages/{pkgName}/stats: + get: + operationId: get-package-stats + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + response: + $ref: '#/components/schemas/Fleet_package_usage_stats' + required: + - response + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package stats + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + /api/fleet/epm/packages/limited: + get: + operationId: list-limited-packages + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: string + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get limited package list + tags: + - Elastic Package Manager (EPM) + parameters: [] + /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: + get: + operationId: get-inputs-template + responses: + '200': + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get inputs template + tags: + - Elastic Package Manager (EPM) + parameters: + - in: path + name: pkgName + required: true + schema: + type: string + - in: path + name: pkgVersion + required: true + schema: + type: string + - description: Format of response - json or yaml + in: query + name: format + schema: + enum: + - json + - yaml + - yml + type: string + - description: Specify if version is prerelease + in: query + name: prerelease + schema: + type: boolean + - description: Ignore if the package is fails signature verification + in: query + name: ignoreUnverified + schema: + type: boolean + /api/fleet/epm/verification_key_id: + get: + operationId: packages-get-verification-key-id + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: object + properties: + id: + description: >- + the key ID of the GPG key used to verify package + signatures + nullable: true + type: string + headers: + type: object + statusCode: + type: number + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package signature verification key ID + tags: + - Elastic Package Manager (EPM) + parameters: [] + /api/fleet/fleet_server_hosts: + get: + operationId: get-fleet-server-hosts + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_fleet_server_host' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List Fleet Server hosts + tags: + - Fleet Server hosts + post: + operationId: post-fleet-server-hosts + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host_urls: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this fleet server host. See + the proxies API for more information. + type: string + required: + - name + - host_urls + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create Fleet Server host + tags: + - Fleet Server hosts + /api/fleet/fleet_server_hosts/{itemId}: + delete: + operationId: delete-fleet-server-hosts + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete Fleet Server host by ID + tags: + - Fleet Server hosts + get: + operationId: get-one-fleet-server-hosts + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get Fleet Server host by ID + tags: + - Fleet Server hosts + parameters: + - in: path + name: itemId + required: true + schema: + type: string + put: + operationId: update-fleet-server-hosts + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host_urls: + items: + type: string + type: array + is_default: + type: boolean + is_internal: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this fleet server host. See + the proxies API for more information. + nullable: true + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_fleet_server_host' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update Fleet Server host by ID + tags: + - Fleet Server hosts + /api/fleet/health_check: + post: + operationId: fleet-server-health-check + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + deprecated: true + type: string + id: + type: string + required: + - id + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + host: + deprecated: true + type: string + id: + description: Fleet Server host id + type: string + status: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Fleet Server health check + tags: + - Fleet internals + /api/fleet/kubernetes: + get: + operationId: get-full-k8s-manifest + parameters: + - in: query + name: download + required: false + schema: + type: boolean + - in: query + name: fleetServer + required: false + schema: + type: string + - in: query + name: enrolToken + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get full K8s agent manifest + tags: + - Fleet Kubernetes + /api/fleet/logstash_api_keys: + post: + operationId: generate-logstash-api-key + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + api_key: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Generate Logstash API key + tags: + - Fleet outputs + /api/fleet/outputs: + get: + operationId: get-outputs + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_output_create_request' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List outputs + tags: + - Fleet outputs + post: + operationId: post-outputs + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_output_create_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_create_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create output + tags: + - Fleet outputs + /api/fleet/outputs/{outputId}: + delete: + operationId: delete-output + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete output by ID + tags: + - Fleet outputs + get: + operationId: get-output + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_create_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get output by ID + tags: + - Fleet outputs + parameters: + - in: path + name: outputId + required: true + schema: + type: string + put: + operationId: update-output + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_output_update_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_output_update_request' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update output by ID + tags: + - Fleet outputs + /api/fleet/outputs/{outputId}/health: + get: + operationId: get-output-health + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + description: long message if unhealthy + type: string + state: + description: state of output, HEALTHY or DEGRADED + type: string + timestamp: + description: timestamp of reported state + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get latest output health + tags: + - Fleet outputs + parameters: + - in: path + name: outputId + required: true + schema: + type: string + /api/fleet/package_policies: + get: + operationId: get-package-policies + parameters: + - $ref: '#/components/parameters/Fleet_page_size' + - $ref: '#/components/parameters/Fleet_page_index' + - $ref: '#/components/parameters/Fleet_kuery' + - $ref: '#/components/parameters/Fleet_format' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List package policies + tags: + - Fleet package policies + parameters: [] + post: + operationId: create-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_package_policy_request' + description: >- + You should use inputs as an object and not use the deprecated inputs + array. + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '409': + $ref: '#/components/responses/Fleet_error' + summary: Create package policy + tags: + - Fleet package policies + /api/fleet/package_policies/_bulk_get: + post: + operationId: bulk-get-package-policies + parameters: + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + description: list of package policy ids + items: + type: string + type: array + ignoreMissing: + type: boolean + required: + - ids + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + required: + - items + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Bulk get package policies + tags: + - Fleet package policies + /api/fleet/package_policies/{packagePolicyId}: + delete: + operationId: delete-package-policy + parameters: + - in: query + name: force + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package policy by ID + tags: + - Fleet package policies + get: + operationId: get-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_format' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get package policy by ID + tags: + - Fleet package policies + parameters: + - in: path + name: packagePolicyId + required: true + schema: + type: string + put: + operationId: update-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + - $ref: '#/components/parameters/Fleet_format' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_package_policy_request' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_package_policy' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update package policy by ID + tags: + - Fleet package policies + /api/fleet/package_policies/delete: + post: + operationId: post-delete-package-policy + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + force: + type: boolean + packagePolicyIds: + items: + type: string + type: array + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + type: string + name: + type: string + success: + type: boolean + required: + - id + - success + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete package policy + tags: + - Fleet package policies + /api/fleet/package_policies/upgrade: + post: + operationId: upgrade-package-policy + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + packagePolicyIds: + items: + type: string + type: array + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + type: string + name: + type: string + success: + type: boolean + required: + - id + - success + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '409': + $ref: '#/components/responses/Fleet_error' + summary: Upgrade package policy to a newer package version + tags: + - Fleet package policies + /api/fleet/package_policies/upgrade/dryrun: + post: + operationId: upgrade-package-policy-dry-run + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + packagePolicyIds: + items: + type: string + type: array + packageVersion: + type: string + required: + - packagePolicyIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + agent_diff: + $ref: '#/components/schemas/Fleet_upgrade_agent_diff' + diff: + $ref: '#/components/schemas/Fleet_upgrade_diff' + hasErrors: + type: boolean + required: + - hasErrors + type: array + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Dry run package policy upgrade + tags: + - Fleet package policies + /api/fleet/proxies: + get: + operationId: get-fleet-proxies + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: '#/components/schemas/Fleet_proxies' + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List proxies + tags: + - Fleet proxies + post: + operationId: post-fleet-proxies + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + id: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + required: + - name + - url + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create proxy + tags: + - Fleet proxies + /api/fleet/proxies/{itemId}: + delete: + operationId: delete-fleet-proxies + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + required: + - id + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Delete proxy by ID + tags: + - Fleet proxies + get: + operationId: get-one-fleet-proxies + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get proxy by ID + tags: + - Fleet proxies + parameters: + - in: path + name: itemId + required: true + schema: + type: string + put: + operationId: update-fleet-proxies + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_proxies' + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update proxy by ID + tags: + - Fleet proxies + /api/fleet/service_tokens: + post: + operationId: generate-service-token + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + type: string + value: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create service token + tags: + - Fleet service tokens + /api/fleet/service-tokens: + post: + deprecated: true + operationId: generate-service-token-deprecated + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + name: + type: string + value: + type: string + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Create service token + tags: + - Fleet service tokens + /api/fleet/settings: + get: + operationId: get-settings + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_settings_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get settings + tags: + - Fleet internals + put: + operationId: update-settings + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + additional_yaml_config: + type: string + fleet_server_hosts: + description: Protocol and path must be the same for each URL + items: + type: string + type: array + has_seen_add_data_notice: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_settings_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Update settings + tags: + - Fleet internals + /api/fleet/setup: + post: + operationId: setup + parameters: + - $ref: '#/components/parameters/Fleet_kbn_xsrf' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Fleet_fleet_setup_response' + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + description: Internal Server Error + summary: Initiate Fleet setup + tags: + - Fleet internals + /api/fleet/uninstall_tokens: + get: + operationId: get-uninstall-tokens + parameters: + - description: The number of items to return + in: query + name: perPage + required: false + schema: + default: 20 + minimum: 5 + type: integer + - $ref: '#/components/parameters/Fleet_page_index' + - description: Partial match filtering for policy IDs + in: query + name: policyId + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + type: object + properties: + created_at: + type: string + id: + type: string + policy_id: + type: string + required: + - id + - policy_id + - created_at + type: array + page: + type: number + perPage: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: List metadata for latest uninstall tokens per agent policy + tags: + - Fleet uninstall tokens + /api/fleet/uninstall_tokens/{uninstallTokenId}: + get: + operationId: get-uninstall-token + parameters: + - in: path + name: uninstallTokenId + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + item: + type: object + properties: + created_at: + type: string + id: + type: string + policy_id: + type: string + token: + type: string + required: + - id + - token + - policy_id + - created_at + required: + - item + description: OK + '400': + $ref: '#/components/responses/Fleet_error' + summary: Get one decrypted uninstall token by its ID + tags: + - Fleet uninstall tokens + /api/lists: + delete: + description: | + Delete a list using the list ID. + > info + > When you delete a list, all of its list items are also deleted. + operationId: DeleteList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - in: query + name: deleteReferences + required: false + schema: + default: false + type: boolean + - in: query + name: ignoreReferences + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a list + tags: + - Security Lists API + get: + description: Get the details of a list using the list ID. + operationId: ReadList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get list details + tags: + - Security Lists API + patch: + description: Update specific fields of an existing list using the list ID. + operationId: PatchList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a list + tags: + - Security Lists API + post: + description: Create a new list. + operationId: CreateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + serializer: + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a list + tags: + - Security Lists API + put: + description: > + Update a list using the list ID. The original list is replaced, and all + unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + - name + - description + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a list + tags: + - Security Lists API + /api/lists/_find: + get: + description: >- + Get a paginated subset of lists. By default, the first page is returned, + with 20 results per page. + operationId: FindLists + parameters: + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of lists to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' + data: + items: + $ref: '#/components/schemas/Security_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get lists + tags: + - Security Lists API + /api/lists/index: + delete: + description: Delete the `.lists` and `.items` data streams. + operationId: DeleteListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete list data streams + tags: + - Security Lists API + get: + description: Verify that `.lists` and `.items` data streams exist. + operationId: ReadListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + list_index: + type: boolean + list_item_index: + type: boolean + required: + - list_index + - list_item_index + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream(s) not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get status of list data streams + tags: + - Security Lists API + post: + description: Create `.lists` and `.items` data streams in the relevant space. + operationId: CreateListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List data stream exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create list data streams + tags: + - Security Lists API + /api/lists/items: + delete: + description: Delete a list item using its `id`, or its `list_id` and `value` fields. + operationId: DeleteListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Delete a list item + tags: + - Security Lists API + get: + description: Get the details of a list item. + operationId: ReadListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Lists_API_ListItem' + - items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get a list item + tags: + - Security Lists API + patch: + description: Update specific fields of an existing list item using the list item ID. + operationId: PatchListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: >- + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Patch a list item + tags: + - Security Lists API + post: + description: > + Create a list item and associate it with the specified list. + + + All list items in the same list must be the same type. For example, each + list item in an `ip` list must define a specific IP address. + + > info + + > Before creating a list item, you must create a list. + operationId: CreateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + refresh: + description: >- + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - list_id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Create a list item + tags: + - Security Lists API + put: + description: > + Update a list item using the list item ID. The original list item is + replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` value. + operationId: UpdateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Update a list item + tags: + - Security Lists API + /api/lists/items/_export: + post: + description: Export list item values from the specified list. + operationId: ExportListItems + parameters: + - description: List's id to export + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: A `.txt` file containing list items from the specified list + format: binary + type: string + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Export list items + tags: + - Security Lists API + /api/lists/items/_find: + get: + description: Get all list items in the specified list. + operationId: FindListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of list items to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + - description: Determines the sort order, which can be `desc` or `asc` + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Lists_API_FindListItemsCursor + data: + items: + $ref: '#/components/schemas/Security_Lists_API_ListItem' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get list items + tags: + - Security Lists API + /api/lists/items/_import: + post: + description: > + Import list items from a TXT or CSV file. The maximum file size is 9 + million bytes. + + + You can import items to a new or existing list. + operationId: ImportListItems + parameters: + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListId' + - description: > + Type of the importing list. + + + Required when importing a new list that is `list_id` is not + specified. + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Lists_API_ListType' + - in: query + name: serializer + required: false + schema: + type: string + - in: query + name: deserializer + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + type: string + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: >- + A `.txt` or `.csv` file containing newline separated list + items + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: List with specified list_id does not exist response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Import list items + tags: + - Security Lists API + /api/lists/privileges: + get: + operationId: ReadListPrivileges + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' + lists: + $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' + required: + - lists + - listItems + - is_authenticated + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Lists_API_PlatformErrorResponse + - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' + description: Internal server error response + summary: Get list privileges + tags: + - Security Lists API + /api/ml/saved_objects/sync: + get: + description: > + Synchronizes Kibana saved objects for machine learning jobs and trained + models in the default space. You must have `all` privileges for the + **Machine Learning** feature in the **Analytics** section of the Kibana + feature privileges. This API runs automatically when you start Kibana + and periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync saved objects in the default space + tags: + - ml + /api/note: + delete: + description: Delete a note from a Timeline using the note ID. + operationId: DeleteNote + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + type: string + required: + - noteId + - nullable: true + type: object + properties: + noteIds: + items: + type: string + nullable: true + type: array + required: + - noteIds + description: The ID of the note to delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + description: Indicates the note was successfully deleted. + summary: Delete a note + tags: + - Security Timeline API + - access:securitySolution + get: + description: Get all notes for a given document. + operationId: GetNotes + parameters: + - in: query + name: documentIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' + - in: query + name: savedObjectIds + schema: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' + - in: query + name: page + schema: + nullable: true + type: string + - in: query + name: perPage + schema: + nullable: true + type: string + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: sortField + schema: + nullable: true + type: string + - in: query + name: sortOrder + schema: + nullable: true + type: string + - in: query + name: filter + schema: + nullable: true + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' + - type: object + description: Indicates the requested notes were returned. + summary: Get notes + tags: + - Security Timeline API + - access:securitySolution + patch: + description: Add a note to a Timeline or update an existing note. + operationId: PersistNoteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + eventDataView: + nullable: true + type: string + eventIngested: + nullable: true + type: string + eventTimestamp: + nullable: true + type: string + note: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + noteId: + nullable: true + type: string + overrideOwner: + nullable: true + type: boolean + version: + nullable: true + type: string + required: + - note + description: The note to add or update, along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistNote: + $ref: >- + #/components/schemas/Security_Timeline_API_ResponseNote + required: + - persistNote + required: + - data + description: Indicates the note was successfully created. + summary: Add or update a note + tags: + - Security Timeline API + - access:securitySolution + /api/osquery/live_queries: + get: + description: Get a list of all live queries. + operationId: OsqueryFindLiveQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindLiveQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live queries + tags: + - Security Osquery API + post: + description: Create and run a live query. + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a live query + tags: + - Security Osquery API + /api/osquery/live_queries/{id}: + get: + description: Get the details of a live query using the query ID. + operationId: OsqueryGetLiveQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_Id' + - in: query + name: query + schema: + additionalProperties: true + type: object + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query details + tags: + - Security Osquery API + /api/osquery/live_queries/{id}/results/{actionId}: + get: + description: Get the results of a live query using the query action ID. + operationId: OsqueryGetLiveQueryResults + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_Id' + - in: path + name: actionId + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_Id' + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_GetLiveQueryResultsRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query results + tags: + - Security Osquery API + /api/osquery/packs: + get: + description: Get a list of all query packs. + operationId: OsqueryFindPacks + parameters: + - in: query + name: query + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_FindPacksRequestQuery' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get packs + tags: + - Security Osquery API + post: + description: Create a query pack. + operationId: OsqueryCreatePacks + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a pack + tags: + - Security Osquery API + /api/osquery/packs/{id}: + delete: + description: Delete a query pack using the pack ID. + operationId: OsqueryDeletePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete a pack + tags: + - Security Osquery API + get: + description: Get the details of a query pack using the pack ID. + operationId: OsqueryGetPacksDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get pack details + tags: + - Security Osquery API + put: + description: | + Update a query pack using the pack ID. + > info + > You cannot update a prebuilt pack. + operationId: OsqueryUpdatePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update a pack + tags: + - Security Osquery API + /api/osquery/saved_queries: + get: + description: Get a list of all saved queries. + operationId: OsqueryFindSavedQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_FindSavedQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get saved queries + tags: + - Security Osquery API + post: + description: Create and run a saved query. + operationId: OsqueryCreateSavedQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a saved query + tags: + - Security Osquery API + /api/osquery/saved_queries/{id}: + delete: + description: Delete a saved query using the query ID. + operationId: OsqueryDeleteSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete a saved query + tags: + - Security Osquery API + get: + description: Get the details of a saved query using the query ID. + operationId: OsqueryGetSavedQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get saved query details + tags: + - Security Osquery API + put: + description: | + Update a saved query using the query ID. + > info + > You cannot update a prebuilt saved query. + operationId: OsqueryUpdateSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update a saved query + tags: + - Security Osquery API + /api/pinned_event: + patch: + description: Pin an event to an existing Timeline. + operationId: PersistPinnedEventRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + eventId: + type: string + pinnedEventId: + nullable: true + type: string + timelineId: + type: string + required: + - eventId + - timelineId + description: The pinned event to add or update, along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistPinnedEventOnTimeline: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse + required: + - persistPinnedEventOnTimeline + required: + - data + description: Indicates the event was successfully pinned to the Timeline. + summary: Pin an event + tags: + - Security Timeline API + - access:securitySolution + /api/risk_score/engine/dangerously_delete_data: + delete: + description: >- + Cleaning up the the Risk Engine by removing the indices, mapping and + transforms + operationId: CleanUpRiskEngine + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cleanup_successful: + type: boolean + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse + description: Unexpected error + summary: Cleanup the Risk Engine + tags: + - Security Entity Analytics API + /api/risk_score/engine/schedule_now: + post: + description: >- + Schedule the risk scoring engine to run as soon as possible. You can use + this to recalculate entity risk scores after updating their asset + criticality. + operationId: ScheduleRiskEngineNow + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: {} + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse + description: Task manager is unavailable + default: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse + description: Unexpected error + summary: Run the risk scoring engine + tags: + - Security Entity Analytics API + /api/saved_objects/_bulk_create: + post: + deprecated: true + operationId: bulkCreateSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: When true, overwrites the document with the same identifier. + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Create saved objects + tags: + - saved objects + /api/saved_objects/_bulk_delete: + post: + deprecated: true + description: | + WARNING: When you delete a saved object, it cannot be recovered. + operationId: bulkDeleteSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + When true, force delete objects that exist in multiple namespaces. + Note that the option applies to the whole request. Use the delete + object API to specify per-object deletion behavior. TIP: Use this if + you attempted to delete objects and received an HTTP 400 error with + the following message: "Unable to delete saved object that exists in + multiple namespaces, use the force option to delete it anyway". + WARNING: When you bulk delete objects that exist in multiple + namespaces, the API also deletes legacy url aliases that reference + the object. These requests are batched to minimise the impact but + they can place a heavy load on Kibana. Make sure you limit the + number of objects that exist in multiple namespaces in a single bulk + delete operation. + in: query + name: force + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Delete saved objects + tags: + - saved objects + /api/saved_objects/_bulk_get: + post: + deprecated: true + operationId: bulkGetSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Get saved objects + tags: + - saved objects + /api/saved_objects/_bulk_resolve: + post: + deprecated: true + description: > + Retrieve multiple Kibana saved objects by identifier using any legacy + URL aliases if they exist. Under certain circumstances when Kibana is + upgraded, saved object migrations may necessitate regenerating some + object IDs to enable new features. When an object's ID is regenerated, a + legacy URL alias is created for that object, preserving its old ID. In + such a scenario, that object can be retrieved by the bulk resolve API + using either its new ID or its old ID. + operationId: bulkResolveSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Resolve saved objects + tags: + - saved objects + /api/saved_objects/_bulk_update: + post: + deprecated: true + description: Update the attributes for multiple Kibana saved objects. + operationId: bulkUpdateSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Update saved objects + tags: + - saved objects + /api/saved_objects/_export: + post: + description: > + Retrieve sets of saved objects that you want to import into Kibana. + + You must include `type` or `objects` in the request body. + + + Exported saved objects are not backwards compatible and cannot be + imported into an older version of Kibana. + + + NOTE: The `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be exported. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: exportSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsRequest: + $ref: '#/components/examples/Saved_objects_export_objects_request' + schema: + type: object + properties: + excludeExportDetails: + default: false + description: Do not add export details entry at the end of the stream. + type: boolean + includeReferencesDeep: + description: >- + Includes all of the referenced objects in the exported + objects. + type: boolean + objects: + description: A list of objects to export. + items: + type: object + type: array + type: + description: >- + The saved object types to include in the export. Use `*` to + export all the types. + oneOf: + - type: string + - items: + type: string + type: array + required: true + responses: + '200': + content: + application/x-ndjson; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsResponse: + $ref: '#/components/examples/Saved_objects_export_objects_response' + schema: + additionalProperties: true + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Export saved objects + tags: + - saved objects + /api/saved_objects/_find: + get: + deprecated: true + description: Retrieve a paginated set of Kibana saved objects. + operationId: findSavedObjects + parameters: + - description: > + An aggregation structure, serialized as a string. The field format + is similar to filter, meaning that to use a saved object type + attribute in the aggregation, the `savedObjectType.attributes.title: + "myTitle"` format must be used. For root fields, the syntax is + `savedObjectType.rootField`. NOTE: As objects change in Kibana, the + results on each page of the response also change. Use the find API + for traditional paginated results, but avoid using it to export + large amounts of data. + in: query + name: aggs + schema: + type: string + - description: The default operator to use for the `simple_query_string`. + in: query + name: default_search_operator + schema: + type: string + - description: The fields to return in the attributes key of the response. + in: query + name: fields + schema: + oneOf: + - type: string + - type: array + - description: > + The filter is a KQL string with the caveat that if you filter with + an attribute from your saved object type, it should look like that: + `savedObjectType.attributes.title: "myTitle"`. However, if you use a + root attribute of a saved object such as `updated_at`, you will have + to define your filter like that: `savedObjectType.updated_at > + 2018-12-22`. + in: query + name: filter + schema: + type: string + - description: >- + Filters to objects that do not have a relationship with the type and + identifier combination. + in: query + name: has_no_reference + schema: + type: object + - description: >- + The operator to use for the `has_no_reference` parameter. Either + `OR` or `AND`. Defaults to `OR`. + in: query + name: has_no_reference_operator + schema: + type: string + - description: >- + Filters to objects that have a relationship with the type and ID + combination. + in: query + name: has_reference + schema: + type: object + - description: >- + The operator to use for the `has_reference` parameter. Either `OR` + or `AND`. Defaults to `OR`. + in: query + name: has_reference_operator + schema: + type: string + - description: The page of objects to return. + in: query + name: page + schema: + type: integer + - description: The number of objects to return per page. + in: query + name: per_page + schema: + type: integer + - description: >- + An Elasticsearch `simple_query_string` query that filters the + objects in the response. + in: query + name: search + schema: + type: string + - description: >- + The fields to perform the `simple_query_string` parsed query + against. + in: query + name: search_fields + schema: + oneOf: + - type: string + - type: array + - description: > + Sorts the response. Includes "root" and "type" fields. "root" fields + exist for all saved objects, such as "updated_at". "type" fields are + specific to an object type, such as fields returned in the + attributes key of the response. When a single type is defined in the + type parameter, the "root" and "type" fields are allowed, and + validity checks are made in that order. When multiple types are + defined in the type parameter, only "root" fields are allowed. + in: query + name: sort_field + schema: + type: string + - description: The saved object types to include. + in: query + name: type + required: true + schema: + oneOf: + - type: string + - type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Search for saved objects + tags: + - saved objects + /api/saved_objects/_import: + post: + description: > + Create sets of Kibana saved objects from a file created by the export + API. + + Saved objects can be imported only into the same version, a newer minor + on the same major, or the next major. Exported saved objects are not + backwards compatible and cannot be imported into an older version of + Kibana. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: importSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + Creates copies of saved objects, regenerates each object ID, and + resets the origin. When used, potential conflict errors are avoided. + NOTE: This option cannot be used with the `overwrite` and + `compatibilityMode` options. + in: query + name: createNewCopies + required: false + schema: + type: boolean + - description: > + Overwrites saved objects when they already exist. When used, + potential conflict errors are automatically resolved by overwriting + the destination object. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: overwrite + required: false + schema: + type: boolean + - description: > + Applies various adjustments to the saved objects that are being + imported to maintain compatibility between different Kibana + versions. Use this option only if you encounter issues with imported + saved objects. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: compatibilityMode + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + examples: + importObjectsRequest: + $ref: '#/components/examples/Saved_objects_import_objects_request' + schema: + type: object + properties: + file: + description: > + A file exported using the export API. NOTE: The + `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be included in + this file. Similarly, the + `savedObjects.maxImportPayloadBytes` setting limits the + overall size of the file that can be imported. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + importObjectsResponse: + $ref: '#/components/examples/Saved_objects_import_objects_response' + schema: + type: object + properties: + errors: + description: > + Indicates the import was unsuccessful and specifies the + objects that failed to import. + + + NOTE: One object may result in multiple errors, which + requires separate steps to resolve. For instance, a + `missing_references` error and conflict error. + items: + type: object + type: array + success: + description: > + Indicates when the import was successfully completed. When + set to false, some objects may not have been created. For + additional information, refer to the `errors` and + `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: integer + successResults: + description: > + Indicates the objects that are successfully imported, with + any metadata if applicable. + + + NOTE: Objects are created only when all resolvable errors + are addressed, including conflicts and missing references. + If objects are created as new copies, each entry in the + `successResults` array includes a `destinationId` + attribute. + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Import saved objects + tags: + - saved objects + x-codeSamples: + - label: Import with createNewCopies + lang: cURL + source: | + curl \ + -X POST api/saved_objects/_import?createNewCopies=true + -H "kbn-xsrf: true" + --form file=@file.ndjson + /api/saved_objects/_resolve_import_errors: + post: + description: > + To resolve errors from the Import objects API, you can: + + + * Retry certain saved objects + + * Overwrite specific saved objects + + * Change references to different saved objects + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: resolveImportErrors + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + Applies various adjustments to the saved objects that are being + imported to maintain compatibility between different Kibana + versions. When enabled during the initial import, also enable when + resolving import errors. This option cannot be used with the + `createNewCopies` option. + in: query + name: compatibilityMode + required: false + schema: + type: boolean + - description: > + Creates copies of the saved objects, regenerates each object ID, and + resets the origin. When enabled during the initial import, also + enable when resolving import errors. + in: query + name: createNewCopies + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + examples: + resolveImportErrorsRequest: + $ref: >- + #/components/examples/Saved_objects_resolve_missing_reference_request + schema: + type: object + properties: + file: + description: The same file given to the import API. + format: binary + type: string + retries: + description: >- + The retry operations, which can specify how to resolve + different types of errors. + items: + type: object + properties: + destinationId: + description: >- + Specifies the destination ID that the imported object + should have, if different from the current ID. + type: string + id: + description: The saved object ID. + type: string + ignoreMissingReferences: + description: >- + When set to `true`, ignores missing reference errors. + When set to `false`, does nothing. + type: boolean + overwrite: + description: >- + When set to `true`, the source object overwrites the + conflicting destination object. When set to `false`, + does nothing. + type: boolean + replaceReferences: + description: >- + A list of `type`, `from`, and `to` used to change the + object references. + items: + type: object + properties: + from: + type: string + to: + type: string + type: + type: string + type: array + type: + description: The saved object type. + type: string + required: + - type + - id + type: array + required: + - retries + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + resolveImportErrorsResponse: + $ref: >- + #/components/examples/Saved_objects_resolve_missing_reference_response + schema: + type: object + properties: + errors: + description: > + Specifies the objects that failed to resolve. + + + NOTE: One object can result in multiple errors, which + requires separate steps to resolve. For instance, a + `missing_references` error and a `conflict` error. + items: + type: object + type: array + success: + description: > + Indicates a successful import. When set to `false`, some + objects may not have been created. For additional + information, refer to the `errors` and `successResults` + properties. + type: boolean + successCount: + description: | + Indicates the number of successfully resolved records. + type: number + successResults: + description: > + Indicates the objects that are successfully imported, with + any metadata if applicable. + + + NOTE: Objects are only created when all resolvable errors + are addressed, including conflict and missing references. + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Resolve import errors + tags: + - saved objects + /api/saved_objects/{type}: + post: + deprecated: true + description: Create a Kibana saved object with a randomly generated identifier. + operationId: createSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: If true, overwrites the document with the same identifier. + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + attributes: + $ref: '#/components/schemas/Saved_objects_attributes' + initialNamespaces: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + references: + $ref: '#/components/schemas/Saved_objects_references' + required: + - attributes + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a conflict error. + summary: Create a saved object + tags: + - saved objects + /api/saved_objects/{type}/{id}: + get: + deprecated: true + description: Retrieve a single Kibana saved object by identifier. + operationId: getSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Get a saved object + tags: + - saved objects + post: + deprecated: true + description: >- + Create a Kibana saved object and specify its identifier instead of using + a randomly generated ID. + operationId: createSavedObjectId + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: If true, overwrites the document with the same identifier. + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + attributes: + $ref: '#/components/schemas/Saved_objects_attributes' + initialNamespaces: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + references: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + required: + - attributes + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a conflict error. + summary: Create a saved object + tags: + - saved objects + put: + deprecated: true + description: Update the attributes for Kibana saved objects. + operationId: updateSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates the object was not found. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a conflict error. + summary: Update a saved object + tags: + - saved objects + /api/saved_objects/resolve/{type}/{id}: + get: + deprecated: true + description: > + Retrieve a single Kibana saved object by identifier using any legacy URL + alias if it exists. Under certain circumstances, when Kibana is + upgraded, saved object migrations may necessitate regenerating some + object IDs to enable new features. When an object's ID is regenerated, a + legacy URL alias is created for that object, preserving its old ID. In + such a scenario, that object can be retrieved using either its new ID or + its old ID. + operationId: resolveSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Resolve a saved object + tags: + - saved objects + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: >- + Apply a bulk action to multiple anonymization fields. The bulk action is + applied to all anonymization fields that match the filter or to the list + of anonymization fields by their IDs. + operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of anonymization fields IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter anonymization fields + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Apply a bulk action to anonymization fields + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/anonymization_fields/_find: + get: + description: Get a list of all anonymization fields. + operationId: FindAnonymizationFields + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get anonymization fields + tags: + - Security AI Assistant API + - AnonymizationFields API + /api/security_ai_assistant/chat/complete: + post: + description: Create a model response for the given chat conversation. + operationId: ChatComplete + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true + responses: + '200': + content: + application/octet-stream; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Create a model response + tags: + - Security AI Assistant API + - Chat Complete API + /api/security_ai_assistant/current_user/conversations: + post: + description: Create a new Security AI Assistant conversation. + operationId: CreateConversation + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Create a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: Get a list of all conversations for the current user. + operationId: FindConversations + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Conversations per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get conversations + tags: + - Security AI Assistant API + - Conversations API + /api/security_ai_assistant/current_user/conversations/{id}: + delete: + description: Delete an existing conversation using the conversation ID. + operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Delete a conversation + tags: + - Security AI Assistant API + - Conversation API + get: + description: Get the details of an existing conversation using the conversation ID. + operationId: ReadConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get a conversation + tags: + - Security AI Assistant API + - Conversations API + put: + description: Update an existing conversation using the conversation ID. + operationId: UpdateConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Update a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: >- + Apply a bulk action to multiple prompts. The bulk action is applied to + all prompts that match the filter or to the list of prompts by their + IDs. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of prompts IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter promps + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Apply a bulk action to prompts + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/prompts/_find: + get: + description: Get a list of all prompts. + operationId: FindPrompts + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Prompts per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Get prompts + tags: + - Security AI Assistant API + - Prompts API + /api/security/role: + get: + operationId: '%2Fapi%2Fsecurity%2Frole#0' + parameters: [] + responses: {} + summary: Get all roles + tags: + - roles + /api/security/role/{name}: + delete: + operationId: '%2Fapi%2Fsecurity%2Frole%2F%7Bname%7D#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + minLength: 1 + type: string + responses: {} + summary: Delete a role + tags: + - roles + get: + operationId: '%2Fapi%2Fsecurity%2Frole%2F%7Bname%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - in: path + name: name + required: true + schema: + minLength: 1 + type: string + responses: {} + summary: Get a role + tags: + - roles + put: + operationId: '%2Fapi%2Fsecurity%2Frole%2F%7Bname%7D#2' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: name + required: true + schema: + maxLength: 1024 + minLength: 1 + type: string + - in: query + name: createOnly + required: false + schema: + default: false + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + description: + maxLength: 2048 + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + cluster: + items: + type: string + type: array + indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + type: boolean + field_security: + additionalProperties: + items: + type: string + type: array + type: object + names: + items: + type: string + minItems: 1 + type: array + privileges: + items: + type: string + minItems: 1 + type: array + query: + type: string + required: + - names + - privileges + type: array + remote_cluster: + items: + additionalProperties: false + type: object + properties: + clusters: + items: + type: string + minItems: 1 + type: array + privileges: + items: + type: string + minItems: 1 + type: array + required: + - privileges + - clusters + type: array + remote_indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + type: boolean + clusters: + items: + type: string + minItems: 1 + type: array + field_security: + additionalProperties: + items: + type: string + type: array + type: object + names: + items: + type: string + minItems: 1 + type: array + privileges: + items: + type: string + minItems: 1 + type: array + query: + type: string + required: + - clusters + - names + - privileges + type: array + run_as: + items: + type: string + type: array + kibana: + items: + additionalProperties: false + type: object + properties: + base: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - items: + type: string + type: array + - items: + type: string + type: array + feature: + additionalProperties: + items: + type: string + type: array + type: object + spaces: + anyOf: + - items: + enum: + - '*' + type: string + maxItems: 1 + minItems: 1 + type: array + - items: + type: string + type: array + default: + - '*' + required: + - base + type: array + metadata: + additionalProperties: {} + type: object + required: + - elasticsearch + responses: {} + summary: Create or update a role + tags: + - roles + /api/security/roles: + post: + operationId: '%2Fapi%2Fsecurity%2Froles#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + roles: + additionalProperties: + additionalProperties: false + type: object + properties: + description: + maxLength: 2048 + type: string + elasticsearch: + additionalProperties: false + type: object + properties: + cluster: + items: + type: string + type: array + indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + type: boolean + field_security: + additionalProperties: + items: + type: string + type: array + type: object + names: + items: + type: string + minItems: 1 + type: array + privileges: + items: + type: string + minItems: 1 + type: array + query: + type: string + required: + - names + - privileges + type: array + remote_cluster: + items: + additionalProperties: false + type: object + properties: + clusters: + items: + type: string + minItems: 1 + type: array + privileges: + items: + type: string + minItems: 1 + type: array + required: + - privileges + - clusters + type: array + remote_indices: + items: + additionalProperties: false + type: object + properties: + allow_restricted_indices: + type: boolean + clusters: + items: + type: string + minItems: 1 + type: array + field_security: + additionalProperties: + items: + type: string + type: array + type: object + names: + items: + type: string + minItems: 1 + type: array + privileges: + items: + type: string + minItems: 1 + type: array + query: + type: string + required: + - clusters + - names + - privileges + type: array + run_as: + items: + type: string + type: array + kibana: + items: + additionalProperties: false + type: object + properties: + base: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - items: + type: string + type: array + - items: + type: string + type: array + feature: + additionalProperties: + items: + type: string + type: array + type: object + spaces: + anyOf: + - items: + enum: + - '*' + type: string + maxItems: 1 + minItems: 1 + type: array + - items: + type: string + type: array + default: + - '*' + required: + - base + type: array + metadata: + additionalProperties: {} + type: object + required: + - elasticsearch + type: object + required: + - roles + responses: {} + summary: Create or update roles + tags: + - roles + /api/spaces/_copy_saved_objects: + post: + description: Copy saved objects to spaces + operationId: '%2Fapi%2Fspaces%2F_copy_saved_objects#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + compatibilityMode: + default: false + type: boolean + createNewCopies: + default: true + type: boolean + includeReferences: + default: false + type: boolean + objects: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + type: array + overwrite: + default: false + type: boolean + spaces: + items: + type: string + type: array + required: + - spaces + - objects + responses: {} + summary: '' + tags: [] + /api/spaces/_disable_legacy_url_aliases: + post: + description: Disable legacy URL aliases + operationId: '%2Fapi%2Fspaces%2F_disable_legacy_url_aliases#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + aliases: + items: + additionalProperties: false + type: object + properties: + sourceId: + type: string + targetSpace: + type: string + targetType: + type: string + required: + - targetSpace + - targetType + - sourceId + type: array + required: + - aliases + responses: {} + summary: '' + tags: [] + /api/spaces/_get_shareable_references: + post: + description: Get shareable references + operationId: '%2Fapi%2Fspaces%2F_get_shareable_references#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + objects: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + type: array + required: + - objects + responses: {} + summary: '' + tags: [] + /api/spaces/_resolve_copy_saved_objects_errors: + post: + description: Resolve conflicts copying saved objects + operationId: '%2Fapi%2Fspaces%2F_resolve_copy_saved_objects_errors#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + compatibilityMode: + default: false + type: boolean + createNewCopies: + default: true + type: boolean + includeReferences: + default: false + type: boolean + objects: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + type: array + retries: + additionalProperties: + items: + additionalProperties: false + type: object + properties: + createNewCopy: + type: boolean + destinationId: + type: string + id: + type: string + ignoreMissingReferences: + type: boolean + overwrite: + default: false + type: boolean + type: + type: string + required: + - type + - id + type: array + type: object + required: + - retries + - objects + responses: {} + summary: '' + tags: [] + /api/spaces/_update_objects_spaces: + post: + description: Update saved objects in spaces + operationId: '%2Fapi%2Fspaces%2F_update_objects_spaces#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + objects: + items: + additionalProperties: false + type: object + properties: + id: + type: string + type: + type: string + required: + - type + - id + type: array + spacesToAdd: + items: + type: string + type: array + spacesToRemove: + items: + type: string + type: array + required: + - objects + - spacesToAdd + - spacesToRemove + responses: {} + summary: '' + tags: [] + /api/spaces/space: + get: + description: Get all spaces + operationId: '%2Fapi%2Fspaces%2Fspace#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - in: query + name: purpose + required: false + schema: + enum: + - any + - copySavedObjectsIntoSpace + - shareSavedObjectsIntoSpace + type: string + - in: query + name: include_authorized_purposes + required: true + schema: + anyOf: + - items: {} + type: array + - type: boolean + - type: number + - type: object + - type: string + nullable: true + oneOf: + - enum: + - false + type: boolean + x-oas-optional: true + - type: boolean + x-oas-optional: true + responses: {} + summary: '' + tags: + - spaces + post: + description: Create a space + operationId: '%2Fapi%2Fspaces%2Fspace#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + type: string + description: + type: string + disabledFeatures: + default: [] + items: + type: string + type: array + id: + type: string + imageUrl: + type: string + initials: + maxLength: 2 + type: string + name: + minLength: 1 + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name + responses: {} + summary: '' + tags: + - spaces + /api/spaces/space/{id}: + delete: + description: Delete a space + operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#2' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: id + required: true + schema: + type: string + responses: {} + summary: '' + tags: + - spaces + get: + description: Get a space + operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - in: path + name: id + required: true + schema: + type: string + responses: {} + summary: '' + tags: + - spaces + put: + description: Update a space + operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#1' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: A required header to protect against CSRF attacks + in: header + name: kbn-xsrf + required: true + schema: + example: 'true' + type: string + - in: path + name: id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + _reserved: + type: boolean + color: + type: string + description: + type: string + disabledFeatures: + default: [] + items: + type: string + type: array + id: + type: string + imageUrl: + type: string + initials: + maxLength: 2 + type: string + name: + minLength: 1 + type: string + solution: + enum: + - security + - oblt + - es + - classic + type: string + required: + - id + - name + responses: {} + summary: '' + tags: + - spaces + /api/status: + get: + operationId: '%2Fapi%2Fstatus#0' + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: Set to "true" to get the response in v7 format. + in: query + name: v7format + required: false + schema: + type: boolean + - description: Set to "true" to get the response in v8 format. + in: query + name: v8format + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. + description: Overall status is OK and Kibana should be functioning normally. + '503': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. + description: >- + Kibana or some of it's essential services are unavailable. Kibana + may be degraded or unavailable. + summary: Get Kibana's current status + tags: + - system + /api/timeline: + delete: + description: Delete one or more Timelines or Timeline templates. + operationId: DeleteTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + savedObjectIds: + items: + type: string + type: array + searchIds: + description: >- + Saved search ids that should be deleted alongside the + timelines + items: + type: string + type: array + required: + - savedObjectIds + description: The IDs of the Timelines or Timeline templates to delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + deleteTimeline: + type: boolean + required: + - deleteTimeline + required: + - data + description: Indicates the Timeline was successfully deleted. + summary: Delete Timelines or Timeline templates + tags: + - Security Timeline API + - access:securitySolution + get: + description: Get the details of an existing saved Timeline or Timeline template. + operationId: GetTimeline + parameters: + - description: The ID of the template timeline to retrieve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the Timeline to retrieve. + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - type: object + properties: + data: + type: object + properties: + getOneTimeline: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineResponse + required: + - getOneTimeline + required: + - data + - additionalProperties: false + type: object + description: Indicates that the (template) Timeline was found and returned. + summary: Get Timeline or Timeline template details + tags: + - Security Timeline API + - access:securitySolution + patch: + description: >- + Update an existing Timeline. You can update the title, description, date + range, pinned events, pinned queries, and/or pinned saved queries of an + existing Timeline. + operationId: PatchTimeline + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The Timeline updates, along with the Timeline ID and version. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: >- + Indicates that the draft Timeline was successfully created. In the + event the user already has a draft Timeline, the existing draft + Timeline is cleared and returned. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates that the user does not have the required access to create + a draft Timeline. + summary: Update a Timeline + tags: + - Security Timeline API + - access:securitySolution + post: + description: Create a new Timeline or Timeline template. + operationId: CreateTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + status: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineId: + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + version: + nullable: true + type: string + required: + - timeline + description: >- + The required Timeline fields used to create a new Timeline, along with + optional fields that will be created if not provided. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates the Timeline was successfully created. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that there was an error in the Timeline creation. + summary: Create a Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_copy: + get: + description: | + Copies and returns a timeline or timeline template. + operationId: CopyTimeline + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + timelineIdToCopy: + type: string + required: + - timeline + - timelineIdToCopy + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates that the timeline has been successfully copied. + summary: Copies timeline or timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_draft: + get: + description: >- + Get the details of the draft Timeline or Timeline template for the + current user. If the user doesn't have a draft Timeline, an empty + Timeline is returned. + operationId: GetDraftTimelines + parameters: + - in: query + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: Indicates that the draft Timeline was successfully retrieved. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + If a draft Timeline was not found and we attempted to create one, it + indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + This should never happen, but if a draft Timeline was not found and + we attempted to create one, it indicates that there is already a + draft Timeline with the given `timelineId`. + summary: Get draft Timeline or Timeline template details + tags: + - Security Timeline API + - access:securitySolution + post: + description: > + Create a clean draft Timeline or Timeline template for the current user. + + > info + + > If the user already has a draft Timeline, the existing draft Timeline + is cleared and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + required: + - timelineType + description: >- + The type of Timeline to create. Valid values are `default` and + `template`. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_PersistTimelineResponse + description: >- + Indicates that the draft Timeline was successfully created. In the + event the user already has a draft Timeline, the existing draft + Timeline is cleared and returned. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that the user does not have the required permissions to + create a draft Timeline. + '409': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that there is already a draft Timeline with the given + `timelineId`. + summary: Create a clean draft Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_export: + post: + description: Export Timelines as an NDJSON file. + operationId: ExportTimelines + parameters: + - description: The name of the file to export + in: query + name: file_name + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + items: + type: string + nullable: true + type: array + description: The IDs of the Timelines to export. + required: true + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: NDJSON of the exported Timelines + type: string + description: Indicates the Timelines were successfully exported. + '400': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that the export size limit was exceeded. + summary: Export Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_favorite: + patch: + description: Favorite a Timeline or Timeline template for the current user. + operationId: PersistFavoriteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true + type: string + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) Timeline. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistFavorite: + $ref: >- + #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse + required: + - persistFavorite + required: + - data + description: Indicates the favorite status was successfully updated. + '403': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the user does not have the required permissions to persist + the favorite status. + summary: Favorite a Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_import: + post: + description: Import Timelines. + operationId: ImportTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: {} + isImmutable: + enum: + - 'true' + - 'false' + type: string + required: + - file + description: The Timelines to import as a readable stream. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_ImportTimelineResult + description: Indicates the import of Timelines was successful. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: + type: string + statusCode: + type: number + description: >- + Indicates the import of Timelines was unsuccessful because of an + invalid file extension. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + statusCode: + type: number + description: >- + Indicates that we were unable to locate the saved object client + necessary to handle the import. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: + type: string + statusCode: + type: number + description: Indicates the import of Timelines was unsuccessful. + summary: Import Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/_prepackaged: + post: + description: Install or update prepackaged Timelines. + operationId: InstallPrepackedTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + prepackagedTimelines: + items: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject + nullable: true + type: array + timelinesToInstall: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + timelinesToUpdate: + items: + $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' + nullable: true + type: array + required: + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The Timelines to install or update. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Timeline_API_ImportTimelineResult + description: Indicates the installation of prepackaged Timelines was successful. + '500': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the installation of prepackaged Timelines was + unsuccessful. + summary: Install prepackaged Timelines + tags: + - Security Timeline API + - access:securitySolution + /api/timeline/resolve: + get: + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - type: object + properties: + data: + $ref: >- + #/components/schemas/Security_Timeline_API_ResolvedTimeline + required: + - data + - additionalProperties: false + type: object + description: The (template) Timeline has been found + '400': + description: The request is missing parameters + '404': + description: The (template) Timeline was not found + summary: Get an existing saved Timeline or Timeline template + tags: + - Security Timeline API + - access:securitySolution + /api/timelines: + get: + description: Get a list of all saved Timelines or Timeline templates. + operationId: GetTimelines + parameters: + - description: >- + If true, only timelines that are marked as favorites by the user are + returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + - in: query + name: sort_field + schema: + $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' + - in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - in: query + name: page_size + schema: + nullable: true + type: string + - in: query + name: page_index + schema: + nullable: true + type: string + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: status + schema: + $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + customTemplateTimelineCount: + type: number + defaultTimelineCount: + type: number + elasticTemplateTimelineCount: + type: number + favoriteCount: + type: number + templateTimelineCount: + type: number + timeline: + items: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineResponse + type: array + totalCount: + type: number + required: + - timeline + - totalCount + description: Indicates that the (template) Timelines were found and returned. + '400': + content: + application:json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Bad request. The user supplied invalid data. + summary: Get Timelines or Timeline templates + tags: + - Security Timeline API + - access:securitySolution + /s/{spaceId}/api/observability/slos: + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: findSlosOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' + in: query + name: kqlQuery + schema: + type: string + - description: The page to use for pagination, must be greater or equal than 1 + example: 1 + in: query + name: page + schema: + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 + in: query + name: perPage + schema: + default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status + in: query + name: sortBy + schema: + default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining + type: string + - description: Sort order + example: asc + in: query + name: sortDirection + schema: + default: asc + enum: + - asc + - desc + type: string + - description: >- + Hide stale SLOs from the list as defined by stale SLO threshold in + SLO settings + in: query + name: hideStale + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_find_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs + tags: + - slo + post: + description: > + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: createSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + summary: Create an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/_delete_instances: + post: + description: > + The deletion occurs for the specified list of `sloId` and `instanceId`. + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloInstancesOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_delete_slo_instances_request' + required: true + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + summary: Batch delete rollup and summary data + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}: + delete: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Delete an SLO + tags: + - slo + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: getSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + - description: the specific instanceId used by the summary calculation + example: host-abcde + in: query + name: instanceId + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get an SLO + tags: + - slo + put: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: updateSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_update_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Update an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/_reset: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: resetSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Reset an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/disable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: disableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '200': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Disable an SLO + tags: + - slo + /s/{spaceId}/api/observability/slos/{sloId}/enable: + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: enableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Enable an SLO + tags: + - slo +components: + examples: + Alerting_get_health_response: + summary: Retrieve information about the health of the alerting framework. + value: + alerting_framework_health: + decryption_health: + status: ok + timestamp: '2023-01-13T01:28:00.280Z' + execution_health: + status: ok + timestamp: '2023-01-13T01:28:00.280Z' + read_health: + status: ok + timestamp: '2023-01-13T01:28:00.280Z' + has_permanent_encryption_key: true + is_sufficiently_secure: true + Alerting_get_rule_types_response: + summary: Retrieve rule types associated with Kibana machine learning features + value: + - action_groups: + - id: anomaly_score_match + name: Anomaly score matched the condition + - id: recovered + name: Recovered + action_variables: + context: + - description: The bucket timestamp of the anomaly + name: timestamp + - description: The bucket time of the anomaly in ISO8601 format + name: timestampIso8601 + - description: List of job IDs that triggered the alert + name: jobIds + - description: Alert info message + name: message + - description: Indicate if top hits contain interim results + name: isInterim + - description: Anomaly score at the time of the notification action + name: score + - description: Top records + name: topRecords + - description: Top influencers + name: topInfluencers + - description: URL to open in the Anomaly Explorer + name: anomalyExplorerUrl + useWithTripleBracesInTemplates: true + params: [] + state: [] + alerts: + context: ml.anomaly-detection + mappings: + fieldMap: + kibana.alert.anomaly_score: + array: false + type: double + required: false + kibana.alert.anomaly_timestamp: + array: false + type: date + required: false + kibana.alert.is_interim: + array: false + type: boolean + required: false + kibana.alert.job_id: + array: false + type: keyword + required: true + kibana.alert.top_influencers: + array: true + dynamic: false + type: object + properties: + influencer_field_name: + type: keyword + influencer_field_value: + type: keyword + influencer_score: + type: double + initial_influencer_score: + type: double + is_interim: + type: boolean + job_id: + type: keyword + timestamp: + type: date + required: false + kibana.alert.top_records: + array: true + dynamic: false + type: object + properties: + actual: + type: double + by_field_name: + type: keyword + by_field_value: + type: keyword + detector_index: + type: integer + field_name: + type: keyword + function: + type: keyword + initial_record_score: + type: double + is_interim: + type: boolean + job_id: + type: keyword + over_field_name: + type: keyword + over_field_value: + type: keyword + partition_field_name: + type: keyword + partition_field_value: + type: keyword + record_score: + type: double + timestamp: + type: date + typical: + type: double + required: false + shouldWrite: true + authorized_consumers: + alerts: + all: true + read: true + apm: + all: true + read: true + discover: + all: true + read: true + infrastructure: + all: true + read: true + logs: + all: true + read: true + ml: + all: true + read: true + monitoring: + all: true + read: true + siem: + all: true + read: true + slo: + all: true + read: true + stackAlerts: + all: true + read: true + uptime: + all: true + read: true + category: management + default_action_group_id: anomaly_score_match + does_set_recovery_context: true + enabled_in_license: true + has_alerts_mappings: true + has_fields_for_a_a_d: false + id: xpack.ml.anomaly_detection_alert + is_exportable: true + minimum_license_required: platinum + name: Anomaly detection alert + producer: ml + recovery_action_group: + id: recovered + name: Recovered + rule_task_timeout: 5m + - action_groups: + - id: anomaly_detection_realtime_issue + name: Issue detected + - id: recovered + name: Recovered + action_variables: + context: + - description: Results of the rule execution + name: results + - description: Alert info message + name: message + params: [] + state: [] + authorized_consumers: + alerts: + all: true + read: true + apm: all: true read: true discover: @@ -15706,140 +23623,1365 @@ components: summary: Create a data view with runtime fields. value: data_view: - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - script: - source: emit(doc['shape_name'].value) - type: keyword - title: logstash-* - Data_views_create_runtime_field_request: - summary: Create a runtime field. + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: emit(doc['shape_name'].value) + type: keyword + title: logstash-* + Data_views_create_runtime_field_request: + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: emit(doc["foo"].value) + type: long + Data_views_get_data_view_response: + summary: >- + The get data view API returns a JSON object that contains information + about the data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number + params: + pattern: $0,0.00 + products.base_unit_price: + id: number + params: + pattern: $0,0.00 + products.min_price: + id: number + params: + pattern: $0,0.00 + products.price: + id: number + params: + pattern: $0,0.00 + products.taxful_price: + id: number + params: + pattern: $0,0.00 + products.taxless_price: + id: number + params: + pattern: $0,0.00 + taxful_total_price: + id: number + params: + pattern: $0,0.[00] + taxless_total_price: + id: number + params: + pattern: $0,0.00 + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category + type: string + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name + type: string + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_full_name + type: string + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + event.dataset: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: manufacturer + type: string + order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category + type: string + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer + type: string + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_name: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name + type: string + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxful_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: $0,0.00 + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + type: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + user: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + summary: The get all data views API returns a list of data views. + value: + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + summary: The get default data view API returns the default data view identifier. value: - name: runtimeFoo - runtimeField: - script: - source: emit(doc["foo"].value) - type: long - Data_views_get_data_view_response: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: summary: >- - The get data view API returns a JSON object that contains information - about the data view. + The get runtime field API returns a JSON object that contains + information about the runtime field (`hour_of_day`) and the data view + (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). value: data_view: allowNoIndex: false - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - count: 1 + fieldAttrs: {} fieldFormats: - products.base_price: - id: number - params: - pattern: $0,0.00 - products.base_unit_price: - id: number - params: - pattern: $0,0.00 - products.min_price: - id: number - params: - pattern: $0,0.00 - products.price: - id: number - params: - pattern: $0,0.00 - products.taxful_price: - id: number - params: - pattern: $0,0.00 - products.taxless_price: - id: number - params: - pattern: $0,0.00 - taxful_total_price: + AvgTicketPrice: id: number params: pattern: $0,0.[00] - taxless_total_price: + hour_of_day: id: number params: - pattern: $0,0.00 + pattern: '00' fields: _id: aggregatable: false count: 0 esTypes: - - _id + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: $0,0.[00] + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + DistanceMiles: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword format: id: string isMapped: true - name: _id - readFromDocValues: false + name: FlightDelayType + readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string - _index: + FlightNum: aggregatable: true count: 0 esTypes: - - _index + - keyword format: id: string isMapped: true - name: _index - readFromDocValues: false + name: FlightNum + readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string - _score: - aggregatable: false + FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeMin: + aggregatable: true count: 0 + esTypes: + - float format: id: number isMapped: true - name: _score + name: FlightTimeMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long scripted: false - searchable: false + searchable: true shortDotsEnable: false type: number - _source: - aggregatable: false + Origin: + aggregatable: true count: 0 esTypes: - - _source + - keyword format: - id: _source + id: string isMapped: true - name: _source - readFromDocValues: false + name: Origin + readFromDocValues: true scripted: false - searchable: false + searchable: true shortDotsEnable: false - type: _source - category: - aggregatable: false + type: string + OriginAirportID: + aggregatable: true count: 0 esTypes: - - text + - keyword format: id: string isMapped: true - name: category - readFromDocValues: false + name: OriginAirportID + readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string - category.keyword: + OriginCityName: aggregatable: true count: 0 esTypes: @@ -15847,16 +24989,13 @@ components: format: id: string isMapped: true - name: category.keyword + name: OriginCityName readFromDocValues: true scripted: false searchable: true shortDotsEnable: false - subType: - multi: - parent: category type: string - currency: + OriginCountry: aggregatable: true count: 0 esTypes: @@ -15864,7283 +25003,15966 @@ components: format: id: string isMapped: true - name: currency + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp readFromDocValues: true scripted: false searchable: true shortDotsEnable: false + type: date + id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: emit(doc['timestamp'].value.getHour()); + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". + value: + fromId: abcd-efg + toId: xyz-123 + Data_views_set_default_data_view_request: + summary: Set the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_swap_data_view_request: + summary: >- + Swap references from data view ID "abcd-efg" to "xyz-123" and remove the + data view that is no longer referenced. + value: + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_update_data_view_request: + summary: Update some properties for a data view. + value: + data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + summary: Update metadata for multiple fields. + value: + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_runtime_field_request: + summary: Update an existing runtime field on a data view. + value: + runtimeField: + script: + source: emit(doc["bar"].value) + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. + value: + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Saved_objects_export_objects_request: + summary: Export a specific saved object. + value: + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + type: map + Saved_objects_export_objects_response: + summary: >- + The export objects API response contains a JSON record for each exported + object. + value: + attributes: + description: '' + layerListJSON: >- + [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total + Requests by + Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web + logs + count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual + Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total + Requests and + Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web + logs + count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] + mapStateJSON: >- + {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} + title: '[Logs] Total Requests and Bytes' + uiStateJSON: '{"isDarkMode":false}' + coreMigrationVersion: 8.8.0 + created_at: '2023-08-23T20:03:32.204Z' + id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + managed: false + references: + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_1_join_0_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_2_source_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_3_source_index_pattern + type: index-pattern + type: map + typeMigrationVersion: 8.4.0 + updated_at: '2023-08-23T20:03:32.204Z' + version: WzEzLDFd + Saved_objects_import_objects_request: + value: + file: file.ndjson + Saved_objects_import_objects_response: + summary: >- + The import objects API response indicates a successful import and the + objects are created. Since these objects are created as new copies, each + entry in the successResults array includes a destinationId attribute. + value: + success: true + successCount: 1 + successResults: + - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + managed: false + meta: + icon: indexPatternApp + title: Kibana Sample Data Logs + type: index-pattern + Saved_objects_key_rotation_response: + summary: Encryption key rotation using default parameters. + value: + failed: 0 + successful: 300 + total: 1000 + Saved_objects_resolve_missing_reference_request: + value: + file: file.ndjson + retries: + - id: my-pattern + overwrite: true + type: index-pattern + - destinationId: another-vis + id: my-vis + overwrite: true + type: visualization + - destinationId: yet-another-canvas + id: my-canvas + overwrite: true + type: canvas + - id: my-dashboard + type: dashboard + Saved_objects_resolve_missing_reference_response: + summary: Resolve missing reference errors. + value: + success: true + successCount: 3 + successResults: + - id: my-vis + meta: + icon: visualizeApp + title: Look at my visualization + type: visualization + - id: my-search + meta: + icon: searchApp + title: Look at my search + type: search + - id: my-dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + type: dashboard + parameters: + Alerting_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Cases_alert_id: + description: An identifier for the alert. + in: path + name: alertId + required: true + schema: + example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 + type: string + Cases_assignees_filter: + description: > + Filters the returned cases by assignees. Valid values are `none` or + unique identifiers for the user profiles. These identifiers can be found + by using the suggest user profile API. + in: query + name: assignees + schema: + oneOf: + - type: string + - items: type: string - customer_birth_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: customer_birth_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - customer_first_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_first_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + maxItems: 100 + type: array + Cases_case_id: + description: >- + The identifier for the case. To retrieve case IDs, use the find cases + API. All non-ASCII characters must be URL encoded. + in: path + name: caseId + required: true + schema: + example: 9c235210-6834-11ea-a78c-6ffb38a34414 + type: string + Cases_category: + description: Filters the returned cases by category. + in: query + name: category + schema: + oneOf: + - example: my-category + type: string + - items: type: string - customer_first_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_first_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_first_name + maxItems: 100 + type: array + Cases_comment_id: + description: > + The identifier for the comment. To retrieve comment IDs, use the get + case or find cases APIs. + in: path + name: commentId + required: true + schema: + example: 71ec1870-725b-11ea-a0b2-c51ea50a58e2 + type: string + Cases_configuration_id: + description: An identifier for the configuration. + in: path + name: configurationId + required: true + schema: + example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 + type: string + Cases_connector_id: + description: >- + An identifier for the connector. To retrieve connector IDs, use the find + connectors API. + in: path + name: connectorId + required: true + schema: + example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 + type: string + Cases_defaultSearchOperator: + description: he default operator to use for the simple_query_string. + example: OR + in: query + name: defaultSearchOperator + schema: + default: OR + type: string + Cases_from: + description: > + Returns only cases that were created after a specific date. The date + must be specified as a KQL data range or date match expression. + in: query + name: from + schema: + example: now-1d + type: string + Cases_ids: + description: > + The cases that you want to removed. All non-ASCII characters must be URL + encoded. + example: d4e7abb0-b462-11ec-9a8d-698504725a43 + in: query + name: ids + required: true + schema: + items: + maxItems: 100 + minItems: 1 + type: string + type: array + Cases_includeComments: + deprecated: true + description: >- + Deprecated in 8.1.0. This parameter is deprecated and will be removed in + a future release. It determines whether case comments are returned. + in: query + name: includeComments + schema: + default: true + type: boolean + Cases_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Cases_owner: + description: > + A filter to limit the response to a specific set of applications. If + this parameter is omitted, the response contains information about all + the cases that the user has access to read. + example: cases + in: query + name: owner + schema: + oneOf: + - $ref: '#/components/schemas/Cases_owners' + - items: + $ref: '#/components/schemas/Cases_owners' + type: array + Cases_page_index: + description: The page number to return. + in: query + name: page + required: false + schema: + default: 1 + type: integer + Cases_page_size: + description: The number of items to return. Limited to 100 items. + in: query + name: perPage + required: false + schema: + default: 20 + maximum: 100 + type: integer + Cases_reporters: + description: Filters the returned cases by the user name of the reporter. + example: elastic + in: query + name: reporters + schema: + oneOf: + - type: string + - items: type: string - customer_full_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_full_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + maxItems: 100 + type: array + Cases_search: + description: >- + An Elasticsearch simple_query_string query that filters the objects in + the response. + in: query + name: search + schema: + type: string + Cases_searchFields: + description: The fields to perform the simple_query_string parsed query against. + in: query + name: searchFields + schema: + oneOf: + - $ref: '#/components/schemas/Cases_searchFieldsType' + - items: + $ref: '#/components/schemas/Cases_searchFieldsType' + type: array + Cases_severity: + description: The severity of the case. + in: query + name: severity + schema: + enum: + - critical + - high + - low + - medium + type: string + Cases_sort_order: + description: Determines the sort order. + in: query + name: sortOrder + required: false + schema: + default: desc + enum: + - asc + - desc + type: string + Cases_sortField: + description: Determines which field is used to sort the results. + example: updatedAt + in: query + name: sortField + schema: + default: createdAt + enum: + - createdAt + - updatedAt + - closedAt + - title + - category + - status + - severity + type: string + Cases_status: + description: Filters the returned cases by state. + example: open + in: query + name: status + schema: + enum: + - closed + - in-progress + - open + type: string + Cases_tags: + description: Filters the returned cases by tags. + example: tag-1 + in: query + name: tags + schema: + oneOf: + - type: string + - items: type: string - customer_full_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_full_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_full_name + maxItems: 100 + type: array + Cases_to: + description: > + Returns only cases that were created before a specific date. The date + must be specified as a KQL data range or date match expression. + example: now+1d + in: query + name: to + schema: + type: string + Cases_user_action_types: + description: Determines the types of user actions to return. + example: create_case + in: query + name: types + schema: + items: + enum: + - action + - alert + - assignees + - attachment + - comment + - connector + - create_case + - description + - pushed + - settings + - severity + - status + - tags + - title + - user + type: string + type: array + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Fleet_format: + description: Simplified or legacy format for package inputs + in: query + name: format + required: false + schema: + enum: + - simplified + - legacy + type: string + Fleet_kbn_xsrf: + description: Kibana's anti Cross-Site Request Forgery token. Can be any string value. + in: header + name: kbn-xsrf + required: true + schema: + type: string + Fleet_kuery: + in: query + name: kuery + required: false + schema: + type: string + Fleet_page_index: + in: query + name: page + required: false + schema: + default: 1 + type: integer + Fleet_page_size: + description: The number of items to return + in: query + name: perPage + required: false + schema: + default: 20 + type: integer + Fleet_show_inactive: + in: query + name: showInactive + required: false + schema: + type: boolean + Fleet_show_upgradeable: + in: query + name: showUpgradeable + required: false + schema: + type: boolean + Fleet_sort_field: + in: query + name: sortField + required: false + schema: + deprecated: true + type: string + Fleet_sort_order: + in: query + name: sortOrder + required: false + schema: + enum: + - asc + - desc + type: string + Fleet_with_metrics: + description: Return agent metrics, false by default + in: query + name: withMetrics + required: false + schema: + type: boolean + Machine_learning_APIs_simulateParam: + description: >- + When true, simulates the synchronization by returning only the list of + actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + Saved_objects_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Saved_objects_saved_object_id: + description: An identifier for the saved object. + in: path + name: id + required: true + schema: + type: string + Saved_objects_saved_object_type: + description: >- + Valid options include `visualization`, `dashboard`, `search`, + `index-pattern`, `config`. + in: path + name: type + required: true + schema: + type: string + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: >- + An identifier for the space. If `/s/` and the identifier are omitted + from the path, the default space is used. + in: path + name: spaceId + required: true + schema: + example: default + type: string + responses: + Fleet_error: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + schemas: + Alerting_401_response: + properties: + error: + enum: + - Unauthorized + example: Unauthorized + type: string + message: + type: string + statusCode: + enum: + - 401 + example: 401 + type: integer + title: Unsuccessful rule API response + type: object + Alerting_alert_response_properties: + title: Legacy alert response properties + type: object + properties: + actions: + items: + type: object + type: array + alertTypeId: + example: .index-threshold + type: string + apiKeyOwner: + example: elastic + nullable: true + type: string + createdAt: + description: The date and time that the alert was created. + example: '2022-12-05T23:36:58.284Z' + format: date-time + type: string + createdBy: + description: The identifier for the user that created the alert. + example: elastic + type: string + enabled: + description: Indicates whether the alert is currently enabled. + example: true + type: boolean + executionStatus: + type: object + properties: + lastExecutionDate: + example: '2022-12-06T00:13:43.890Z' + format: date-time type: string - customer_gender: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_gender - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + status: + example: ok type: string - customer_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + id: + description: The identifier for the alert. + example: b530fed0-74f5-11ed-9801-35303b735aef + type: string + muteAll: + example: false + type: boolean + mutedInstanceIds: + items: + type: string + nullable: true + type: array + name: + description: The name of the alert. + example: my alert + type: string + notifyWhen: + example: onActionGroupChange + type: string + params: + additionalProperties: true + type: object + schedule: + type: object + properties: + interval: type: string - customer_last_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_last_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + scheduledTaskId: + example: b530fed0-74f5-11ed-9801-35303b735aef + type: string + tags: + items: + type: string + type: array + throttle: + nullable: true + type: string + updatedAt: + example: '2022-12-05T23:36:58.284Z' + type: string + updatedBy: + description: The identifier for the user that updated this alert most recently. + example: elastic + nullable: true + type: string + Alerting_fieldmap_properties: + title: Field map objects in the get rule types response + type: object + properties: + array: + description: Indicates whether the field is an array. + type: boolean + dynamic: + description: Indicates whether it is a dynamic field mapping. + type: boolean + format: + description: > + Indicates the format of the field. For example, if the `type` is + `date_range`, the `format` can be + `epoch_millis||strict_date_optional_time`. + type: string + ignore_above: + description: >- + Specifies the maximum length of a string field. Longer strings are + not indexed or stored. + type: integer + index: + description: Indicates whether field values are indexed. + type: boolean + path: + description: TBD + type: string + properties: + additionalProperties: + type: object + properties: + type: + description: The data type for each object property. + type: string + description: > + Details about the object properties. This property is applicable + when `type` is `object`. + type: object + required: + description: Indicates whether the field is required. + type: boolean + scaling_factor: + description: > + The scaling factor to use when encoding values. This property is + applicable when `type` is `scaled_float`. Values will be multiplied + by this factor at index time and rounded to the closest long value. + type: integer + type: + description: Specifies the data type for the field. + example: scaled_float + type: string + Cases_4xx_response: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful cases API response + type: object + Cases_action_types: + description: The type of action. + enum: + - assignees + - create_case + - comment + - connector + - delete_case + - description + - pushed + - tags + - title + - status + - settings + - severity + example: create_case + type: string + Cases_actions: + enum: + - add + - create + - delete + - push_to_service + - update + example: create + type: string + Cases_add_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. + type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owners' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. + enum: + - alert + example: alert + type: string + required: + - alertId + - index + - owner + - rule + - type + title: Add case comment request properties for alerts + Cases_add_case_comment_request: + description: >- + The add comment to case API request body varies depending on whether you + are adding an alert or a comment. + discriminator: + mapping: + alert: '#/components/schemas/Cases_add_alert_comment_request_properties' + user: '#/components/schemas/Cases_add_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' + title: Add case comment request + Cases_add_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + type: + description: The type of comment. + enum: + - user + example: user + type: string + required: + - comment + - owner + - type + title: Add case comment request properties for user comments + type: object + Cases_alert_comment_response_properties: + title: Add case comment response properties for alerts + type: object + properties: + alertId: + items: + example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 + type: string + type: array + created_at: + example: '2023-11-06T19:29:38.424Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true type: string - customer_last_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_last_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_last_name + full_name: + example: null + nullable: true type: string - customer_phone: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_phone - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string - day_of_week: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: day_of_week - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + username: + example: elastic + nullable: true type: string - day_of_week_i: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: day_of_week_i - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number + required: + - email + - full_name + - username + id: + example: 73362370-ab1a-11ec-985f-97e55adae8b9 + type: string + index: + items: + example: .internal.alerts-security.alerts-default-000001 + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owners' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + nullable: true + type: object + properties: email: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: email - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + example: null + nullable: true + type: string + full_name: + example: null + nullable: true type: string - event.dataset: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: event.dataset - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string - geoip.city_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.city_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + username: + example: elastic + nullable: true type: string - geoip.continent_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.continent_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - email + - full_name + - username + rule: + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 type: string - geoip.country_iso_code: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.country_iso_code - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + name: + description: The rule name. + example: security_rule type: string - geoip.location: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: geoip.location - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - geoip.region_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.region_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + type: + enum: + - alert + example: alert + type: string + updated_at: + format: date-time + nullable: true + type: string + updated_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true type: string - manufacturer: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + full_name: + example: null + nullable: true type: string - manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: manufacturer + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + version: + example: WzMwNDgsMV0= + type: string + required: + - type + Cases_alert_identifiers: + description: > + The alert identifiers. It is required only when `type` is `alert`. You + can use an array of strings to add multiple alerts to a case, provided + that they all relate to the same rule; `index` must also be an array + with the same length or number of elements. Adding multiple alerts in + this manner is recommended rather than calling the API multiple times. + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert identifiers + x-technical-preview: true + Cases_alert_indices: + description: > + The alert indices. It is required only when `type` is `alert`. If you + are adding multiple alerts to a case, use an array of strings; the + position of each index name in the array must match the position of the + corresponding alert identifier in the `alertId` array. This + functionality is in technical preview and may be changed or removed in a + future release. Elastic will work to fix any issues, but features in + technical preview are not subject to the support SLA of official GA + features. + oneOf: + - type: string + - items: + type: string + maxItems: 1000 + type: array + title: Alert indices + x-technical-preview: true + Cases_alert_response_properties: + type: object + properties: + attached_at: + format: date-time + type: string + id: + description: The alert identifier. + type: string + index: + description: The alert index. + type: string + Cases_assignees: + description: An array containing users that are assigned to the case. + items: + type: object + properties: + uid: + description: >- + A unique identifier for the user profile. These identifiers can be + found by using the suggest user profile API. + example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 + type: string + required: + - uid + maxItems: 10 + nullable: true + type: array + Cases_case_category: + description: A word or phrase that categorizes the case. + maxLength: 50 + type: string + Cases_case_description: + description: The description for the case. + maxLength: 30000 + type: string + Cases_case_response_closed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for closed_by + type: object + Cases_case_response_created_by_properties: + title: Case response properties for created_by + type: object + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + Cases_case_response_properties: + title: Case response properties + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + description: The case category. + nullable: true + type: string + closed_at: + format: date-time + nullable: true + type: string + closed_by: + $ref: '#/components/schemas/Cases_case_response_closed_by_properties' + comments: + description: An array of comment objects for the case. + items: + discriminator: + mapping: + alert: '#/components/schemas/Cases_alert_comment_response_properties' + user: '#/components/schemas/Cases_user_comment_response_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_alert_comment_response_properties' + - $ref: '#/components/schemas/Cases_user_comment_response_properties' + maxItems: 10000 + title: Case response properties for comments + type: array + connector: + discriminator: + mapping: + .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' + .jira: '#/components/schemas/Cases_connector_properties_jira' + .none: '#/components/schemas/Cases_connector_properties_none' + .resilient: '#/components/schemas/Cases_connector_properties_resilient' + .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' + .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' + .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + title: Case response properties for connectors + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + customFields: + description: Custom field values for the case. + items: + type: object + properties: + key: + description: > + The unique identifier for the custom field. The key value must + exist in the case configuration settings. + type: string + type: + description: > + The custom field type. It must match the type specified in the + case configuration settings. + enum: + - text + - toggle + type: string + value: + description: > + The custom field value. If the custom field is required, it + cannot be explicitly set to null. However, for cases that + existed when the required custom field was added, the default + value stored in Elasticsearch is `undefined`. The value + returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + type: array + description: + example: A case description. + type: string + duration: + description: > + The elapsed time from the creation of the case to its closure (in + seconds). If the case has not been closed, the duration is set to + null. If the case was closed after less than half a second, the + duration is rounded down to zero. + example: 120 + nullable: true + type: integer + external_service: + $ref: '#/components/schemas/Cases_external_service' + id: + example: 66b9aa00-94fa-11ea-9f74-e7e108796192 + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + example: + - tag-1 + items: + type: string + type: array + title: + example: Case title 1 + type: string + totalAlerts: + example: 0 + type: integer + totalComment: + example: 0 + type: integer + updated_at: + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzUzMiwxXQ== + type: string + required: + - closed_at + - closed_by + - comments + - connector + - created_at + - created_by + - description + - duration + - external_service + - id + - owner + - settings + - severity + - status + - tags + - title + - totalAlerts + - totalComment + - updated_at + - updated_by + - version + Cases_case_response_pushed_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for pushed_by + type: object + Cases_case_response_updated_by_properties: + nullable: true + properties: + email: + example: null + nullable: true + type: string + full_name: + example: null + nullable: true + type: string + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + type: string + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + title: Case response properties for updated_by + type: object + Cases_case_severity: + default: low + description: The severity of the case. + enum: + - critical + - high + - low + - medium + type: string + Cases_case_status: + description: The status of the case. + enum: + - closed + - in-progress + - open + type: string + Cases_case_tags: + description: > + The words and phrases that help categorize cases. It can be an empty + array. + items: + maxLength: 256 + type: string + maxItems: 200 + type: array + Cases_case_title: + description: A title for the case. + maxLength: 160 + type: string + Cases_closure_types: + description: >- + Indicates whether a case is automatically closed when it is pushed to + external systems (`close-by-pushing`) or not automatically closed + (`close-by-user`). + enum: + - close-by-pushing + - close-by-user + example: close-by-user + type: string + Cases_connector_properties_cases_webhook: + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + fields: + example: null + nullable: true + type: string + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .cases-webhook + example: .cases-webhook + type: string + required: + - fields + - id + - name + - type + title: Create or upate case request properties for Cases Webhook connector + Cases_connector_properties_jira: + description: Defines properties for connectors when type is `.jira`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + type: object + properties: + issueType: + description: The type of issue. + nullable: true type: string - order_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: order_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - order_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: order_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + parent: + description: The key of the parent issue, when the issue type is sub-task. + nullable: true type: string - products._id: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products._id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + priority: + description: The priority of the issue. + nullable: true type: string - products._id.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products._id.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products._id + required: + - issueType + - parent + - priority + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .jira + example: .jira + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for a Jira connector + Cases_connector_properties_none: + description: Defines properties for connectors when type is `.none`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create a case without + a connector, specify null. To update a case to remove the connector, + specify null. + example: null + nullable: true + type: string + id: + description: >- + The identifier for the connector. To create a case without a + connector, use `none`. To update a case to remove the connector, + specify `none`. + example: none + type: string + name: + description: >- + The name of the connector. To create a case without a connector, use + `none`. To update a case to remove the connector, specify `none`. + example: none + type: string + type: + description: >- + The type of connector. To create a case without a connector, use + `.none`. To update a case to remove the connector, specify `.none`. + enum: + - .none + example: .none + type: string + required: + - fields + - id + - name + - type + title: Create or update case request properties for no connector + Cases_connector_properties_resilient: + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + nullable: true + type: object + properties: + issueTypes: + description: The type of incident. + items: + type: string + type: array + severityCode: + description: The severity code of the incident. type: string - products.base_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.base_unit_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.base_unit_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products.category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + required: + - issueTypes + - severityCode + id: + description: The identifier for the connector. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .resilient + example: .resilient + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a IBM Resilient connector + Cases_connector_properties_servicenow: + description: Defines properties for connectors when type is `.servicenow`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true type: string - products.category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.category + impact: + description: The effect an incident had on business. + nullable: true type: string - products.created_on: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: products.created_on - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - products.discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.discount_percentage: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_percentage - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.manufacturer: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + severity: + description: The severity of the incident. + nullable: true type: string - products.manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.manufacturer + subcategory: + description: The subcategory of the incident. + nullable: true type: string - products.min_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.min_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.price: - aggregatable: true - count: 1 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_id: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - isMapped: true - name: products.product_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_name: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.product_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + urgency: + description: The extent to which the incident resolution can be delayed. + nullable: true type: string - products.product_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.product_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.product_name + required: + - category + - impact + - severity + - subcategory + - urgency + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .servicenow + example: .servicenow + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow ITSM connector + Cases_connector_properties_servicenow_sir: + description: Defines properties for connectors when type is `.servicenow-sir`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + type: object + properties: + category: + description: The category of the incident. + nullable: true + type: string + destIp: + description: >- + Indicates whether cases will send a comma-separated list of + destination IPs. + nullable: true + type: boolean + malwareHash: + description: >- + Indicates whether cases will send a comma-separated list of + malware hashes. + nullable: true + type: boolean + malwareUrl: + description: >- + Indicates whether cases will send a comma-separated list of + malware URLs. + nullable: true + type: boolean + priority: + description: The priority of the issue. + nullable: true type: string - products.quantity: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: products.quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + sourceIp: + description: >- + Indicates whether cases will send a comma-separated list of + source IPs. + nullable: true + type: boolean + subcategory: + description: The subcategory of the incident. + nullable: true type: string - products.tax_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.tax_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxful_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxful_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxless_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: products.taxless_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.unit_discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.unit_discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - category + - destIp + - malwareHash + - malwareUrl + - priority + - sourceIp + - subcategory + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .servicenow-sir + example: .servicenow-sir + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a ServiceNow SecOps connector + Cases_connector_properties_swimlane: + description: Defines properties for connectors when type is `.swimlane`. + type: object + properties: + fields: + description: >- + An object containing the connector fields. If you want to omit any + individual field, specify null as its value. + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + nullable: true + type: string + required: + - caseId + id: + description: >- + The identifier for the connector. To retrieve connector IDs, use the + find connectors API. + type: string + name: + description: The name of the connector. + type: string + type: + description: The type of connector. + enum: + - .swimlane + example: .swimlane + type: string + required: + - fields + - id + - name + - type + title: Create case request properties for a Swimlane connector + Cases_connector_types: + description: The type of connector. + enum: + - .cases-webhook + - .jira + - .none + - .resilient + - .servicenow + - .servicenow-sir + - .swimlane + example: .none + type: string + Cases_create_case_request: + description: >- + The create case API request body varies depending on the type of + connector. + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: > + Custom field values for a case. Any optional custom fields that are + not specified in the request are set to null. + items: + type: object + properties: + key: + description: > + The unique identifier for the custom field. The key value must + exist in the case configuration settings. + type: string + type: + description: > + The custom field type. It must match the type specified in the + case configuration settings. + enum: + - text + - toggle + type: string + value: + description: > + The custom field value. If the custom field is required, it + cannot be explicitly set to null. However, for cases that + existed when the required custom field was added, the default + value stored in Elasticsearch is `undefined`. The value + returned in the API and user interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + required: + - key + - type + - value + maxItems: 10 + minItems: 0 + type: array + description: + $ref: '#/components/schemas/Cases_case_description' + owner: + $ref: '#/components/schemas/Cases_owners' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + required: + - connector + - description + - owner + - settings + - tags + - title + title: Create case request + type: object + Cases_external_service: + nullable: true + type: object + properties: + connector_id: + type: string + connector_name: + type: string + external_id: + type: string + external_title: + type: string + external_url: + type: string + pushed_at: + format: date-time + type: string + pushed_by: + nullable: true + type: object + properties: + email: + example: null + nullable: true type: string - taxful_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: taxful_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - taxless_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: $0,0.00 - isMapped: true - name: taxless_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_quantity: - aggregatable: true - count: 1 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_unique_products: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_unique_products - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - type: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: type - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + full_name: + example: null + nullable: true type: string - user: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: user - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - runtimeFieldMap: {} - sourceFilters: [] - timeFieldName: order_date - title: kibana_sample_data_ecommerce - typeMeta: {} - version: WzUsMV0= - Data_views_get_data_views_response: - summary: The get all data views API returns a list of data views. - value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - namespaces: - - default - title: kibana_sample_data_flights - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: Kibana Sample Data Logs - namespaces: - - default - title: kibana_sample_data_logs - Data_views_get_default_data_view_response: - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_get_runtime_field_response: - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). - value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: - AvgTicketPrice: - id: number - params: - pattern: $0,0.[00] - hour_of_day: - id: number - params: - pattern: '00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + username: + example: elastic + nullable: true type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false + Cases_owners: + description: > + The application that owns the cases: Stack Management, Observability, or + Elastic Security. + enum: + - cases + - observability + - securitySolution + example: cases + type: string + Cases_payload_alert_comment: + type: object + properties: + comment: + type: object + properties: + alertId: + oneOf: + - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d + type: string + - items: + type: string + type: array + index: + oneOf: + - example: .alerts-observability.logs.alerts-default + type: string + - items: + type: string + type: array + owner: + $ref: '#/components/schemas/Cases_owners' + rule: + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + type: string + name: + description: The rule name. + example: security_rule + type: string + type: + enum: + - alert type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - AvgTicketPrice: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - params: - pattern: $0,0.[00] - isMapped: true - name: AvgTicketPrice - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - Cancelled: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: Cancelled - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - Carrier: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Carrier - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + Cases_payload_assignees: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + Cases_payload_connector: + type: object + properties: + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create a case + without a connector, specify null. If you want to omit any + individual field, specify null as its value. + example: null + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. + type: string + destIp: + description: >- + Indicates whether cases will send a comma-separated list of + destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: >- + The effect an incident had on business for ServiceNow ITSM + connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + items: + type: string + type: array + malwareHash: + description: >- + Indicates whether cases will send a comma-separated list of + malware hashes for ServiceNow SecOps connectors. + nullable: true + type: boolean + malwareUrl: + description: >- + Indicates whether cases will send a comma-separated list of + malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: >- + The key of the parent issue, when the issue type is sub-task + for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and ServiceNow SecOps + connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM Resilient + connectors. + type: string + sourceIp: + description: >- + Indicates whether cases will send a comma-separated list of + source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: >- + The subcategory of the incident for ServiceNow ITSM + connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can be delayed + for ServiceNow ITSM connectors. + type: string + id: + description: >- + The identifier for the connector. To create a case without a + connector, use `none`. + example: none type: string - dayOfWeek: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: dayOfWeek - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - Dest: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Dest - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + name: + description: >- + The name of the connector. To create a case without a connector, + use `none`. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + Cases_payload_create_case: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + connector: + type: object + properties: + fields: + description: >- + An object containing the connector fields. To create a case + without a connector, specify null. If you want to omit any + individual field, specify null as its value. + example: null + nullable: true + type: object + properties: + caseId: + description: The case identifier for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. + type: string + destIp: + description: >- + Indicates whether cases will send a comma-separated list of + destination IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + impact: + description: >- + The effect an incident had on business for ServiceNow ITSM + connectors. + type: string + issueType: + description: The type of issue for Jira connectors. + type: string + issueTypes: + description: The type of incident for IBM Resilient connectors. + items: + type: string + type: array + malwareHash: + description: >- + Indicates whether cases will send a comma-separated list of + malware hashes for ServiceNow SecOps connectors. + nullable: true + type: boolean + malwareUrl: + description: >- + Indicates whether cases will send a comma-separated list of + malware URLs for ServiceNow SecOps connectors. + nullable: true + type: boolean + parent: + description: >- + The key of the parent issue, when the issue type is sub-task + for Jira connectors. + type: string + priority: + description: >- + The priority of the issue for Jira and ServiceNow SecOps + connectors. + type: string + severity: + description: The severity of the incident for ServiceNow ITSM connectors. + type: string + severityCode: + description: >- + The severity code of the incident for IBM Resilient + connectors. + type: string + sourceIp: + description: >- + Indicates whether cases will send a comma-separated list of + source IPs for ServiceNow SecOps connectors. + nullable: true + type: boolean + subcategory: + description: >- + The subcategory of the incident for ServiceNow ITSM + connectors. + type: string + urgency: + description: >- + The extent to which the incident resolution can be delayed + for ServiceNow ITSM connectors. + type: string + id: + description: >- + The identifier for the connector. To create a case without a + connector, use `none`. + example: none type: string - DestAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + name: + description: >- + The name of the connector. To create a case without a connector, + use `none`. + example: none type: string - DestCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + type: + $ref: '#/components/schemas/Cases_connector_types' + description: + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + items: + example: + - tag-1 + type: string + type: array + title: + type: string + Cases_payload_delete: + description: >- + If the `action` is `delete` and the `type` is `delete_case`, the payload + is nullable. + nullable: true + type: object + Cases_payload_description: + type: object + properties: + description: + type: string + Cases_payload_pushed: + type: object + properties: + externalService: + $ref: '#/components/schemas/Cases_external_service' + Cases_payload_settings: + type: object + properties: + settings: + $ref: '#/components/schemas/Cases_settings' + Cases_payload_severity: + type: object + properties: + severity: + $ref: '#/components/schemas/Cases_case_severity' + Cases_payload_status: + type: object + properties: + status: + $ref: '#/components/schemas/Cases_case_status' + Cases_payload_tags: + type: object + properties: + tags: + example: + - tag-1 + items: + type: string + type: array + Cases_payload_title: + type: object + properties: + title: + type: string + Cases_payload_user_comment: + type: object + properties: + comment: + type: object + properties: + comment: type: string - DestCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + owner: + $ref: '#/components/schemas/Cases_owners' + type: + enum: + - user type: string - DestLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: DestLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - DestRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + Cases_rule: + description: > + The rule that is associated with the alerts. It is required only when + `type` is `alert`. This functionality is in technical preview and may be + changed or removed in a future release. Elastic will work to fix any + issues, but features in technical preview are not subject to the support + SLA of official GA features. + title: Alerting rule + type: object + properties: + id: + description: The rule identifier. + example: 94d80550-aaf4-11ec-985f-97e55adae8b9 + type: string + name: + description: The rule name. + example: security_rule + type: string + x-technical-preview: true + Cases_searchFieldsType: + description: The fields to perform the `simple_query_string` parsed query against. + enum: + - description + - title + type: string + Cases_set_case_configuration_request: + description: >- + External connection details, such as the closure type and default + connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not used and + are not propagated to individual cases, therefore it is + recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a default + connector, use `none`. To retrieve connector IDs, use the find + connectors API. + example: none type: string - DestWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + name: + description: >- + The name of the connector. If you do not want a default + connector, use `none`. To retrieve connector names, use the find + connectors API. + example: none type: string - DistanceKilometers: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceKilometers - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - DistanceMiles: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceMiles - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelay: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: FlightDelay - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - FlightDelayMin: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: FlightDelayMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelayType: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightDelayType - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + type: + $ref: '#/components/schemas/Cases_connector_types' + required: + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. + items: + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the `type` is `text`, + the default value must be a string. If the `type` is `toggle`, + the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower case and + composed only of a-z, 0-9, '_', and '-' characters. It is used + in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If `false`, the + custom field can be set to null or omitted when a case is + created or updated. + type: boolean + required: + - key + - label + - required + - type + maxItems: 10 + minItems: 0 + type: array + owner: + $ref: '#/components/schemas/Cases_owners' + templates: + $ref: '#/components/schemas/Cases_templates' + required: + - closure_type + - connector + - owner + title: Set case configuration request + type: object + Cases_settings: + description: An object that contains the case settings. + type: object + properties: + syncAlerts: + description: Turns alert syncing on or off. + example: true + type: boolean + required: + - syncAlerts + Cases_template_tags: + description: > + The words and phrases that help categorize templates. It can be an empty + array. + items: + maxLength: 256 + type: string + maxItems: 200 + type: array + Cases_templates: + items: + type: object + properties: + caseFields: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not + used and are not propagated to individual cases, therefore + it is recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a + default connector, use `none`. To retrieve connector IDs, + use the find connectors API. + example: none + type: string + name: + description: >- + The name of the connector. If you do not want a default + connector, use `none`. To retrieve connector names, use + the find connectors API. + example: none + type: string + type: + $ref: '#/components/schemas/Cases_connector_types' + customFields: + description: Custom field values in the template. + items: + type: object + properties: + key: + description: The unique key for the custom field. + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + value: + description: > + The default value for the custom field when a case uses + the template. If the `type` is `text`, the default value + must be a string. If the `type` is `toggle`, the default + value must be boolean. + oneOf: + - type: string + - type: boolean + type: array + x-technical-preview: true + description: + $ref: '#/components/schemas/Cases_case_description' + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + description: + description: A description for the template. + type: string + key: + description: > + A unique key for the template. Must be lower case and composed + only of a-z, 0-9, '_', and '-' characters. It is used in API calls + to refer to a specific template. + type: string + name: + description: The name of the template. + type: string + tags: + $ref: '#/components/schemas/Cases_template_tags' + type: array + x-technical-preview: true + Cases_update_alert_comment_request_properties: + description: Defines properties for case comment requests when type is alert. + type: object + properties: + alertId: + $ref: '#/components/schemas/Cases_alert_identifiers' + id: + description: > + The identifier for the comment. To retrieve comment IDs, use the get + comments API. + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + index: + $ref: '#/components/schemas/Cases_alert_indices' + owner: + $ref: '#/components/schemas/Cases_owners' + rule: + $ref: '#/components/schemas/Cases_rule' + type: + description: The type of comment. + enum: + - alert + example: alert + type: string + version: + description: > + The current comment version. To retrieve version values, use the get + comments API. + example: Wzk1LDFd + type: string + required: + - alertId + - id + - index + - owner + - rule + - type + - version + title: Update case comment request properties for alerts + Cases_update_case_comment_request: + description: >- + The update case comment API request body varies depending on whether you + are updating an alert or a comment. + discriminator: + mapping: + alert: '#/components/schemas/Cases_update_alert_comment_request_properties' + user: '#/components/schemas/Cases_update_user_comment_request_properties' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' + - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' + title: Update case comment request + Cases_update_case_configuration_request: + description: > + You can update settings such as the closure type, custom fields, + templates, and the default connector for cases. + properties: + closure_type: + $ref: '#/components/schemas/Cases_closure_types' + connector: + description: An object that contains the connector configuration. + type: object + properties: + fields: + description: >- + The fields specified in the case configuration are not used and + are not propagated to individual cases, therefore it is + recommended to set it to `null`. + nullable: true + type: object + id: + description: >- + The identifier for the connector. If you do not want a default + connector, use `none`. To retrieve connector IDs, use the find + connectors API. + example: none type: string - FlightNum: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightNum - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + name: + description: >- + The name of the connector. If you do not want a default + connector, use `none`. To retrieve connector names, use the find + connectors API. + example: none type: string - FlightTimeHour: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightTimeHour - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + type: + $ref: '#/components/schemas/Cases_connector_types' + required: + - fields + - id + - name + - type + customFields: + description: Custom fields case configuration. + items: + type: object + properties: + defaultValue: + description: > + A default value for the custom field. If the `type` is `text`, + the default value must be a string. If the `type` is `toggle`, + the default value must be boolean. + oneOf: + - type: string + - type: boolean + key: + description: > + A unique key for the custom field. Must be lower case and + composed only of a-z, 0-9, '_', and '-' characters. It is used + in API calls to refer to a specific custom field. + maxLength: 36 + minLength: 1 + type: string + label: + description: The custom field label that is displayed in the case. + maxLength: 50 + minLength: 1 + type: string + type: + description: The type of the custom field. + enum: + - text + - toggle + type: string + required: + description: > + Indicates whether the field is required. If `false`, the + custom field can be set to null or omitted when a case is + created or updated. + type: boolean + required: + - key + - label + - required + - type + type: array + templates: + $ref: '#/components/schemas/Cases_templates' + version: + description: > + The version of the connector. To retrieve the version value, use the + get configuration API. + example: WzIwMiwxXQ== + type: string + required: + - version + title: Update case configuration request + type: object + Cases_update_case_request: + description: >- + The update case API request body varies depending on the type of + connector. + properties: + cases: + description: An array containing one or more case objects. + items: + type: object + properties: + assignees: + $ref: '#/components/schemas/Cases_assignees' + category: + $ref: '#/components/schemas/Cases_case_category' + connector: + oneOf: + - $ref: '#/components/schemas/Cases_connector_properties_none' + - $ref: >- + #/components/schemas/Cases_connector_properties_cases_webhook + - $ref: '#/components/schemas/Cases_connector_properties_jira' + - $ref: '#/components/schemas/Cases_connector_properties_resilient' + - $ref: '#/components/schemas/Cases_connector_properties_servicenow' + - $ref: >- + #/components/schemas/Cases_connector_properties_servicenow_sir + - $ref: '#/components/schemas/Cases_connector_properties_swimlane' + customFields: + description: > + Custom field values for a case. Any optional custom fields + that are not specified in the request are set to null. + items: + type: object + properties: + key: + description: > + The unique identifier for the custom field. The key + value must exist in the case configuration settings. + type: string + type: + description: > + The custom field type. It must match the type specified + in the case configuration settings. + enum: + - text + - toggle + type: string + value: + description: > + The custom field value. If the custom field is required, + it cannot be explicitly set to null. However, for cases + that existed when the required custom field was added, + the default value stored in Elasticsearch is + `undefined`. The value returned in the API and user + interface in this case is `null`. + oneOf: + - maxLength: 160 + minLength: 1 + nullable: true + type: string + - type: boolean + required: + - key + - type + - value + maxItems: 10 + minItems: 0 + type: array + description: + $ref: '#/components/schemas/Cases_case_description' + id: + description: The identifier for the case. + maxLength: 30000 + type: string + settings: + $ref: '#/components/schemas/Cases_settings' + severity: + $ref: '#/components/schemas/Cases_case_severity' + status: + $ref: '#/components/schemas/Cases_case_status' + tags: + $ref: '#/components/schemas/Cases_case_tags' + title: + $ref: '#/components/schemas/Cases_case_title' + version: + description: >- + The current version of the case. To determine this value, use + the get case or find cases APIs. + type: string + required: + - id + - version + maxItems: 100 + minItems: 1 + type: array + required: + - cases + title: Update case request + type: object + Cases_update_user_comment_request_properties: + description: Defines properties for case comment requests when type is user. + properties: + comment: + description: The new comment. It is required only when `type` is `user`. + example: A new comment. + maxLength: 30000 + type: string + id: + description: > + The identifier for the comment. To retrieve comment IDs, use the get + comments API. + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + type: + description: The type of comment. + enum: + - user + example: user + type: string + version: + description: > + The current comment version. To retrieve version values, use the get + comments API. + example: Wzk1LDFd + type: string + required: + - comment + - id + - owner + - type + - version + title: Update case comment request properties for user comments + type: object + Cases_user_actions_find_response_properties: + type: object + properties: + action: + $ref: '#/components/schemas/Cases_actions' + comment_id: + example: 578608d0-03b1-11ed-920c-974bfa104448 + nullable: true + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true type: string - FlightTimeMin: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: FlightTimeMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - hour_of_day: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - params: - pattern: '00' - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Origin: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Origin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + full_name: + example: null + nullable: true type: string - OriginAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string - OriginCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + username: + example: elastic + nullable: true type: string - OriginCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + required: + - email + - full_name + - username + id: + example: 22fd3e30-03b1-11ed-920c-974bfa104448 + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + payload: + oneOf: + - $ref: '#/components/schemas/Cases_payload_alert_comment' + - $ref: '#/components/schemas/Cases_payload_assignees' + - $ref: '#/components/schemas/Cases_payload_connector' + - $ref: '#/components/schemas/Cases_payload_create_case' + - $ref: '#/components/schemas/Cases_payload_delete' + - $ref: '#/components/schemas/Cases_payload_description' + - $ref: '#/components/schemas/Cases_payload_pushed' + - $ref: '#/components/schemas/Cases_payload_settings' + - $ref: '#/components/schemas/Cases_payload_severity' + - $ref: '#/components/schemas/Cases_payload_status' + - $ref: '#/components/schemas/Cases_payload_tags' + - $ref: '#/components/schemas/Cases_payload_title' + - $ref: '#/components/schemas/Cases_payload_user_comment' + type: + description: The type of action. + enum: + - assignees + - create_case + - comment + - connector + - description + - pushed + - tags + - title + - status + - settings + - severity + example: create_case + type: string + version: + example: WzM1ODg4LDFd + type: string + required: + - action + - comment_id + - created_at + - created_by + - id + - owner + - payload + - type + - version + Cases_user_actions_response_properties: + type: object + properties: + action: + $ref: '#/components/schemas/Cases_actions' + action_id: + example: 22fd3e30-03b1-11ed-920c-974bfa104448 + type: string + case_id: + example: 22df07d0-03b1-11ed-920c-974bfa104448 + type: string + comment_id: + example: 578608d0-03b1-11ed-920c-974bfa104448 + nullable: true + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + type: object + properties: + email: + example: null + nullable: true type: string - OriginLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: OriginLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - OriginRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + full_name: + example: null + nullable: true type: string - OriginWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false + profile_uid: + example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string - timestamp: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: timestamp - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - runtimeFieldMap: - hour_of_day: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - sourceFilters: [] - timeFieldName: timestamp - title: kibana_sample_data_flights - version: WzM2LDJd - fields: - - aggregatable: true - count: 0 - esTypes: - - long - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: emit(doc['timestamp'].value.getHour()); - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Data_views_preview_swap_data_view_request: - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Data_views_set_default_data_view_request: - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_swap_data_view_request: - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. - value: - delete: true - fromId: abcd-efg - toId: xyz-123 - Data_views_update_data_view_request: - summary: Update some properties for a data view. - value: - data_view: - allowNoIndex: false - name: Kibana Sample Data eCommerce - timeFieldName: order_date - title: kibana_sample_data_ecommerce - refresh_fields: true - Data_views_update_field_metadata_request: - summary: Update metadata for multiple fields. - value: - fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customDescription: Field 2 description - customLabel: Field 2 label - Data_views_update_runtime_field_request: - summary: Update an existing runtime field on a data view. - value: - runtimeField: - script: - source: emit(doc["bar"].value) - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. - value: - datafeedsAdded: {} - datafeedsRemoved: {} - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - Saved_objects_export_objects_request: - summary: Export a specific saved object. - value: - excludeExportDetails: true - includeReferencesDeep: false - objects: - - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - type: map - Saved_objects_export_objects_response: - summary: >- - The export objects API response contains a JSON record for each exported - object. - value: - attributes: - description: '' - layerListJSON: >- - [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total - Requests by - Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web - logs - count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual - Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total - Requests and - Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web - logs - count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] - mapStateJSON: >- - {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} - title: '[Logs] Total Requests and Bytes' - uiStateJSON: '{"isDarkMode":false}' - coreMigrationVersion: 8.8.0 - created_at: '2023-08-23T20:03:32.204Z' - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - managed: false - references: - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_1_join_0_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_2_source_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_3_source_index_pattern - type: index-pattern - type: map - typeMigrationVersion: 8.4.0 - updated_at: '2023-08-23T20:03:32.204Z' - version: WzEzLDFd - Saved_objects_import_objects_request: - value: - file: file.ndjson - Saved_objects_import_objects_response: - summary: >- - The import objects API response indicates a successful import and the - objects are created. Since these objects are created as new copies, each - entry in the successResults array includes a destinationId attribute. - value: - success: true - successCount: 1 - successResults: - - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - managed: false - meta: - icon: indexPatternApp - title: Kibana Sample Data Logs - type: index-pattern - Saved_objects_key_rotation_response: - summary: Encryption key rotation using default parameters. - value: - failed: 0 - successful: 300 - total: 1000 - Saved_objects_resolve_missing_reference_request: - value: - file: file.ndjson - retries: - - id: my-pattern - overwrite: true - type: index-pattern - - destinationId: another-vis - id: my-vis - overwrite: true - type: visualization - - destinationId: yet-another-canvas - id: my-canvas - overwrite: true - type: canvas - - id: my-dashboard - type: dashboard - Saved_objects_resolve_missing_reference_response: - summary: Resolve missing reference errors. - value: - success: true - successCount: 3 - successResults: - - id: my-vis - meta: - icon: visualizeApp - title: Look at my visualization - type: visualization - - id: my-search - meta: - icon: searchApp - title: Look at my search - type: search - - id: my-dashboard - meta: - icon: dashboardApp - title: Look at my dashboard - type: dashboard - parameters: - Alerting_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Cases_alert_id: - description: An identifier for the alert. - in: path - name: alertId - required: true - schema: - example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 + username: + example: elastic + nullable: true + type: string + required: + - email + - full_name + - username + owner: + $ref: '#/components/schemas/Cases_owners' + payload: + oneOf: + - $ref: '#/components/schemas/Cases_payload_alert_comment' + - $ref: '#/components/schemas/Cases_payload_assignees' + - $ref: '#/components/schemas/Cases_payload_connector' + - $ref: '#/components/schemas/Cases_payload_create_case' + - $ref: '#/components/schemas/Cases_payload_delete' + - $ref: '#/components/schemas/Cases_payload_description' + - $ref: '#/components/schemas/Cases_payload_pushed' + - $ref: '#/components/schemas/Cases_payload_settings' + - $ref: '#/components/schemas/Cases_payload_severity' + - $ref: '#/components/schemas/Cases_payload_status' + - $ref: '#/components/schemas/Cases_payload_tags' + - $ref: '#/components/schemas/Cases_payload_title' + - $ref: '#/components/schemas/Cases_payload_user_comment' + type: + $ref: '#/components/schemas/Cases_action_types' + required: + - action + - action_id + - case_id + - comment_id + - created_at + - created_by + - owner + - payload + - type + Cases_user_comment_response_properties: + title: Case response properties for user comments + type: object + properties: + comment: + example: A new comment. + type: string + created_at: + example: '2022-05-13T09:16:17.416Z' + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Cases_case_response_created_by_properties' + id: + example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + type: string + owner: + $ref: '#/components/schemas/Cases_owners' + pushed_at: + example: null + format: date-time + nullable: true + type: string + pushed_by: + $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' + type: + enum: + - user + example: user + type: string + updated_at: + example: null + format: date-time + nullable: true + type: string + updated_by: + $ref: '#/components/schemas/Cases_case_response_updated_by_properties' + version: + example: WzIwNDMxLDFd + type: string + required: + - type + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: >- + Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] + not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before the data is available. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: + type: string + required: + - title + override: + default: false + description: >- + Override an existing data view if a data view with the provided + title already exists. + type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + name: + description: The data view name. + type: string + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd + type: string + Data_views_fieldattrs: + description: A map of field attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: >- + An array of space identifiers for sharing the data view between multiple + spaces. + items: + default: default type: string - Cases_assignees_filter: - description: > - Filters the returned cases by assignees. Valid values are `none` or - unique identifiers for the user profiles. These identifiers can be found - by using the suggest user profile API. - in: query - name: assignees - schema: - oneOf: - - type: string - - items: + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. type: string - maxItems: 100 - type: array - Cases_case_id: + type: + description: Mapping type of the runtime field. + type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: + type: string + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: > + Specify the type of the saved object reference to alter. The default + value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: The timestamp field name, which you use for time-based data views. + type: string + Data_views_title: description: >- - The identifier for the case. To retrieve case IDs, use the find cases - API. All non-ASCII characters must be URL encoded. - in: path - name: caseId - required: true - schema: - example: 9c235210-6834-11ea-a78c-6ffb38a34414 - type: string - Cases_category: - description: Filters the returned cases by category. - in: query - name: category - schema: - oneOf: - - example: my-category + Comma-separated list of data streams, indices, and aliases that you want + to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: When set to `rollup`, identifies the rollup data views. + type: string + Data_views_typemeta: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: > + The data view properties you want to update. Only the specified + properties are updated in the data view. Unspecified fields stay as + they are persisted. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: + type: string + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. + type: boolean + required: + - data_view + Fleet_agent: + title: Agent + type: object + properties: + access_api_key: + type: string + access_api_key_id: + type: string + active: + type: boolean + components: + items: + $ref: '#/components/schemas/Fleet_agent_component' + type: array + default_api_key: + type: string + default_api_key_id: + type: string + enrolled_at: + type: string + id: + type: string + last_checkin: + type: string + local_metadata: + $ref: '#/components/schemas/Fleet_agent_metadata' + metrics: + type: object + properties: + cpu_avg: + description: >- + Average agent CPU usage during the last 5 minutes, number + between 0-1 + type: number + memory_size_byte_avg: + description: Average agent memory consumption during the last 5 minutes + type: number + policy_id: + type: string + policy_revision: + type: number + status: + $ref: '#/components/schemas/Fleet_agent_status' + type: + $ref: '#/components/schemas/Fleet_agent_type' + unenrolled_at: + type: string + unenrollment_started_at: + type: string + user_provided_metadata: + $ref: '#/components/schemas/Fleet_agent_metadata' + required: + - type + - active + - enrolled_at + - id + - status + Fleet_agent_action: + oneOf: + - properties: + ack_data: + type: string + data: + type: string + type: + enum: + - UNENROLL + - UPGRADE + - POLICY_REASSIGN + type: string + - properties: + data: + type: object + properties: + log_level: + enum: + - debug + - info + - warning + - error + nullable: true + type: string + type: + type: string + title: Agent action + Fleet_agent_component: + title: Agent component + type: object + properties: + id: + type: string + message: + type: string + status: + $ref: '#/components/schemas/Fleet_agent_component_status' + type: + type: string + units: + items: + $ref: '#/components/schemas/Fleet_agent_component_unit' + type: array + Fleet_agent_component_status: + enum: + - starting + - configuring + - healthy + - degraded + - failed + - stopping + - stopped + title: Agent component status + type: string + Fleet_agent_component_unit: + title: Agent component unit + type: object + properties: + id: + type: string + message: + type: string + payload: + type: object + status: + $ref: '#/components/schemas/Fleet_agent_component_status' + type: + $ref: '#/components/schemas/Fleet_agent_component_unit_type' + Fleet_agent_component_unit_type: + enum: + - input + - output + title: Agent component unit type + type: string + Fleet_agent_diagnostics: + title: Agent diagnostics + type: object + properties: + actionId: + type: string + createTime: + type: string + filePath: + type: string + id: + type: string + name: + type: string + status: + enum: + - READY + - AWAITING_UPLOAD + - DELETED + - IN_PROGRESS + required: + - id + - name + - createTime + - filePath + - actionId + - status + Fleet_agent_get_by_actions: + items: + items: + type: string + type: array + title: Agents get by action ids + type: array + Fleet_agent_metadata: + title: Agent metadata + type: object + Fleet_agent_policy: + title: Agent Policy + type: object + properties: + advanced_settings: + description: >- + Advanced settings stored in the agent policy, e.g. + agent_limits_go_max_procs + nullable: true + type: object + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + agents: + type: number + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + global_data_tags: + items: + additionalProperties: + oneOf: + - type: string + - type: number + description: >- + User defined data tags that are added to all of the inputs. The + values can be strings or numbers. + type: object + type: array + id: + type: string + inactivity_timeout: + type: integer + is_protected: + description: >- + Indicates whether the agent policy has tamper protection enabled. + Default false. + type: boolean + keep_monitoring_alive: + description: >- + When set to true, monitoring will be enabled but logs/metrics + collection will be disabled + nullable: true + type: boolean + monitoring_diagnostics: + type: object + properties: + limit: + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + monitoring_enabled: + items: + enum: + - metrics + - logs type: string - - items: + type: array + monitoring_http: + type: object + properties: + enabled: + type: boolean + host: type: string - maxItems: 100 - type: array - Cases_comment_id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - case or find cases APIs. - in: path - name: commentId - required: true - schema: - example: 71ec1870-725b-11ea-a0b2-c51ea50a58e2 - type: string - Cases_configuration_id: - description: An identifier for the configuration. - in: path - name: configurationId - required: true - schema: - example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 - type: string - Cases_connector_id: - description: >- - An identifier for the connector. To retrieve connector IDs, use the find - connectors API. - in: path - name: connectorId - required: true - schema: - example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 - type: string - Cases_defaultSearchOperator: - description: he default operator to use for the simple_query_string. - example: OR - in: query - name: defaultSearchOperator - schema: - default: OR - type: string - Cases_from: - description: > - Returns only cases that were created after a specific date. The date - must be specified as a KQL data range or date match expression. - in: query - name: from - schema: - example: now-1d - type: string - Cases_ids: - description: > - The cases that you want to removed. All non-ASCII characters must be URL - encoded. - example: d4e7abb0-b462-11ec-9a8d-698504725a43 - in: query - name: ids - required: true - schema: - items: - maxItems: 100 - minItems: 1 + port: + type: number + required: + - enabled + monitoring_output_id: + nullable: true + type: string + monitoring_pprof_enabled: + type: boolean + name: + type: string + namespace: + type: string + overrides: + description: >- + Override settings that are defined in the agent policy. Input + settings cannot be overridden. The override option should be used + only in unusual circumstances and not as a routine procedure. + nullable: true + type: object + package_policies: + description: >- + This field is present only when retrieving a single agent policy, or + when retrieving a list of agent policies with the ?full=true + parameter + items: + $ref: '#/components/schemas/Fleet_package_policy' + type: array + revision: + type: number + supports_agentless: + description: >- + Indicates whether the agent policy supports agentless integrations. + Only allowed in a serverless environment. + type: boolean + unenroll_timeout: + type: integer + unprivileged_agents: + type: number + updated_by: + type: string + updated_on: + format: date-time + type: string + required: + - id + - status + - name + - namespace + Fleet_agent_policy_create_request: + title: Create agent policy request + type: object + properties: + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true type: string - type: array - Cases_includeComments: - deprecated: true - description: >- - Deprecated in 8.1.0. This parameter is deprecated and will be removed in - a future release. It determines whether case comments are returned. - in: query - name: includeComments - schema: - default: true - type: boolean - Cases_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Cases_owner: - description: > - A filter to limit the response to a specific set of applications. If - this parameter is omitted, the response contains information about all - the cases that the user has access to read. - example: cases - in: query - name: owner - schema: - oneOf: - - $ref: '#/components/schemas/Cases_owners' - - items: - $ref: '#/components/schemas/Cases_owners' - type: array - Cases_page_index: - description: The page number to return. - in: query - name: page - required: false - schema: - default: 1 - type: integer - Cases_page_size: - description: The number of items to return. Limited to 100 items. - in: query - name: perPage - required: false - schema: - default: 20 - maximum: 100 - type: integer - Cases_reporters: - description: Filters the returned cases by the user name of the reporter. - example: elastic - in: query - name: reporters - schema: - oneOf: - - type: string - - items: - type: string - maxItems: 100 - type: array - Cases_search: - description: >- - An Elasticsearch simple_query_string query that filters the objects in - the response. - in: query - name: search - schema: - type: string - Cases_searchFields: - description: The fields to perform the simple_query_string parsed query against. - in: query - name: searchFields - schema: - oneOf: - - $ref: '#/components/schemas/Cases_searchFieldsType' - - items: - $ref: '#/components/schemas/Cases_searchFieldsType' - type: array - Cases_severity: - description: The severity of the case. - in: query - name: severity - schema: - enum: - - critical - - high - - low - - medium - type: string - Cases_sort_order: - description: Determines the sort order. - in: query - name: sortOrder - required: false - schema: - default: desc - enum: - - asc - - desc - type: string - Cases_sortField: - description: Determines which field is used to sort the results. - example: updatedAt - in: query - name: sortField - schema: - default: createdAt - enum: - - createdAt - - updatedAt - - closedAt - - title - - category - - status - - severity - type: string - Cases_status: - description: Filters the returned cases by state. - example: open - in: query - name: status - schema: - enum: - - closed - - in-progress - - open - type: string - Cases_tags: - description: Filters the returned cases by tags. - example: tag-1 - in: query - name: tags - schema: - oneOf: - - type: string - - items: + force: + description: Force agent policy creation even if packages are not verified. + type: boolean + global_data_tags: + items: + additionalProperties: + oneOf: + - type: string + - type: number + description: >- + User defined data tags that are added to all of the inputs. The + values can be strings or numbers. + type: object + type: array + id: + type: string + inactivity_timeout: + type: integer + is_protected: + type: boolean + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_output_id: + nullable: true + type: string + name: + type: string + namespace: + type: string + unenroll_timeout: + type: integer + required: + - name + - namespace + Fleet_agent_policy_full: + oneOf: + - type: object + properties: + item: type: string - maxItems: 100 - type: array - Cases_to: - description: > - Returns only cases that were created before a specific date. The date - must be specified as a KQL data range or date match expression. - example: now+1d - in: query - name: to - schema: - type: string - Cases_user_action_types: - description: Determines the types of user actions to return. - example: create_case - in: query - name: types - schema: + - type: object + properties: + item: + $ref: '#/components/schemas/Fleet_full_agent_policy' + title: Agent policy full response + type: object + Fleet_agent_policy_update_request: + title: Update agent policy request + type: object + properties: + agent_features: + items: + type: object + properties: + enabled: + type: boolean + name: + type: string + required: + - name + - enabled + type: array + data_output_id: + nullable: true + type: string + description: + type: string + download_source_id: + nullable: true + type: string + fleet_server_host_id: + nullable: true + type: string + force: + description: Force agent policy creation even if packages are not verified. + type: boolean + global_data_tags: + items: + additionalProperties: + oneOf: + - type: string + - type: number + description: >- + User defined data tags that are added to all of the inputs. The + values can be strings or numbers. + type: object + type: array + inactivity_timeout: + type: integer + is_protected: + type: boolean + monitoring_enabled: + items: + enum: + - metrics + - logs + type: string + type: array + monitoring_output_id: + nullable: true + type: string + name: + type: string + namespace: + type: string + unenroll_timeout: + type: integer + required: + - name + - namespace + Fleet_agent_status: + enum: + - offline + - error + - online + - inactive + - warning + title: Elastic Agent status + type: string + Fleet_agent_type: + enum: + - PERMANENT + - EPHEMERAL + - TEMPORARY + title: Agent type + type: string + Fleet_bulk_install_packages_response: + title: Bulk install packages response + type: object + properties: items: - enum: - - action - - alert - - assignees - - attachment - - comment - - connector - - create_case - - description - - pushed - - settings - - severity - - status - - tags - - title - - user + items: + type: object + properties: + name: + type: string + version: + type: string + type: array + response: + deprecated: true + items: + type: object + properties: + name: + type: string + version: + type: string + type: array + required: + - items + Fleet_bulk_upgrade_agents: + title: Bulk upgrade agents + type: object + properties: + agents: + oneOf: + - description: KQL query string, leave empty to action all agents + type: string + - description: list of agent IDs + items: + type: string + type: array + force: + description: Force upgrade, skipping validation (should be used with caution) + type: boolean + rollout_duration_seconds: + description: rolling upgrade window duration in seconds + type: number + skipRateLimitCheck: + description: Skip rate limit check for upgrade + type: boolean + source_uri: + description: alternative upgrade binary download url + type: string + start_time: + description: start time of upgrade in ISO 8601 format + type: string + version: + description: version to upgrade to + type: string + required: + - agents + - version + Fleet_data_stream: + title: Data stream + type: object + properties: + dashboard: + items: + type: object + properties: + id: + type: string + title: + type: string + type: array + dataset: + type: string + index: + type: string + last_activity_ms: + type: number + namespace: + type: string + package: + type: string + package_version: + type: string + size_in_bytes: + type: number + size_in_bytes_formatted: + type: string + type: + type: string + Fleet_download_sources: + title: Download Source + type: object + properties: + host: + type: string + id: + type: string + is_default: + type: boolean + name: + type: string + proxy_id: + description: >- + The ID of the proxy to use for this download source. See the proxies + API for more information. + nullable: true + type: string + required: + - is_default + - name + - host + Fleet_elasticsearch_asset_type: + enum: + - component_template + - ingest_pipeline + - index_template + - ilm_policy + - transform + - data_stream_ilm_policy + title: Elasticsearch asset type + type: string + Fleet_enrollment_api_key: + title: Enrollment API key + type: object + properties: + active: + description: >- + When false, the enrollment API key is revoked and cannot be used for + enrolling Elastic Agents. + type: boolean + api_key: + description: The enrollment API key (token) used for enrolling Elastic Agents. + type: string + api_key_id: + description: The ID of the API key in the Security API. + type: string + created_at: + type: string + id: + type: string + name: + description: The name of the enrollment API key. + type: string + policy_id: + description: The ID of the agent policy the Elastic Agent will be enrolled in. + type: string + required: + - id + - api_key_id + - api_key + - active + - created_at + Fleet_fleet_server_host: + title: Fleet Server Host + type: object + properties: + host_urls: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_internal: + type: boolean + is_preconfigured: + type: boolean + name: + type: string + proxy_id: + type: string + required: + - fleet_server_hosts + - id + - is_default + - is_preconfigured + - host_urls + Fleet_fleet_settings_response: + title: Fleet settings response + type: object + properties: + item: + $ref: '#/components/schemas/Fleet_settings' + required: + - item + Fleet_fleet_setup_response: + title: Fleet Setup response + type: object + properties: + isInitialized: + type: boolean + nonFatalErrors: + items: + type: object + properties: + message: + type: string + name: + type: string + required: + - name + - message + type: array + required: + - isInitialized + - nonFatalErrors + Fleet_fleet_status_response: + title: Fleet status response + type: object + properties: + isReady: + type: boolean + missing_optional_features: + items: + enum: + - encrypted_saved_object_encryption_key_required + type: string + type: array + missing_requirements: + items: + enum: + - tls_required + - api_keys + - fleet_admin_user + - fleet_server + type: string + type: array + package_verification_key_id: type: string - type: array - Data_views_field_name: - description: The name of the runtime field. - in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. - in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Fleet_format: - description: Simplified or legacy format for package inputs - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - Fleet_kbn_xsrf: - description: Kibana's anti Cross-Site Request Forgery token. Can be any string value. - in: header - name: kbn-xsrf - required: true - schema: - type: string - Fleet_kuery: - in: query - name: kuery - required: false - schema: - type: string - Fleet_page_index: - in: query - name: page - required: false - schema: - default: 1 - type: integer - Fleet_page_size: - description: The number of items to return - in: query - name: perPage - required: false - schema: - default: 20 - type: integer - Fleet_show_inactive: - in: query - name: showInactive - required: false - schema: - type: boolean - Fleet_show_upgradeable: - in: query - name: showUpgradeable - required: false - schema: - type: boolean - Fleet_sort_field: - in: query - name: sortField - required: false - schema: - deprecated: true - type: string - Fleet_sort_order: - in: query - name: sortOrder - required: false - schema: - enum: - - asc - - desc - type: string - Fleet_with_metrics: - description: Return agent metrics, false by default - in: query - name: withMetrics - required: false - schema: - type: boolean - Machine_learning_APIs_simulateParam: - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - Saved_objects_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Saved_objects_saved_object_id: - description: An identifier for the saved object. - in: path - name: id - required: true - schema: - type: string - Saved_objects_saved_object_type: - description: >- - Valid options include `visualization`, `dashboard`, `search`, - `index-pattern`, `config`. - in: path - name: type - required: true - schema: - type: string - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - in: path - name: spaceId - required: true - schema: - example: default - type: string - responses: - Fleet_error: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: + required: + - isReady + - missing_requirements + - missing_optional_features + Fleet_full_agent_policy: + title: Full agent policy + type: object + properties: + agent: + nullable: true + type: string + fleet: + oneOf: + - type: object + properties: + hosts: + items: + type: string + type: array + proxy_headers: {} + proxy_url: + type: string + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + renegotiation: + type: string + verification_mode: + type: string + - type: object + properties: + kibana: + type: object + properties: + hosts: + items: + type: string + type: array + path: + type: string + protocol: + type: string + id: + type: string + inputs: + type: string + monitoring: + type: object + properties: + diagnostics: + type: object + properties: + limit: + type: object + properties: + burst: + type: number + interval: + type: string + uploader: + type: object + properties: + init_dur: + type: string + max_dur: + type: string + max_retries: + type: number + enabled: + type: boolean + http: + type: object + properties: + enabled: + type: boolean + host: + type: string + port: + type: number + required: + - enabled + logs: + type: boolean + metrics: + type: boolean + namespace: + type: string + pprof: + type: object + properties: + enabled: + type: boolean + required: + - enabled + traces: + type: boolean + use_output: + type: string + required: + - enabled + - metrics + - logs + - traces + output_permissions: + additionalProperties: type: object properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - schemas: - Alerting_401_response: - properties: - error: - enum: - - Unauthorized - example: Unauthorized - type: string - message: - type: string - statusCode: - enum: - - 401 - example: 401 - type: integer - title: Unsuccessful rule API response - type: object - Alerting_alert_response_properties: - title: Legacy alert response properties - type: object - properties: - actions: + data: + $ref: >- + #/components/schemas/Fleet_full_agent_policy_output_permissions + output: + type: integer + type: object + outputs: + additionalProperties: + $ref: '#/components/schemas/Fleet_full_agent_policy_output' + type: object + revision: + type: number + secret_references: items: type: object + properties: + id: + type: string type: array - alertTypeId: - example: .index-threshold - type: string - apiKeyOwner: - example: elastic - nullable: true - type: string - createdAt: - description: The date and time that the alert was created. - example: '2022-12-05T23:36:58.284Z' - format: date-time - type: string - createdBy: - description: The identifier for the user that created the alert. - example: elastic - type: string - enabled: - description: Indicates whether the alert is currently enabled. - example: true - type: boolean - executionStatus: + required: + - id + - outputs + - inputs + Fleet_full_agent_policy_input: + allOf: + - additionalProperties: true type: object properties: - lastExecutionDate: - example: '2022-12-06T00:13:43.890Z' - format: date-time + data_stream: + type: object + properties: + namespace: + type: string + required: + - namespace + id: type: string - status: - example: ok + meta: + additionalProperties: true + type: object + properties: + package: + type: object + properties: + name: + type: string + version: + type: string + required: + - name + - version + name: type: string - id: - description: The identifier for the alert. - example: b530fed0-74f5-11ed-9801-35303b735aef + revision: + type: number + streams: + $ref: '#/components/schemas/Fleet_full_agent_policy_input_stream' + type: + type: string + use_output: + type: string + required: + - id + - name + - revision + - type + - data_stream + - use_output + title: Full agent policy input + Fleet_full_agent_policy_input_stream: + allOf: + - additionalProperties: true + type: object + properties: + data_stream: + type: object + properties: + dataset: + type: string + type: + type: string + required: + - dataset + - type + id: + type: string + required: + - id + - data_stream + title: Full agent policy input stream + Fleet_full_agent_policy_output: + title: Full agent policy + type: object + properties: + additionalProperties: + type: object + properties: + text: {} + ca_sha256: + nullable: true type: string - muteAll: - example: false - type: boolean - mutedInstanceIds: + hosts: items: type: string - nullable: true type: array - name: - description: The name of the alert. - example: my alert - type: string - notifyWhen: - example: onActionGroupChange - type: string - params: - additionalProperties: true - type: object - schedule: - type: object - properties: - interval: - type: string - scheduledTaskId: - example: b530fed0-74f5-11ed-9801-35303b735aef + proxy_headers: {} + proxy_url: type: string - tags: + type: {} + required: + - type + - hosts + - ca_sha256 + Fleet_full_agent_policy_output_permissions: + additionalProperties: + type: object + properties: + data: + type: object + properties: + cluster: + items: + type: string + type: array + indices: + items: + type: object + properties: + names: + items: + type: string + type: array + privileges: + items: + type: string + type: array + type: array + packagePolicyName: + type: string + title: Full agent policy output permissions + Fleet_get_agent_tags_response: + title: Get Agent Tags response + type: object + properties: + items: + items: + type: string + type: array + Fleet_get_agents_response: + title: Get Agent response + type: object + properties: + items: items: - type: string + $ref: '#/components/schemas/Fleet_agent' type: array - throttle: - nullable: true - type: string - updatedAt: - example: '2022-12-05T23:36:58.284Z' - type: string - updatedBy: - description: The identifier for the user that updated this alert most recently. - example: elastic - nullable: true - type: string - Alerting_fieldmap_properties: - title: Field map objects in the get rule types response - type: object + list: + deprecated: true + items: + $ref: '#/components/schemas/Fleet_agent' + type: array + page: + type: number + perPage: + type: number + statusSummary: + type: object + properties: + degraded': + type: number + enrolling: + type: number + error: + type: number + inactive: + type: number + offline: + type: number + online: + type: number + unenrolled: + type: number + unenrolling: + type: number + updating: + type: number + total: + type: number + required: + - items + - total + - page + - perPage + Fleet_get_bulk_assets_response: + deprecated: true properties: - array: - description: Indicates whether the field is an array. - type: boolean - dynamic: - description: Indicates whether it is a dynamic field mapping. - type: boolean - format: - description: > - Indicates the format of the field. For example, if the `type` is - `date_range`, the `format` can be - `epoch_millis||strict_date_optional_time`. - type: string - ignore_above: - description: >- - Specifies the maximum length of a string field. Longer strings are - not indexed or stored. - type: integer - index: - description: Indicates whether field values are indexed. - type: boolean - path: - description: TBD - type: string - properties: - additionalProperties: + items: + items: type: object properties: + appLink: + type: string + attributes: + type: object + properties: + description: + type: string + title: + type: string + id: + type: string type: - description: The data type for each object property. + $ref: '#/components/schemas/Fleet_saved_object_type' + updatedAt: type: string - description: > - Details about the object properties. This property is applicable - when `type` is `object`. - type: object - required: - description: Indicates whether the field is required. - type: boolean - scaling_factor: - description: > - The scaling factor to use when encoding values. This property is - applicable when `type` is `scaled_float`. Values will be multiplied - by this factor at index time and rounded to the closest long value. - type: integer - type: - description: Specifies the data type for the field. - example: scaled_float - type: string - Cases_4xx_response: - properties: - error: - example: Unauthorized - type: string - message: - type: string - statusCode: - example: 401 - type: integer - title: Unsuccessful cases API response + type: array + required: + - items + title: Bulk get assets response type: object - Cases_action_types: - description: The type of action. - enum: - - assignees - - create_case - - comment - - connector - - delete_case - - description - - pushed - - tags - - title - - status - - settings - - severity - example: create_case - type: string - Cases_actions: - enum: - - add - - create - - delete - - push_to_service - - update - example: create - type: string - Cases_add_alert_comment_request_properties: - description: Defines properties for case comment requests when type is alert. + Fleet_get_categories_response: + title: Get categories response type: object properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owners' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. - enum: - - alert - example: alert - type: string - required: - - alertId - - index - - owner - - rule - - type - title: Add case comment request properties for alerts - Cases_add_case_comment_request: - description: >- - The add comment to case API request body varies depending on whether you - are adding an alert or a comment. - discriminator: - mapping: - alert: '#/components/schemas/Cases_add_alert_comment_request_properties' - user: '#/components/schemas/Cases_add_user_comment_request_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' - title: Add case comment request - Cases_add_user_comment_request_properties: - description: Defines properties for case comment requests when type is user. - properties: - comment: - description: The new comment. It is required only when `type` is `user`. - example: A new comment. - maxLength: 30000 - type: string - owner: - $ref: '#/components/schemas/Cases_owners' - type: - description: The type of comment. - enum: - - user - example: user - type: string + items: + items: + type: object + properties: + count: + type: number + id: + type: string + title: + type: string + required: + - id + - title + - count + type: array + response: + items: + deprecated: true + type: object + properties: + count: + type: number + id: + type: string + title: + type: string + required: + - id + - title + - count + type: array required: - - comment - - owner - - type - title: Add case comment request properties for user comments - type: object - Cases_alert_comment_response_properties: - title: Add case comment response properties for alerts + - items + Fleet_get_packages_response: + title: Get Packages response type: object properties: - alertId: + items: + items: + $ref: '#/components/schemas/Fleet_search_result' + type: array + response: + deprecated: true items: - example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 - type: string + $ref: '#/components/schemas/Fleet_search_result' type: array + required: + - items + Fleet_installation_info: + title: Installation info object + type: object + properties: created_at: - example: '2023-11-06T19:29:38.424Z' - format: date-time type: string - created_by: - type: object + experimental_data_stream_features: + type: array properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true + data_stream: type: string - required: - - email - - full_name - - username - id: - example: 73362370-ab1a-11ec-985f-97e55adae8b9 + features: + type: object + properties: + doc_value_only_numeric: + nullable: true + type: boolean + doc_value_only_other: + nullable: true + type: boolean + synthetic_source: + nullable: true + type: boolean + tsdb: + nullable: true + type: boolean + install_format_schema_version: type: string - index: - items: - example: .internal.alerts-security.alerts-default-000001 - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owners' - pushed_at: - example: null - format: date-time - nullable: true + install_kibana_space_id: type: string - pushed_by: - nullable: true + install_source: + enum: + - registry + - upload + - bundled + type: string + install_status: + enum: + - installed + - installing + - install_failed + type: string + installed_es: type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true + deferred: + type: boolean + id: type: string - required: - - email - - full_name - - username - rule: + type: + $ref: '#/components/schemas/Fleet_elasticsearch_asset_type' + installed_kibana: type: object properties: id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - type: string - name: - description: The rule name. - example: security_rule type: string - type: - enum: - - alert - example: alert - type: string - updated_at: - format: date-time - nullable: true - type: string - updated_by: - nullable: true + type: + $ref: '#/components/schemas/Fleet_kibana_saved_object_type' + latest_executed_state: + description: Latest successfully executed state in package install state machine type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true + error: type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + name: + enum: + - create_restart_installation + - install_kibana_assets + - install_ilm_policies + - install_ml_model + - install_index_template_pipelines + - remove_legacy_templates + - update_current_write_indices + - install_transforms + - delete_previous_pipelines + - save_archive_entries_from_assets_map + - update_so type: string - username: - example: elastic - nullable: true + started_at: type: string - required: - - email - - full_name - - username - version: - example: WzMwNDgsMV0= - type: string - required: - - type - Cases_alert_identifiers: - description: > - The alert identifiers. It is required only when `type` is `alert`. You - can use an array of strings to add multiple alerts to a case, provided - that they all relate to the same rule; `index` must also be an array - with the same length or number of elements. Adding multiple alerts in - this manner is recommended rather than calling the API multiple times. - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 - oneOf: - - type: string - - items: - type: string - maxItems: 1000 - type: array - title: Alert identifiers - x-technical-preview: true - Cases_alert_indices: - description: > - The alert indices. It is required only when `type` is `alert`. If you - are adding multiple alerts to a case, use an array of strings; the - position of each index name in the array must match the position of the - corresponding alert identifier in the `alertId` array. This - functionality is in technical preview and may be changed or removed in a - future release. Elastic will work to fix any issues, but features in - technical preview are not subject to the support SLA of official GA - features. - oneOf: - - type: string - - items: - type: string - maxItems: 1000 - type: array - title: Alert indices - x-technical-preview: true - Cases_alert_response_properties: - type: object - properties: - attached_at: - format: date-time - type: string - id: - description: The alert identifier. - type: string - index: - description: The alert index. - type: string - Cases_assignees: - description: An array containing users that are assigned to the case. - items: - type: object - properties: - uid: - description: >- - A unique identifier for the user profile. These identifiers can be - found by using the suggest user profile API. - example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 - type: string - required: - - uid - maxItems: 10 - nullable: true - type: array - Cases_case_category: - description: A word or phrase that categorizes the case. - maxLength: 50 - type: string - Cases_case_description: - description: The description for the case. - maxLength: 30000 - type: string - Cases_case_response_closed_by_properties: - nullable: true - properties: - email: - example: null - nullable: true + latest_install_failed_attempts: + description: Latest failed install errors + items: + type: object + properties: + created_at: + type: string + error: + type: object + properties: + message: + type: string + name: + type: string + stack: + type: string + target_version: + type: string + type: array + name: type: string - full_name: - example: null - nullable: true + namespaces: + items: + type: string + type: array + type: type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + updated_at: type: string - username: - example: elastic + verification_key_id: nullable: true type: string + verification_status: + enum: + - verified + - unverified + - unknown + type: string + version: + type: string required: - - email - - full_name - - username - title: Case response properties for closed_by - type: object - Cases_case_response_created_by_properties: - title: Case response properties for created_by - type: object + - installed_kibana + - installed_es + - name + - version + - install_status + - install_version + - install_started_at + - install_source + - verification_status + - latest_install_failed_attempts + Fleet_kibana_saved_object_type: + enum: + - dashboard + - visualization + - search + - index-pattern + - map + - lens + - ml-module + - security-rule + - csp_rule_template + title: Kibana saved object asset type + type: string + Fleet_new_package_policy: + description: '' properties: - email: - example: null - nullable: true + description: type: string - full_name: - example: null - nullable: true + enabled: + type: boolean + inputs: + items: + type: object + properties: + config: + type: object + enabled: + type: boolean + processors: + items: + type: string + type: array + streams: + items: {} + type: array + type: + type: string + vars: + type: object + required: + - type + - enabled + type: array + name: type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + namespace: type: string - username: - example: elastic + output_id: + type: string + overrides: + type: object + package: + type: object + properties: + name: + type: string + requires_root: + type: boolean + title: + type: string + version: + type: string + required: + - name + - version + policy_id: + deprecated: true nullable: true type: string + policy_ids: + items: + type: string + type: array required: - - email - - full_name - - username - Cases_case_response_properties: - title: Case response properties + - inputs + - name + title: New package policy + type: object + Fleet_output_create_request: + discriminator: + mapping: + elasticsearch: '#/components/schemas/Fleet_output_create_request_elasticsearch' + kafka: '#/components/schemas/Fleet_output_create_request_kafka' + logstash: '#/components/schemas/Fleet_output_create_request_logstash' + remote_elasticsearch: >- + #/components/schemas/Fleet_output_create_request_remote_elasticsearch + propertyName: type + oneOf: + - $ref: '#/components/schemas/Fleet_output_create_request_elasticsearch' + - $ref: '#/components/schemas/Fleet_output_create_request_kafka' + - $ref: '#/components/schemas/Fleet_output_create_request_logstash' + - $ref: >- + #/components/schemas/Fleet_output_create_request_remote_elasticsearch + title: Output + Fleet_output_create_request_elasticsearch: + title: elasticsearch type: object properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - description: The case category. - nullable: true + ca_sha256: type: string - closed_at: - format: date-time - nullable: true + ca_trusted_fingerprint: type: string - closed_by: - $ref: '#/components/schemas/Cases_case_response_closed_by_properties' - comments: - description: An array of comment objects for the case. + config: + type: object + config_yaml: + type: string + hosts: items: - discriminator: - mapping: - alert: '#/components/schemas/Cases_alert_comment_response_properties' - user: '#/components/schemas/Cases_user_comment_response_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - - $ref: '#/components/schemas/Cases_user_comment_response_properties' - maxItems: 10000 - title: Case response properties for comments + type: string type: array - connector: - discriminator: - mapping: - .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' - .jira: '#/components/schemas/Cases_connector_properties_jira' - .none: '#/components/schemas/Cases_connector_properties_none' - .resilient: '#/components/schemas/Cases_connector_properties_resilient' - .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' - .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' - .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - title: Case response properties for connectors - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - elasticsearch + type: string + required: + - name + Fleet_output_create_request_kafka: + title: kafka + type: object + properties: + auth_type: type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - customFields: - description: Custom field values for the case. + broker_timeout: + type: number + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + client_id: + type: string + compression: + type: string + compression_level: + type: number + config: + type: object + config_yaml: + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + headers: items: type: object properties: key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - enum: - - text - - toggle type: string value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean + type: string type: array - description: - example: A case description. - type: string - duration: - description: > - The elapsed time from the creation of the case to its closure (in - seconds). If the case has not been closed, the duration is set to - null. If the case was closed after less than half a second, the - duration is rounded down to zero. - example: 120 - nullable: true - type: integer - external_service: - $ref: '#/components/schemas/Cases_external_service' - id: - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 - type: string - owner: - $ref: '#/components/schemas/Cases_owners' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - example: - - tag-1 + hosts: items: type: string type: array - title: - example: Case title 1 - type: string - totalAlerts: - example: 0 - type: integer - totalComment: - example: 0 - type: integer - updated_at: - format: date-time - nullable: true - type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzUzMiwxXQ== + id: type: string - required: - - closed_at - - closed_by - - comments - - connector - - created_at - - created_by - - description - - duration - - external_service - - id - - owner - - settings - - severity - - status - - tags - - title - - totalAlerts - - totalComment - - updated_at - - updated_by - - version - Cases_case_response_pushed_by_properties: - nullable: true - properties: - email: - example: null - nullable: true + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + key: type: string - full_name: - example: null - nullable: true + name: type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + partition: type: string - username: - example: elastic - nullable: true + password: type: string - required: - - email - - full_name - - username - title: Case response properties for pushed_by - type: object - Cases_case_response_updated_by_properties: - nullable: true - properties: - email: - example: null - nullable: true + proxy_id: type: string - full_name: - example: null - nullable: true + random: + type: object + properties: + group_events: + type: number + required_acks: + type: number + round_robin: + type: object + properties: + group_events: + type: number + sasl: + type: object + properties: + mechanism: + type: string + secrets: + type: object + properties: + password: + type: string + ssl: + type: object + properties: + key: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: + type: string + verification_mode: + enum: + - none + - full + - certificate + - strict + type: string + timeout: + type: number + topic: type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 + topics: + deprecated: true + description: Use topic instead. + items: + type: object + properties: + topic: + type: string + when: + deprecated: true + description: >- + Deprecated, kafka output do not support conditionnal topics + anymore. + type: object + properties: + condition: + type: string + type: + type: string + type: array + type: + enum: + - kafka type: string username: - example: elastic - nullable: true + type: string + version: type: string required: - - email - - full_name - - username - title: Case response properties for updated_by - type: object - Cases_case_severity: - default: low - description: The severity of the case. - enum: - - critical - - high - - low - - medium - type: string - Cases_case_status: - description: The status of the case. - enum: - - closed - - in-progress - - open - type: string - Cases_case_tags: - description: > - The words and phrases that help categorize cases. It can be an empty - array. - items: - maxLength: 256 - type: string - maxItems: 200 - type: array - Cases_case_title: - description: A title for the case. - maxLength: 160 - type: string - Cases_closure_types: - description: >- - Indicates whether a case is automatically closed when it is pushed to - external systems (`close-by-pushing`) or not automatically closed - (`close-by-user`). - enum: - - close-by-pushing - - close-by-user - example: close-by-user - type: string - Cases_connector_properties_cases_webhook: - description: Defines properties for connectors when type is `.cases-webhook`. + - name + - type + - topics + - auth_type + - hosts + Fleet_output_create_request_logstash: + title: logstash type: object properties: - fields: - example: null - nullable: true + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: type: string + hosts: + items: + type: string + type: array id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean name: - description: The name of the connector. type: string - type: - description: The type of connector. - enum: - - .cases-webhook - example: .cases-webhook + proxy_id: type: string - required: - - fields - - id - - name - - type - title: Create or upate case request properties for Cases Webhook connector - Cases_connector_properties_jira: - description: Defines properties for connectors when type is `.jira`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. + secrets: type: object properties: - issueType: - description: The type of issue. - nullable: true + ssl: + type: object + properties: + key: + type: string + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: type: string - parent: - description: The key of the parent issue, when the issue type is sub-task. - nullable: true + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: type: string - priority: - description: The priority of the issue. - nullable: true + certificate_authorities: + items: + type: string + type: array + key: type: string - required: - - issueType - - parent - - priority - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. - type: string - name: - description: The name of the connector. - type: string type: - description: The type of connector. enum: - - .jira - example: .jira + - logstash type: string required: - - fields - - id - name + - hosts - type - title: Create or update case request properties for a Jira connector - Cases_connector_properties_none: - description: Defines properties for connectors when type is `.none`. + Fleet_output_create_request_remote_elasticsearch: + title: remote_elasticsearch type: object properties: - fields: - description: >- - An object containing the connector fields. To create a case without - a connector, specify null. To update a case to remove the connector, - specify null. - example: null - nullable: true - type: string + hosts: + items: + type: string + type: array id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. To update a case to remove the connector, - specify `none`. - example: none type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean name: - description: >- - The name of the connector. To create a case without a connector, use - `none`. To update a case to remove the connector, specify `none`. - example: none + type: string + secrets: + type: object + properties: + service_token: + type: string + service_token: type: string type: - description: >- - The type of connector. To create a case without a connector, use - `.none`. To update a case to remove the connector, specify `.none`. enum: - - .none - example: .none + - remote_elasticsearch type: string required: - - fields - - id - name - - type - title: Create or update case request properties for no connector - Cases_connector_properties_resilient: - description: Defines properties for connectors when type is `.resilient`. + Fleet_output_update_request: + discriminator: + mapping: + elasticsearch: '#/components/schemas/Fleet_output_update_request_elasticsearch' + kafka: '#/components/schemas/Fleet_output_update_request_kafka' + logstash: '#/components/schemas/Fleet_output_update_request_logstash' + propertyName: type + oneOf: + - $ref: '#/components/schemas/Fleet_output_update_request_elasticsearch' + - $ref: '#/components/schemas/Fleet_output_update_request_kafka' + - $ref: '#/components/schemas/Fleet_output_update_request_logstash' + title: Output + Fleet_output_update_request_elasticsearch: + title: elasticsearch type: object properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - nullable: true + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + config: + type: object + config_yaml: + type: string + hosts: + items: + type: string + type: array + id: + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: + type: string + preset: + enum: + - balanced + - custom + - throughput + - scale + - latency + type: string + proxy_id: + type: string + shipper: type: object properties: - issueTypes: - description: The type of incident. + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: + type: string + loadbalance: + type: boolean + ssl: + type: object + properties: + certificate: + type: string + certificate_authorities: items: type: string type: array - severityCode: - description: The severity code of the incident. + key: type: string - required: - - issueTypes - - severityCode - id: - description: The identifier for the connector. - type: string - name: - description: The name of the connector. - type: string type: - description: The type of connector. enum: - - .resilient - example: .resilient + - elasticsearch type: string required: - - fields - - id - name + - hosts - type - title: Create case request properties for a IBM Resilient connector - Cases_connector_properties_servicenow: - description: Defines properties for connectors when type is `.servicenow`. + Fleet_output_update_request_kafka: + title: kafka type: object properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. + auth_type: + type: string + broker_timeout: + type: number + ca_sha256: + type: string + ca_trusted_fingerprint: + type: string + client_id: + type: string + compression: + type: string + compression_level: + type: number + config: type: object - properties: - category: - description: The category of the incident. - nullable: true - type: string - impact: - description: The effect an incident had on business. - nullable: true - type: string - severity: - description: The severity of the incident. - nullable: true - type: string - subcategory: - description: The subcategory of the incident. - nullable: true - type: string - urgency: - description: The extent to which the incident resolution can be delayed. - nullable: true - type: string - required: - - category - - impact - - severity - - subcategory - - urgency + config_yaml: + type: string + connection_type: + enum: + - plaintext + - encryption + type: string + headers: + items: + type: object + properties: + key: + type: string + value: + type: string + type: array + hosts: + items: + type: string + type: array id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. + type: string + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + key: type: string name: - description: The name of the connector. type: string - type: - description: The type of connector. - enum: - - .servicenow - example: .servicenow + partition: type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a ServiceNow ITSM connector - Cases_connector_properties_servicenow_sir: - description: Defines properties for connectors when type is `.servicenow-sir`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. + password: + type: string + proxy_id: + type: string + random: type: object properties: - category: - description: The category of the incident. - nullable: true + group_events: + type: number + required_acks: + type: number + round_robin: + type: object + properties: + group_events: + type: number + sasl: + type: object + properties: + mechanism: type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs. - nullable: true + shipper: + type: object + properties: + compression_level: + type: number + disk_queue_compression_enabled: type: boolean - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes. - nullable: true + disk_queue_enabled: type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs. - nullable: true + disk_queue_encryption_enabled: type: boolean - priority: - description: The priority of the issue. - nullable: true + disk_queue_max_size: + type: number + disk_queue_path: type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs. - nullable: true + loadbalance: type: boolean - subcategory: - description: The subcategory of the incident. - nullable: true - type: string - required: - - category - - destIp - - malwareHash - - malwareUrl - - priority - - sourceIp - - subcategory - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - enum: - - .servicenow-sir - example: .servicenow-sir - type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a ServiceNow SecOps connector - Cases_connector_properties_swimlane: - description: Defines properties for connectors when type is `.swimlane`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. + ssl: type: object properties: - caseId: - description: The case identifier for Swimlane connectors. - nullable: true + certificate: + type: string + certificate_authorities: + items: + type: string + type: array + key: type: string - required: - - caseId - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - enum: - - .swimlane - example: .swimlane + verification_mode: + enum: + - none + - full + - certificate + - strict + type: string + timeout: + type: number + topic: type: string - required: - - fields - - id - - name - - type - title: Create case request properties for a Swimlane connector - Cases_connector_types: - description: The type of connector. - enum: - - .cases-webhook - - .jira - - .none - - .resilient - - .servicenow - - .servicenow-sir - - .swimlane - example: .none - type: string - Cases_create_case_request: - description: >- - The create case API request body varies depending on the type of - connector. - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - description: > - Custom field values for a case. Any optional custom fields that are - not specified in the request are set to null. + topics: + deprecated: true + description: Use topic instead. items: type: object properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - enum: - - text - - toggle + topic: type: string - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true + when: + deprecated: true + description: >- + Deprecated, kafka output do not support conditionnal topics + anymore. + type: object + properties: + condition: + type: string + type: type: string - - type: boolean - required: - - key - - type - - value - maxItems: 10 - minItems: 0 type: array - description: - $ref: '#/components/schemas/Cases_case_description' - owner: - $ref: '#/components/schemas/Cases_owners' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' + type: + enum: + - kafka + type: string + username: + type: string + version: + type: string required: - - connector - - description - - owner - - settings - - tags - - title - title: Create case request - type: object - Cases_external_service: - nullable: true + - name + Fleet_output_update_request_logstash: + title: logstash type: object properties: - connector_id: + ca_sha256: type: string - connector_name: + ca_trusted_fingerprint: type: string - external_id: + config: + type: object + config_yaml: type: string - external_title: + hosts: + items: + type: string + type: array + id: type: string - external_url: + is_default: + type: boolean + is_default_monitoring: + type: boolean + is_internal: + type: boolean + name: type: string - pushed_at: - format: date-time + proxy_id: type: string - pushed_by: - nullable: true + shipper: type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true + compression_level: + type: number + disk_queue_compression_enabled: + type: boolean + disk_queue_enabled: + type: boolean + disk_queue_encryption_enabled: + type: boolean + disk_queue_max_size: + type: number + disk_queue_path: type: string - Cases_owners: - description: > - The application that owns the cases: Stack Management, Observability, or - Elastic Security. - enum: - - cases - - observability - - securitySolution - example: cases - type: string - Cases_payload_alert_comment: - type: object - properties: - comment: + loadbalance: + type: boolean + ssl: type: object properties: - alertId: - oneOf: - - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d - type: string - - items: - type: string - type: array - index: - oneOf: - - example: .alerts-observability.logs.alerts-default - type: string - - items: - type: string - type: array - owner: - $ref: '#/components/schemas/Cases_owners' - rule: - type: object - properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - type: string - name: - description: The rule name. - example: security_rule - type: string - type: - enum: - - alert + certificate: type: string - Cases_payload_assignees: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - Cases_payload_connector: + certificate_authorities: + items: + type: string + type: array + key: + type: string + type: + enum: + - logstash + type: string + required: + - name + Fleet_package_info: + title: Package information type: object properties: - connector: + assets: + items: + type: string + type: array + categories: + items: + type: string + type: array + conditions: type: object properties: - fields: - description: >- - An object containing the connector fields. To create a case - without a connector, specify null. If you want to omit any - individual field, specify null as its value. - example: null - nullable: true + elasticsearch: type: object properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - impact: - description: >- - The effect an incident had on business for ServiceNow ITSM - connectors. + subscription: + enum: + - basic + - gold + - platinum + - enterprise type: string - issueType: - description: The type of issue for Jira connectors. + kibana: + type: object + properties: + versions: type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. + data_streams: + items: + type: object + properties: + ingeset_pipeline: + type: string + name: + type: string + package: + type: string + release: + type: string + title: + type: string + type: + type: string + vars: + items: + type: object + properties: + default: + type: string + name: + type: string + required: + - name + - default + type: array + required: + - title + - name + - release + - ingeset_pipeline + - type + - package + type: array + description: + type: string + download: + type: string + elasticsearch: + type: object + properties: + privileges: + type: object + properties: + cluster: items: type: string type: array - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes for ServiceNow SecOps connectors. - nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs for ServiceNow SecOps connectors. - nullable: true - type: boolean - parent: - description: >- - The key of the parent issue, when the issue type is sub-task - for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow SecOps - connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: >- - The severity code of the incident for IBM Resilient - connectors. - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - subcategory: - description: >- - The subcategory of the incident for ServiceNow ITSM - connectors. - type: string - urgency: - description: >- - The extent to which the incident resolution can be delayed - for ServiceNow ITSM connectors. - type: string - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. - example: none + format_version: + type: string + icons: + items: + type: string + type: array + internal: + type: boolean + name: + type: string + path: + type: string + readme: + type: string + release: + deprecated: true + description: >- + release label is deprecated, derive from the version instead + (packages follow semver) + enum: + - experimental + - beta + - ga + type: string + screenshots: + items: + type: object + properties: + path: + type: string + size: + type: string + src: + type: string + title: + type: string + type: + type: string + required: + - src + - path + type: array + source: + type: object + properties: + license: + enum: + - Apache-2.0 + - Elastic-2.0 type: string - name: - description: >- - The name of the connector. To create a case without a connector, - use `none`. - example: none + title: + type: string + type: + type: string + version: + type: string + required: + - name + - title + - version + - description + - type + - categories + - conditions + - assets + - format_version + - download + - path + Fleet_package_policy: + allOf: + - type: object + properties: + id: type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - Cases_payload_create_case: + inputs: + oneOf: + - items: {} + type: array + - type: object + revision: + type: number + required: + - id + - revision + - $ref: '#/components/schemas/Fleet_new_package_policy' + title: Package policy + Fleet_package_policy_request: + title: Package Policy Request type: object properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - connector: + description: + description: Package policy description + example: my description + type: string + force: + description: >- + Force package policy creation even if package is not verified, or if + the agent policy is managed. + type: boolean + id: + description: Package policy unique identifier + type: string + inputs: + additionalProperties: + type: object + properties: + enabled: + description: enable or disable that input, (default to true) + type: boolean + streams: + additionalProperties: + type: object + properties: + enabled: + description: enable or disable that stream, (default to true) + type: boolean + vars: + description: >- + Stream level variable (see integration documentation for + more information) + type: object + description: >- + Input streams (see integration documentation to know what + streams are available) + type: object + vars: + description: >- + Input level variable (see integration documentation for more + information) + type: object + description: >- + Package policy inputs (see integration documentation to know what + inputs are available) + example: + nginx-logfile: + enabled: true + streams: + nginx.access: + enabled: true + vars: + ignore_older: 72h + paths: + - /var/log/nginx/access.log* + preserve_original_event: false + tags: + - nginx-access + type: object + name: + description: Package policy name (should be unique) + example: nginx-123 + type: string + namespace: + description: >- + The package policy namespace. Leave blank to inherit the agent + policy's namespace. + example: customnamespace + type: string + output_id: + description: Output ID to send package data to + example: output-id + nullable: true + type: string + overrides: + description: >- + Override settings that are defined in the package policy. The + override option should be used only in unusual circumstances and not + as a routine procedure. + nullable: true type: object properties: - fields: - description: >- - An object containing the connector fields. To create a case - without a connector, specify null. If you want to omit any - individual field, specify null as its value. - example: null - nullable: true + inputs: type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - impact: - description: >- - The effect an incident had on business for ServiceNow ITSM - connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. - items: - type: string - type: array - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes for ServiceNow SecOps connectors. - nullable: true - type: boolean - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs for ServiceNow SecOps connectors. - nullable: true - type: boolean - parent: - description: >- - The key of the parent issue, when the issue type is sub-task - for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow SecOps - connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: >- - The severity code of the incident for IBM Resilient - connectors. - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs for ServiceNow SecOps connectors. - nullable: true - type: boolean - subcategory: - description: >- - The subcategory of the incident for ServiceNow ITSM - connectors. - type: string - urgency: - description: >- - The extent to which the incident resolution can be delayed - for ServiceNow ITSM connectors. - type: string - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. - example: none - type: string + package: + type: object + properties: name: - description: >- - The name of the connector. To create a case without a connector, - use `none`. - example: none + description: Package name + example: nginx type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - description: + version: + description: Package version + example: 1.6.0 + type: string + required: + - name + - version + policy_id: + deprecated: true + description: Agent policy ID where that package policy will be added + example: agent-policy-id + nullable: true type: string - owner: - $ref: '#/components/schemas/Cases_owners' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: + policy_ids: + description: Agent policy IDs where that package policy will be added + example: + - agent-policy-id items: - example: - - tag-1 type: string type: array - title: + vars: + description: >- + Package root level variable (see integration documentation for more + information) + type: object + required: + - name + - package + Fleet_package_usage_stats: + title: Package usage stats + type: object + properties: + agent_policy_count: + type: integer + required: + - agent_policy_count + Fleet_proxies: + title: Fleet Proxy + type: object + properties: + certificate: + type: string + certificate_authorities: + type: string + certificate_key: + type: string + id: + type: string + name: + type: string + proxy_headers: + type: object + url: + type: string + required: + - name + - url + Fleet_saved_object_type: + oneOf: + - enum: + - dashboard + - visualization + - search + - index_pattern + - map + - lens + - security_rule + - csp_rule_template + - ml_module + - tag + - osquery_pack_asset + - osquery_saved_query + type: string + - enum: + - index + - component_template + - ingest_pipeline + - index_template + - ilm_policy + - transform + - data_stream_ilm_policy + - ml_model type: string - Cases_payload_delete: - description: >- - If the `action` is `delete` and the `type` is `delete_case`, the payload - is nullable. - nullable: true - type: object - Cases_payload_description: + title: Saved Object type + Fleet_search_result: + title: Search result type: object properties: description: type: string - Cases_payload_pushed: - type: object - properties: - externalService: - $ref: '#/components/schemas/Cases_external_service' - Cases_payload_settings: + download: + type: string + icons: + type: string + installationInfo: + $ref: '#/components/schemas/Fleet_installation_info' + name: + type: string + path: + type: string + savedObject: + deprecated: true + type: object + status: + type: string + title: + type: string + type: + type: string + version: + type: string + required: + - description + - download + - icons + - name + - path + - title + - type + - version + - status + Fleet_settings: + title: Settings type: object properties: - settings: - $ref: '#/components/schemas/Cases_settings' - Cases_payload_severity: + fleet_server_hosts: + deprecated: true + items: + type: string + type: array + has_seen_add_data_notice: + type: boolean + id: + type: string + prerelease_integrations_enabled: + type: boolean + required: + - fleet_server_hosts + - id + Fleet_upgrade_agent: + title: Upgrade agent type: object properties: - severity: - $ref: '#/components/schemas/Cases_case_severity' - Cases_payload_status: + force: + description: Force upgrade, skipping validation (should be used with caution) + type: boolean + skipRateLimitCheck: + description: Skip rate limit check for upgrade + type: boolean + source_uri: + type: string + version: + type: string + required: + - version + Fleet_upgrade_agent_diff: + items: + items: + $ref: '#/components/schemas/Fleet_full_agent_policy_input' + type: array + title: Package policy Upgrade dryrun + type: array + Fleet_upgrade_diff: + items: + allOf: + - $ref: '#/components/schemas/Fleet_package_policy' + - allOf: + - $ref: '#/components/schemas/Fleet_new_package_policy' + - type: object + properties: + errors: + items: + type: object + properties: + key: + type: string + message: + type: string + type: array + missingVars: + items: + type: string + type: array + type: object + title: Package policy Upgrade dryrun + type: array + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. type: object properties: status: - $ref: '#/components/schemas/Cases_case_status' - Cases_payload_tags: - type: object - properties: - tags: - example: - - tag-1 - items: - type: string - type: array - Cases_payload_title: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false + type: object + properties: + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + required: + - level + required: + - overall + required: + - status + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: >- + Kibana's operational status as well as a detailed breakdown of plugin + statuses indication of various loads (like event loop utilization and + network traffic) at time of request. type: object properties: - title: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. + type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. + type: string + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. + type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: >- + Unique, generated Kibana instance UUID. This UUID should persist + even if the Kibana process restarts. type: string - Cases_payload_user_comment: - type: object - properties: - comment: + version: + additionalProperties: false type: object properties: - comment: + build_date: + description: The date and time of this build. type: string - owner: - $ref: '#/components/schemas/Cases_owners' - type: + build_flavor: + description: >- + The build flavour determines configuration and behavior of + Kibana. On premise users will almost always run the + "traditional" flavour, while other flavours are reserved for + Elastic-specific use cases. enum: - - user + - serverless + - traditional type: string - Cases_rule: - description: > - The rule that is associated with the alerts. It is required only when - `type` is `alert`. This functionality is in technical preview and may be - changed or removed in a future release. Elastic will work to fix any - issues, but features in technical preview are not subject to the support - SLA of official GA features. - title: Alerting rule - type: object - properties: - id: - description: The rule identifier. - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - type: string - name: - description: The rule name. - example: security_rule - type: string - x-technical-preview: true - Cases_searchFieldsType: - description: The fields to perform the `simple_query_string` parsed query against. - enum: - - description - - title - type: string - Cases_set_case_configuration_request: - description: >- - External connection details, such as the closure type and default - connector for cases. - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not used and - are not propagated to individual cases, therefore it is - recommended to set it to `null`. - nullable: true - type: object - id: + build_hash: description: >- - The identifier for the connector. If you do not want a default - connector, use `none`. To retrieve connector IDs, use the find - connectors API. - example: none + A unique hash value representing the git commit of this Kibana + build. type: string - name: + build_number: description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use the find - connectors API. - example: none + A monotonically increasing number, each subsequent build will + have a higher number. + type: number + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. type: string - type: - $ref: '#/components/schemas/Cases_connector_types' required: - - fields - - id - - name - - type - customFields: - description: Custom fields case configuration. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` is `text`, - the default value must be a string. If the `type` is `toggle`, - the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower case and - composed only of a-z, 0-9, '_', and '-' characters. It is used - in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If `false`, the - custom field can be set to null or omitted when a case is - created or updated. - type: boolean - required: - - key - - label - - required - - type - maxItems: 10 - minItems: 0 - type: array - owner: - $ref: '#/components/schemas/Cases_owners' - templates: - $ref: '#/components/schemas/Cases_templates' + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date required: - - closure_type - - connector - - owner - title: Set case configuration request + - name + - uuid + - version + - status + - metrics + Machine_learning_APIs_mlSync200Response: + properties: + datafeedsAdded: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job is missing a datafeed + identifier, it is added when you run the sync machine learning saved + objects API. + type: object + datafeedsRemoved: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job references a datafeed + that no longer exists, it is deleted when you run the sync machine + learning saved objects API. + type: object + savedObjectsCreated: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + savedObjectsDeleted: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + title: Successful sync API response type: object - Cases_settings: - description: An object that contains the case settings. + Machine_learning_APIs_mlSync4xxResponse: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful sync API response type: object + Machine_learning_APIs_mlSyncResponseAnomalyDetectors: + description: >- + The sync machine learning saved objects API response contains this + object when there are anomaly detection jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. properties: - syncAlerts: - description: Turns alert syncing on or off. - example: true - type: boolean - required: - - syncAlerts - Cases_template_tags: - description: > - The words and phrases that help categorize templates. It can be an empty - array. - items: - maxLength: 256 - type: string - maxItems: 200 - type: array - Cases_templates: - items: - type: object - properties: - caseFields: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, therefore - it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector IDs, - use the find connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use - the find connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - customFields: - description: Custom field values in the template. - items: - type: object - properties: - key: - description: The unique key for the custom field. - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - value: - description: > - The default value for the custom field when a case uses - the template. If the `type` is `text`, the default value - must be a string. If the `type` is `toggle`, the default - value must be boolean. - oneOf: - - type: string - - type: boolean - type: array - x-technical-preview: true - description: - $ref: '#/components/schemas/Cases_case_description' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - description: - description: A description for the template. - type: string - key: - description: > - A unique key for the template. Must be lower case and composed - only of a-z, 0-9, '_', and '-' characters. It is used in API calls - to refer to a specific template. - type: string - name: - description: The name of the template. - type: string - tags: - $ref: '#/components/schemas/Cases_template_tags' - type: array - x-technical-preview: true - Cases_update_alert_comment_request_properties: - description: Defines properties for case comment requests when type is alert. + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for anomaly detection jobs type: object + Machine_learning_APIs_mlSyncResponseDatafeeds: + description: >- + The sync machine learning saved objects API response contains this + object when there are datafeeds affected by the synchronization. There + is an object for each relevant datafeed, which contains the + synchronization status. properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - type: string - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owners' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for datafeeds + type: object + Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: + description: >- + The sync machine learning saved objects API response contains this + object when there are data frame analytics jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for data frame analytics jobs + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: + description: >- + If saved objects are missing for machine learning jobs or trained + models, they are created when you run the sync machine learning saved + objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If saved objects are missing for anomaly detection jobs, they are + created. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If saved objects are missing for data frame analytics jobs, they are + created. + type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: If saved objects are missing for trained models, they are created. + type: object + title: Sync API response for created saved objects + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: + description: >- + If saved objects exist for machine learning jobs or trained models that + no longer exist, they are deleted when you run the sync machine learning + saved objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If there are saved objects exist for nonexistent anomaly detection + jobs, they are deleted. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If there are saved objects exist for nonexistent data frame + analytics jobs, they are deleted. + type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: >- + If there are saved objects exist for nonexistent trained models, + they are deleted. + type: object + title: Sync API response for deleted saved objects + type: object + Machine_learning_APIs_mlSyncResponseSuccess: + description: The success or failure of the synchronization. + type: boolean + Machine_learning_APIs_mlSyncResponseTrainedModels: + description: >- + The sync machine learning saved objects API response contains this + object when there are trained models affected by the synchronization. + There is an object for each relevant trained model, which contains the + synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for trained models + type: object + Saved_objects_400_response: + title: Bad request + type: object + properties: + error: enum: - - alert - example: alert + - Bad Request type: string - version: - description: > - The current comment version. To retrieve version values, use the get - comments API. - example: Wzk1LDFd + message: type: string + statusCode: + enum: + - 400 + type: integer required: - - alertId - - id - - index - - owner - - rule - - type - - version - title: Update case comment request properties for alerts - Cases_update_case_comment_request: - description: >- - The update case comment API request body varies depending on whether you - are updating an alert or a comment. - discriminator: - mapping: - alert: '#/components/schemas/Cases_update_alert_comment_request_properties' - user: '#/components/schemas/Cases_update_user_comment_request_properties' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' - title: Update case comment request - Cases_update_case_configuration_request: + - error + - message + - statusCode + Saved_objects_attributes: description: > - You can update settings such as the closure type, custom fields, - templates, and the default connector for cases. - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not used and - are not propagated to individual cases, therefore it is - recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a default - connector, use `none`. To retrieve connector IDs, use the find - connectors API. - example: none - type: string - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use the find - connectors API. - example: none - type: string - type: - $ref: '#/components/schemas/Cases_connector_types' - required: - - fields - - id - - name - - type - customFields: - description: Custom fields case configuration. - items: - type: object - properties: - defaultValue: - description: > - A default value for the custom field. If the `type` is `text`, - the default value must be a string. If the `type` is `toggle`, - the default value must be boolean. - oneOf: - - type: string - - type: boolean - key: - description: > - A unique key for the custom field. Must be lower case and - composed only of a-z, 0-9, '_', and '-' characters. It is used - in API calls to refer to a specific custom field. - maxLength: 36 - minLength: 1 - type: string - label: - description: The custom field label that is displayed in the case. - maxLength: 50 - minLength: 1 - type: string - type: - description: The type of the custom field. - enum: - - text - - toggle - type: string - required: - description: > - Indicates whether the field is required. If `false`, the - custom field can be set to null or omitted when a case is - created or updated. - type: boolean - required: - - key - - label - - required - - type - type: array - templates: - $ref: '#/components/schemas/Cases_templates' - version: - description: > - The version of the connector. To retrieve the version value, use the - get configuration API. - example: WzIwMiwxXQ== - type: string - required: - - version - title: Update case configuration request + The data that you want to create. WARNING: When you create saved + objects, attributes are not validated, which allows you to pass + arbitrary and ill-formed data into the API that can break Kibana. Make + sure any data that you send to the API is properly formed. type: object - Cases_update_case_request: - description: >- - The update case API request body varies depending on the type of - connector. - properties: - cases: - description: An array containing one or more case objects. - items: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: >- - #/components/schemas/Cases_connector_properties_cases_webhook - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: >- - #/components/schemas/Cases_connector_properties_servicenow_sir - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - description: > - Custom field values for a case. Any optional custom fields - that are not specified in the request are set to null. - items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key - value must exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified - in the case configuration settings. - enum: - - text - - toggle - type: string - value: - description: > - The custom field value. If the custom field is required, - it cannot be explicitly set to null. However, for cases - that existed when the required custom field was added, - the default value stored in Elasticsearch is - `undefined`. The value returned in the API and user - interface in this case is `null`. - oneOf: - - maxLength: 160 - minLength: 1 - nullable: true - type: string - - type: boolean - required: - - key - - type - - value - maxItems: 10 - minItems: 0 - type: array - description: - $ref: '#/components/schemas/Cases_case_description' - id: - description: The identifier for the case. - maxLength: 30000 - type: string - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - version: - description: >- - The current version of the case. To determine this value, use - the get case or find cases APIs. - type: string - required: - - id - - version - maxItems: 100 - minItems: 1 - type: array + Saved_objects_initial_namespaces: + description: > + Identifiers for the spaces in which this object is created. If this is + provided, the object is created only in the explicitly defined spaces. + If this is not provided, the object is created in the current space + (default behavior). For shareable object types (registered with + `namespaceType: 'multiple'`), this option can be used to specify one or + more spaces, including the "All spaces" identifier ('*'). For isolated + object types (registered with `namespaceType: 'single'` or + `namespaceType: 'multiple-isolated'`), this option can only be used to + specify a single space, and the "All spaces" identifier ('*') is not + allowed. For global object types (`registered with `namespaceType: + agnostic`), this option cannot be used. + type: array + Saved_objects_references: + description: > + Objects with `name`, `id`, and `type` properties that describe the other + saved objects that this object references. Use `name` in attributes to + refer to the other saved object, but never the `id`, which can update + automatically during migrations or import and export. + type: array + Security_AI_Assistant_API_AnonymizationFieldCreateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + field: + type: string required: - - cases - title: Update case request + - field + Security_AI_Assistant_API_AnonymizationFieldDetailsInError: type: object - Cases_update_user_comment_request_properties: - description: Defines properties for case comment requests when type is user. properties: - comment: - description: The new comment. It is required only when `type` is `user`. - example: A new comment. - maxLength: 30000 + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_AnonymizationFieldResponse: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + createdAt: + type: string + createdBy: + type: string + field: type: string id: - description: > - The identifier for the comment. To retrieve comment IDs, use the get - comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + namespace: + description: Kibana space type: string - owner: - $ref: '#/components/schemas/Cases_owners' - type: - description: The type of comment. - enum: - - user - example: user + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: type: string - version: - description: > - The current comment version. To retrieve version values, use the get - comments API. - example: Wzk1LDFd + updatedBy: type: string required: - - comment - id - - owner - - type - - version - title: Update case comment request properties for user comments - type: object - Cases_user_actions_find_response_properties: + - field + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: + enum: + - ANONYMIZATION_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: type: object properties: - action: - $ref: '#/components/schemas/Cases_actions' - comment_id: - example: 578608d0-03b1-11ed-920c-974bfa104448 - nullable: true + id: type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + name: type: string - created_by: + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + required: + - id + - skip_reason + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: + type: object + properties: + anonymization_fields_count: + type: integer + attributes: type: object properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary required: - - email - - full_name - - username - id: - example: 22fd3e30-03b1-11ed-920c-974bfa104448 - type: string - owner: - $ref: '#/components/schemas/Cases_owners' - payload: - oneOf: - - $ref: '#/components/schemas/Cases_payload_alert_comment' - - $ref: '#/components/schemas/Cases_payload_assignees' - - $ref: '#/components/schemas/Cases_payload_connector' - - $ref: '#/components/schemas/Cases_payload_create_case' - - $ref: '#/components/schemas/Cases_payload_delete' - - $ref: '#/components/schemas/Cases_payload_description' - - $ref: '#/components/schemas/Cases_payload_pushed' - - $ref: '#/components/schemas/Cases_payload_settings' - - $ref: '#/components/schemas/Cases_payload_severity' - - $ref: '#/components/schemas/Cases_payload_status' - - $ref: '#/components/schemas/Cases_payload_tags' - - $ref: '#/components/schemas/Cases_payload_title' - - $ref: '#/components/schemas/Cases_payload_user_comment' - type: - description: The type of action. - enum: - - assignees - - create_case - - comment - - connector - - description - - pushed - - tags - - title - - status - - settings - - severity - example: create_case + - results + - summary + message: type: string - version: - example: WzM1ODg4LDFd + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + type: array + updated: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_AnonymizationFieldUpdateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + id: type: string required: - - action - - comment_id - - created_at - - created_by - id - - owner - - payload - - type - - version - Cases_user_actions_response_properties: + Security_AI_Assistant_API_ApiConfig: type: object properties: - action: - $ref: '#/components/schemas/Cases_actions' - action_id: - example: 22fd3e30-03b1-11ed-920c-974bfa104448 + actionTypeId: + description: action type id type: string - case_id: - example: 22df07d0-03b1-11ed-920c-974bfa104448 + connectorId: + description: connector id type: string - comment_id: - example: 578608d0-03b1-11ed-920c-974bfa104448 - nullable: true + defaultSystemPromptId: + description: defaultSystemPromptId type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + model: + description: model type: string - created_by: - type: object - properties: - email: - example: null - nullable: true - type: string - full_name: - example: null - nullable: true - type: string - profile_uid: - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - type: string - username: - example: elastic - nullable: true - type: string - required: - - email - - full_name - - username - owner: - $ref: '#/components/schemas/Cases_owners' - payload: - oneOf: - - $ref: '#/components/schemas/Cases_payload_alert_comment' - - $ref: '#/components/schemas/Cases_payload_assignees' - - $ref: '#/components/schemas/Cases_payload_connector' - - $ref: '#/components/schemas/Cases_payload_create_case' - - $ref: '#/components/schemas/Cases_payload_delete' - - $ref: '#/components/schemas/Cases_payload_description' - - $ref: '#/components/schemas/Cases_payload_pushed' - - $ref: '#/components/schemas/Cases_payload_settings' - - $ref: '#/components/schemas/Cases_payload_severity' - - $ref: '#/components/schemas/Cases_payload_status' - - $ref: '#/components/schemas/Cases_payload_tags' - - $ref: '#/components/schemas/Cases_payload_title' - - $ref: '#/components/schemas/Cases_payload_user_comment' - type: - $ref: '#/components/schemas/Cases_action_types' + provider: + $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' + description: Provider required: - - action - - action_id - - case_id - - comment_id - - created_at - - created_by - - owner - - payload - - type - Cases_user_comment_response_properties: - title: Case response properties for user comments + - connectorId + - actionTypeId + Security_AI_Assistant_API_BulkCrudActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_AI_Assistant_API_ChatCompleteProps: + type: object + properties: + connectorId: + type: string + conversationId: + type: string + isStream: + type: boolean + langSmithApiKey: + type: string + langSmithProject: + type: string + messages: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' + type: array + model: + type: string + persist: + type: boolean + promptId: + type: string + responseLanguage: + type: string + required: + - messages + - persist + - connectorId + Security_AI_Assistant_API_ChatMessage: + description: AI assistant message. type: object properties: - comment: - example: A new comment. + content: + description: Message content. type: string - created_at: - example: '2022-05-13T09:16:17.416Z' - format: date-time + data: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' + description: ECS object to attach to the context of the message. + fields_to_anonymize: + items: + type: string + type: array + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' + description: Message role. + required: + - role + Security_AI_Assistant_API_ChatMessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_ConversationCategory: + description: The conversation category. + enum: + - assistant + - insights + type: string + Security_AI_Assistant_API_ConversationConfidence: + description: The conversation confidence. + enum: + - low + - medium + - high + type: string + Security_AI_Assistant_API_ConversationCreateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + description: The conversation id. type: string - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + title: + description: The conversation title. + type: string + required: + - title + Security_AI_Assistant_API_ConversationResponse: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + createdAt: + description: The last time conversation was updated. + type: string + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean id: - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + namespace: + description: Kibana space type: string - owner: - $ref: '#/components/schemas/Cases_owners' - pushed_at: - example: null - format: date-time - nullable: true + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + title: + description: The conversation title. type: string - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' - type: - enum: - - user - example: user + updatedAt: + description: The last time conversation was updated. type: string - updated_at: - example: null - format: date-time - nullable: true + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - title + - createdAt + - users + - namespace + - category + Security_AI_Assistant_API_ConversationSummary: + type: object + properties: + confidence: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationConfidence + description: >- + How confident you are about this being a correct and useful + learning. + content: + description: Summary text of the conversation over time. type: string - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - example: WzIwNDMxLDFd + public: + description: Define if summary is marked as publicly available. + type: boolean + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp summary was updated. + Security_AI_Assistant_API_ConversationUpdateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + title: + description: The conversation title. type: string required: - - type - Data_views_400_response: - title: Bad request + - id + Security_AI_Assistant_API_FindAnonymizationFieldsSortField: + enum: + - created_at + - anonymized + - allowed + - field + - updated_at + type: string + Security_AI_Assistant_API_FindConversationsSortField: + enum: + - created_at + - is_default + - title + - updated_at + type: string + Security_AI_Assistant_API_FindPromptsSortField: + enum: + - created_at + - is_default + - name + - updated_at + type: string + Security_AI_Assistant_API_Message: + description: AI assistant conversation message. type: object properties: - error: - example: Bad Request + content: + description: Message content. + type: string + isError: + description: Is error message. + type: boolean + reader: + $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' + description: Message content. + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' + description: Message role. + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp message was sent or received. + traceData: + $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' + description: trace Data + required: + - timestamp + - content + - role + Security_AI_Assistant_API_MessageData: + additionalProperties: true + type: object + Security_AI_Assistant_API_MessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_AI_Assistant_API_NormalizedAnonymizationFieldError: + type: object + properties: + anonymization_fields: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + type: array + err_code: type: string message: type: string - statusCode: - example: 400 - type: number + status_code: + type: integer required: - - statusCode - - error - message - Data_views_404_response: + - status_code + - anonymization_fields + Security_AI_Assistant_API_NormalizedPromptError: type: object properties: - error: - enum: - - Not Found - example: Not Found + err_code: type: string message: - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found type: string - statusCode: - enum: - - 404 - example: 404 + prompts: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + type: array + status_code: type: integer - Data_views_allownoindex: - description: Allows the data view saved object to exist before the data is available. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request + required: + - message + - status_code + - prompts + Security_AI_Assistant_API_PromptCreateProps: type: object properties: - data_view: - description: The data view object. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: - type: string - required: - - title - override: - default: false - description: >- - Override an existing data view if a data view with the provided - title already exists. + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + required: + - name + - content + - promptType + Security_AI_Assistant_API_PromptDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_PromptResponse: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + createdAt: + type: string + createdBy: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + namespace: + description: Kibana space + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + updatedBy: + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - name + - promptType + - content + Security_AI_Assistant_API_PromptsBulkActionSkipReason: + enum: + - PROMPT_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_PromptsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties + - id + - skip_reason + Security_AI_Assistant_API_PromptsBulkCrudActionResponse: type: object properties: - data_view: + attributes: type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd - type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + - summary + message: + type: string + prompts_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_PromptsBulkCrudActionResults: type: object properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. - maxLength: 300 + created: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + type: array + updated: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_PromptType: + description: Prompt type + enum: + - system + - quick + type: string + Security_AI_Assistant_API_PromptUpdateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: type: string - customLabel: - description: Custom label for the field. + consumer: type: string - Data_views_fieldformats: - description: A map of field formats by field name. + content: + type: string + id: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + required: + - id + Security_AI_Assistant_API_Provider: + description: Provider + enum: + - OpenAI + - Azure OpenAI + type: string + Security_AI_Assistant_API_Reader: + additionalProperties: true type: object - Data_views_namespaces: - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - default: default + Security_AI_Assistant_API_Replacements: + additionalProperties: type: string + description: Replacements object used to anonymize/deanomymize messsages + type: object + Security_AI_Assistant_API_SortOrder: + enum: + - asc + - desc + type: string + Security_AI_Assistant_API_TraceData: + description: trace Data + type: object + properties: + traceId: + description: Could be any string, not necessarily a UUID + type: string + transactionId: + description: Could be any string, not necessarily a UUID + type: string + Security_AI_Assistant_API_User: + description: Could be any string, not necessarily a UUID + type: object + properties: + id: + description: User id + type: string + name: + description: User name + type: string + Security_Detections_API_AlertAssignees: + type: object + properties: + add: + description: A list of users ids to assign. + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + type: array + remove: + description: A list of users ids to unassign. + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + type: array + required: + - add + - remove + Security_Detections_API_AlertIds: + description: A list of alerts ids. + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + minItems: 1 type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. + Security_Detections_API_AlertsIndex: + deprecated: true + description: (deprecated) Has no effect. + type: string + Security_Detections_API_AlertsIndexMigrationError: type: object properties: - script: + error: type: object properties: - source: - description: Script for the runtime field. + message: type: string - type: - description: Mapping type of the runtime field. + status_code: + type: string + required: + - message + - status_code + index: type: string required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. - items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request + - index + - error + Security_Detections_API_AlertsIndexMigrationSuccess: type: object properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. - oneOf: - - type: string - - items: - type: string - type: array - forType: - description: Limit the affected saved objects by type. - type: string - fromId: - description: The saved object reference to change. + index: type: string - fromType: - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. + migration_id: type: string - toId: - description: New saved object reference value to replace the old value. + migration_index: type: string required: - - fromId - - toId - Data_views_timefieldname: - description: The timestamp field name, which you use for time-based data views. + - index + - migration_id + - migration_index + Security_Detections_API_AlertsIndexNamespace: + description: Has no effect. type: string - Data_views_title: - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). + Security_Detections_API_AlertsReindexOptions: + type: object + properties: + requests_per_second: + minimum: 1 + type: integer + size: + minimum: 1 + type: integer + slices: + minimum: 1 + type: integer + Security_Detections_API_AlertsSort: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' + - items: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsSortCombinations + type: array + Security_Detections_API_AlertsSortCombinations: + anyOf: + - type: string + - additionalProperties: true + type: object + Security_Detections_API_AlertStatus: + enum: + - open + - closed + - acknowledged + - in-progress type: string - Data_views_type: - description: When set to `rollup`, identifies the rollup data views. + Security_Detections_API_AlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionDuration + group_by: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' + missing_fields_strategy: + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy + required: + - group_by + Security_Detections_API_AlertSuppressionDuration: + type: object + properties: + unit: + enum: + - s + - m + - h + type: string + value: + minimum: 1 + type: integer + required: + - value + - unit + Security_Detections_API_AlertSuppressionGroupBy: + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Detections_API_AlertSuppressionMissingFieldsStrategy: + description: >- + Describes how alerts will be generated for documents with missing + suppress by fields: + + doNotSuppress - per each document a separate alert will be created + + suppress - only alert will be created per suppress by bucket + enum: + - doNotSuppress + - suppress type: string - Data_views_typemeta: + Security_Detections_API_AlertTag: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + Security_Detections_API_AlertTags: + items: + $ref: '#/components/schemas/Security_Detections_API_AlertTag' + type: array + Security_Detections_API_AlertVersion: + type: object + properties: + count: + type: integer + version: + type: integer + required: + - version + - count + Security_Detections_API_AnomalyThreshold: + description: Anomaly threshold + minimum: 0 + type: integer + Security_Detections_API_BuildingBlockType: description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. + Determines if the rule acts as a building block. By default, + building-block alerts are not displayed in the UI. These rules are used + as a foundation for other rules that do generate alerts. Its value must + be default. + type: string + Security_Detections_API_BulkActionEditPayload: + anyOf: + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions + - $ref: >- + #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule + Security_Detections_API_BulkActionEditPayloadIndexPatterns: + type: object + properties: + overwrite_data_views: + type: boolean + type: + enum: + - add_index_patterns + - delete_index_patterns + - set_index_patterns + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadInvestigationFields: + type: object + properties: + type: + enum: + - add_investigation_fields + - delete_investigation_fields + - set_investigation_fields + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadRuleActions: type: object properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. + type: + enum: + - add_rule_actions + - set_rule_actions + type: string + value: type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Detections_API_NormalizedRuleAction + type: array + throttle: + $ref: >- + #/components/schemas/Security_Detections_API_ThrottleForBulkActions + required: + - actions required: - - aggs - - params - Data_views_typemeta_response: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true + - type + - value + Security_Detections_API_BulkActionEditPayloadSchedule: type: object properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. + type: + enum: + - set_schedule + type: string + value: type: object - Data_views_update_data_view_request_object: - title: Update data view request + properties: + interval: + description: >- + Interval in which the rule runs. For example, `"1h"` means the + rule runs every hour. + example: 1h + pattern: ^[1-9]\d*[smh]$ + type: string + lookback: + description: Lookback time for the rule + example: 1h + pattern: ^[1-9]\d*[smh]$ + type: string + required: + - interval + - lookback + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadTags: type: object properties: - data_view: - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. + type: + enum: + - add_tags + - delete_tags + - set_tags + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + required: + - type + - value + Security_Detections_API_BulkActionEditPayloadTimeline: + type: object + properties: + type: + enum: + - set_timeline + type: string + value: type: object properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - name: - type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - default: false - description: Reloads the data view fields after the data view is updated. - type: boolean + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + required: + - timeline_id + - timeline_title required: - - data_view - Fleet_agent: - title: Agent + - type + - value + Security_Detections_API_BulkActionsDryRunErrCode: + enum: + - IMMUTABLE + - MACHINE_LEARNING_AUTH + - MACHINE_LEARNING_INDEX_PATTERN + - ESQL_INDEX_PATTERN + - MANUAL_RULE_RUN_FEATURE + - MANUAL_RULE_RUN_DISABLED_RULE + type: string + Security_Detections_API_BulkActionSkipResult: type: object properties: - access_api_key: + id: type: string - access_api_key_id: + name: type: string - active: - type: boolean - components: + skip_reason: + $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' + required: + - id + - skip_reason + Security_Detections_API_BulkCrudRulesResponse: + items: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' + type: array + Security_Detections_API_BulkDeleteRules: + type: object + properties: + action: + enum: + - delete + type: string + ids: + description: Array of rule IDs items: - $ref: '#/components/schemas/Fleet_agent_component' + type: string + minItems: 1 type: array - default_api_key: - type: string - default_api_key_id: + query: + description: Query to filter rules type: string - enrolled_at: + required: + - action + Security_Detections_API_BulkDisableRules: + type: object + properties: + action: + enum: + - disable type: string - id: + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules type: string - last_checkin: + required: + - action + Security_Detections_API_BulkDuplicateRules: + type: object + properties: + action: + enum: + - duplicate type: string - local_metadata: - $ref: '#/components/schemas/Fleet_agent_metadata' - metrics: + duplicate: type: object properties: - cpu_avg: - description: >- - Average agent CPU usage during the last 5 minutes, number - between 0-1 - type: number - memory_size_byte_avg: - description: Average agent memory consumption during the last 5 minutes - type: number - policy_id: - type: string - policy_revision: - type: number - status: - $ref: '#/components/schemas/Fleet_agent_status' - type: - $ref: '#/components/schemas/Fleet_agent_type' - unenrolled_at: - type: string - unenrollment_started_at: + include_exceptions: + description: Whether to copy exceptions from the original rule + type: boolean + include_expired_exceptions: + description: Whether to copy expired exceptions from the original rule + type: boolean + required: + - include_exceptions + - include_expired_exceptions + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules type: string - user_provided_metadata: - $ref: '#/components/schemas/Fleet_agent_metadata' required: - - type - - active - - enrolled_at - - id - - status - Fleet_agent_action: - oneOf: - - properties: - ack_data: - type: string - data: - type: string - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - - properties: - data: - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - type: - type: string - title: Agent action - Fleet_agent_component: - title: Agent component + - action + Security_Detections_API_BulkEditActionResponse: type: object properties: - id: - type: string + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Detections_API_NormalizedRuleError + type: array + results: + $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionResults + summary: + $ref: >- + #/components/schemas/Security_Detections_API_BulkEditActionSummary + required: + - results + - summary message: type: string - status: - $ref: '#/components/schemas/Fleet_agent_component_status' - type: - type: string - units: + rules_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_Detections_API_BulkEditActionResults: + type: object + properties: + created: items: - $ref: '#/components/schemas/Fleet_agent_component_unit' + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' type: array - Fleet_agent_component_status: - enum: - - starting - - configuring - - healthy - - degraded - - failed - - stopping - - stopped - title: Agent component status - type: string - Fleet_agent_component_unit: - title: Agent component unit + deleted: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + skipped: + items: + $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult' + type: array + updated: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_Detections_API_BulkEditActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_Detections_API_BulkEditRules: type: object properties: - id: + action: + enum: + - edit type: string - message: + edit: + description: Array of objects containing the edit operations + items: + $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload' + minItems: 1 + type: array + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules type: string - payload: - type: object - status: - $ref: '#/components/schemas/Fleet_agent_component_status' - type: - $ref: '#/components/schemas/Fleet_agent_component_unit_type' - Fleet_agent_component_unit_type: + required: + - action + - edit + Security_Detections_API_BulkEditSkipReason: enum: - - input - - output - title: Agent component unit type + - RULE_NOT_MODIFIED type: string - Fleet_agent_diagnostics: - title: Agent diagnostics + Security_Detections_API_BulkEnableRules: type: object properties: - actionId: - type: string - createTime: + action: + enum: + - enable type: string - filePath: + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules type: string - id: + required: + - action + Security_Detections_API_BulkExportActionResponse: + type: string + Security_Detections_API_BulkExportRules: + type: object + properties: + action: + enum: + - export type: string - name: + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - IN_PROGRESS required: - - id - - name - - createTime - - filePath - - actionId - - status - Fleet_agent_get_by_actions: - items: - items: - type: string - type: array - title: Agents get by action ids - type: array - Fleet_agent_metadata: - title: Agent metadata - type: object - Fleet_agent_policy: - title: Agent Policy + - action + Security_Detections_API_BulkManualRuleRun: type: object properties: - advanced_settings: - description: >- - Advanced settings stored in the agent policy, e.g. - agent_limits_go_max_procs - nullable: true - type: object - agent_features: + action: + enum: + - run + type: string + ids: + description: Array of rule IDs items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled + type: string + minItems: 1 type: array - agents: - type: number - data_output_id: - nullable: true + query: + description: Query to filter rules type: string - description: + run: + type: object + properties: + end_date: + description: End date of the manual rule run + type: string + start_date: + description: Start date of the manual rule run + type: string + required: + - start_date + required: + - action + - run + Security_Detections_API_ConcurrentSearches: + minimum: 1 + type: integer + Security_Detections_API_DataViewId: + type: string + Security_Detections_API_DefaultParams: + type: object + properties: + command: + enum: + - isolate type: string - download_source_id: - nullable: true + comment: type: string - fleet_server_host_id: - nullable: true + required: + - command + Security_Detections_API_EcsMapping: + additionalProperties: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + type: object + Security_Detections_API_EndpointResponseAction: + type: object + properties: + action_type_id: + enum: + - .endpoint type: string - global_data_tags: + params: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_DefaultParams' + - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams' + required: + - action_type_id + - params + Security_Detections_API_EqlOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + event_category_override: + $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + response_actions: items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array - id: + tiebreaker_field: + $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' + timestamp_field: + $ref: '#/components/schemas/Security_Detections_API_TimestampField' + Security_Detections_API_EqlQueryLanguage: + enum: + - eql + type: string + Security_Detections_API_EqlRequiredFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' + description: Query language to use + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql type: string - inactivity_timeout: - type: integer - is_protected: - description: >- - Indicates whether the agent policy has tamper protection enabled. - Default false. - type: boolean - keep_monitoring_alive: - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled - nullable: true - type: boolean - monitoring_diagnostics: - type: object + required: + - type + - query + - language + Security_Detections_API_EqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields' + Security_Detections_API_EqlRuleCreateFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' + Security_Detections_API_EqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' + Security_Detections_API_EqlRulePatchFields: + allOf: + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' + description: Query language to use + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql + type: string + - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' + Security_Detections_API_EqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields' + Security_Detections_API_EqlRuleResponseFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' + Security_Detections_API_EqlRuleUpdateProps: + allOf: + - type: object properties: - limit: - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - metrics - - logs - type: string - type: array - monitoring_http: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' + Security_Detections_API_ErrorSchema: + additionalProperties: false + type: object + properties: + error: type: object properties: - enabled: - type: boolean - host: + message: type: string - port: - type: number + status_code: + minimum: 400 + type: integer required: - - enabled - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - type: string - namespace: + - status_code + - message + id: type: string - overrides: - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_policies: - description: >- - This field is present only when retrieving a single agent policy, or - when retrieving a list of agent policies with the ?full=true - parameter - items: - $ref: '#/components/schemas/Fleet_package_policy' - type: array - revision: - type: number - supports_agentless: - description: >- - Indicates whether the agent policy supports agentless integrations. - Only allowed in a serverless environment. - type: boolean - unenroll_timeout: - type: integer - unprivileged_agents: - type: number - updated_by: + item_id: + minLength: 1 type: string - updated_on: - format: date-time + list_id: + minLength: 1 type: string + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' required: - - id - - status - - name - - namespace - Fleet_agent_policy_create_request: - title: Create agent policy request + - error + Security_Detections_API_EsqlQueryLanguage: + enum: + - esql + type: string + Security_Detections_API_EsqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields' + Security_Detections_API_EsqlRuleCreateFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' + Security_Detections_API_EsqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' + Security_Detections_API_EsqlRuleOptionalFields: type: object properties: - agent_features: - items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - type: array - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - description: Force agent policy creation even if packages are not verified. - type: boolean - global_data_tags: - items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object - type: array - id: - type: string - inactivity_timeout: - type: integer - is_protected: - type: boolean - monitoring_enabled: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + response_actions: items: - enum: - - metrics - - logs - type: string + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array - monitoring_output_id: - nullable: true - type: string - name: + Security_Detections_API_EsqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + language: + $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + description: ESQL query to execute + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + type: + description: Rule type + enum: + - esql + type: string + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + Security_Detections_API_EsqlRuleRequiredFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + description: ESQL query to execute + type: + description: Rule type + enum: + - esql type: string - namespace: + required: + - type + - language + - query + Security_Detections_API_EsqlRuleResponseFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' + Security_Detections_API_EsqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' + Security_Detections_API_EventCategoryOverride: + type: string + Security_Detections_API_ExceptionListType: + description: The exception type + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Detections_API_ExternalRuleSource: + description: >- + Type of rule source for externally sourced rules, i.e. rules that have + an external source, such as the Elastic Prebuilt rules repo. + type: object + properties: + is_customized: + $ref: >- + #/components/schemas/Security_Detections_API_IsExternalRuleCustomized + type: + enum: + - external type: string - unenroll_timeout: - type: integer required: + - type + - is_customized + Security_Detections_API_FindRulesSortField: + enum: + - created_at + - createdAt + - enabled + - execution_summary.last_execution.date + - execution_summary.last_execution.metrics.execution_gap_duration_s + - execution_summary.last_execution.metrics.total_indexing_duration_ms + - execution_summary.last_execution.metrics.total_search_duration_ms + - execution_summary.last_execution.status - name - - namespace - Fleet_agent_policy_full: - oneOf: - - type: object - properties: - item: - type: string - - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_full_agent_policy' - title: Agent policy full response - type: object - Fleet_agent_policy_update_request: - title: Update agent policy request + - risk_score + - riskScore + - severity + - updated_at + - updatedAt + type: string + Security_Detections_API_HistoryWindowStart: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + Security_Detections_API_IndexMigrationStatus: type: object properties: - agent_features: + index: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + is_outdated: + type: boolean + migrations: items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled + $ref: '#/components/schemas/Security_Detections_API_MigrationStatus' type: array - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - description: Force agent policy creation even if packages are not verified. - type: boolean - global_data_tags: + signal_versions: items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object + $ref: '#/components/schemas/Security_Detections_API_AlertVersion' type: array - inactivity_timeout: + version: type: integer - is_protected: - type: boolean - monitoring_enabled: + required: + - index + - version + - signal_versions + - migrations + - is_outdated + Security_Detections_API_IndexPatternArray: + items: + type: string + type: array + Security_Detections_API_InternalRuleSource: + description: >- + Type of rule source for internally sourced rules, i.e. created within + the Kibana apps. + type: object + properties: + type: + enum: + - internal + type: string + required: + - type + Security_Detections_API_InvestigationFields: + description: > + Schema for fields relating to investigation fields. These are user + defined fields we use to highlight + + in various features in the UI such as alert details flyout and + exceptions auto-population from alert. + + Added in PR #163235 + + Right now we only have a single field but anticipate adding more related + fields to store various + + configuration states such as `override` - where a user might say if they + want only these fields to + + display, or if they want these fields + the fields we select. When + expanding this field, it may look + + something like: + + ```typescript + + const investigationFields = z.object({ + field_names: NonEmptyArray(NonEmptyString), + override: z.boolean().optional(), + }); + + ``` + type: object + properties: + field_names: items: - enum: - - metrics - - logs - type: string + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + minItems: 1 type: array - monitoring_output_id: - nullable: true - type: string - name: - type: string - namespace: - type: string - unenroll_timeout: - type: integer required: - - name - - namespace - Fleet_agent_status: - enum: - - offline - - error - - online - - inactive - - warning - title: Elastic Agent status + - field_names + Security_Detections_API_InvestigationGuide: + description: Notes to help investigate alerts produced by the rule. type: string - Fleet_agent_type: + Security_Detections_API_IsExternalRuleCustomized: + description: >- + Determines whether an external/prebuilt rule has been customized by the + user (i.e. any of its fields have been modified and diverged from the + base value). + type: boolean + Security_Detections_API_IsRuleEnabled: + description: Determines whether the rule is enabled. + type: boolean + Security_Detections_API_IsRuleImmutable: + deprecated: true + description: >- + This field determines whether the rule is a prebuilt Elastic rule. It + will be replaced with the `rule_source` field. + type: boolean + Security_Detections_API_ItemsPerSearch: + minimum: 1 + type: integer + Security_Detections_API_KqlQueryLanguage: enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - title: Agent type + - kuery + - lucene type: string - Fleet_bulk_install_packages_response: - title: Bulk install packages response + Security_Detections_API_MachineLearningJobId: + description: Machine learning job ID + oneOf: + - type: string + - items: + type: string + minItems: 1 + type: array + Security_Detections_API_MachineLearningRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields + Security_Detections_API_MachineLearningRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + Security_Detections_API_MachineLearningRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: - items: - items: - type: object - properties: - name: - type: string - version: - type: string - type: array - response: - deprecated: true - items: - type: object - properties: - name: - type: string - version: - type: string - type: array + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + Security_Detections_API_MachineLearningRulePatchFields: + allOf: + - type: object + properties: + anomaly_threshold: + $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningJobId + type: + description: Rule type + enum: + - machine_learning + type: string + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + Security_Detections_API_MachineLearningRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields + Security_Detections_API_MachineLearningRuleRequiredFields: + type: object + properties: + anomaly_threshold: + $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' + machine_learning_job_id: + $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' + type: + description: Rule type + enum: + - machine_learning + type: string required: - - items - Fleet_bulk_upgrade_agents: - title: Bulk upgrade agents + - type + - machine_learning_job_id + - anomaly_threshold + Security_Detections_API_MachineLearningRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields + Security_Detections_API_MachineLearningRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields + Security_Detections_API_MaxSignals: + minimum: 1 + type: integer + Security_Detections_API_MigrationCleanupResult: type: object properties: - agents: - oneOf: - - description: KQL query string, leave empty to action all agents + destinationIndex: + type: string + error: + type: object + properties: + message: type: string - - description: list of agent IDs - items: - type: string - type: array - force: - description: Force upgrade, skipping validation (should be used with caution) - type: boolean - rollout_duration_seconds: - description: rolling upgrade window duration in seconds - type: number - skipRateLimitCheck: - description: Skip rate limit check for upgrade - type: boolean - source_uri: - description: alternative upgrade binary download url + status_code: + type: integer + required: + - message + - status_code + id: type: string - start_time: - description: start time of upgrade in ISO 8601 format + sourceIndex: + type: string + status: + enum: + - success + - failure + - pending + type: string + updated: + format: date-time type: string version: - description: version to upgrade to type: string required: - - agents + - id + - destinationIndex + - status + - sourceIndex - version - Fleet_data_stream: - title: Data stream + - updated + Security_Detections_API_MigrationFinalizationResult: type: object properties: - dashboard: - items: - type: object - properties: - id: - type: string - title: - type: string - type: array - dataset: - type: string - index: + completed: + type: boolean + destinationIndex: type: string - last_activity_ms: - type: number - namespace: + error: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - message + - status_code + id: type: string - package: + sourceIndex: type: string - package_version: + status: + enum: + - success + - failure + - pending type: string - size_in_bytes: - type: number - size_in_bytes_formatted: + updated: + format: date-time type: string - type: + version: type: string - Fleet_download_sources: - title: Download Source + required: + - id + - completed + - destinationIndex + - status + - sourceIndex + - version + - updated + Security_Detections_API_MigrationStatus: type: object properties: - host: - type: string id: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + status: + enum: + - success + - failure + - pending type: string - is_default: - type: boolean - name: + updated: + format: date-time type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the proxies - API for more information. - nullable: true + version: + type: integer + required: + - id + - status + - version + - updated + Security_Detections_API_NewTermsFields: + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Detections_API_NewTermsRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields + Security_Detections_API_NewTermsRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + Security_Detections_API_NewTermsRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + Security_Detections_API_NewTermsRuleDefaultableFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_NewTermsRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array + Security_Detections_API_NewTermsRulePatchFields: + allOf: + - type: object + properties: + history_window_start: + $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' + new_terms_fields: + $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms + type: string + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields + Security_Detections_API_NewTermsRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields' + Security_Detections_API_NewTermsRuleRequiredFields: + type: object + properties: + history_window_start: + $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' + new_terms_fields: + $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms type: string required: - - is_default - - name - - host - Fleet_elasticsearch_asset_type: - enum: - - component_template - - ingest_pipeline - - index_template - - ilm_policy - - transform - - data_stream_ilm_policy - title: Elasticsearch asset type + - type + - query + - new_terms_fields + - history_window_start + Security_Detections_API_NewTermsRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + required: + - language + Security_Detections_API_NewTermsRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields + Security_Detections_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ type: string - Fleet_enrollment_api_key: - title: Enrollment API key + Security_Detections_API_NormalizedRuleAction: + additionalProperties: false type: object properties: - active: - description: >- - When false, the enrollment API key is revoked and cannot be used for - enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string + alerts_filter: + $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' + frequency: + $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' + group: + $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. - type: string + $ref: '#/components/schemas/Security_Detections_API_RuleActionId' + params: + $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' required: - id - - api_key_id - - api_key - - active - - created_at - Fleet_fleet_server_host: - title: Fleet Server Host + - params + Security_Detections_API_NormalizedRuleError: type: object properties: - host_urls: + err_code: + $ref: >- + #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode + message: + type: string + rules: items: - type: string + $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError' + type: array + status_code: + type: integer + required: + - message + - status_code + - rules + Security_Detections_API_OsqueryParams: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Detections_API_EcsMapping' + pack_id: + type: string + queries: + items: + $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' type: array + query: + type: string + saved_query_id: + type: string + timeout: + type: number + Security_Detections_API_OsqueryQuery: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Detections_API_EcsMapping' id: + description: Query ID type: string - is_default: - type: boolean - is_internal: + platform: + type: string + query: + description: Query to run + type: string + removed: type: boolean - is_preconfigured: + snapshot: type: boolean - name: - type: string - proxy_id: + version: + description: Query version type: string required: - - fleet_server_hosts - id - - is_default - - is_preconfigured - - host_urls - Fleet_fleet_settings_response: - title: Fleet settings response - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_settings' - required: - - item - Fleet_fleet_setup_response: - title: Fleet Setup response + - query + Security_Detections_API_OsqueryResponseAction: type: object properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - type: array + action_type_id: + enum: + - .osquery + type: string + params: + $ref: '#/components/schemas/Security_Detections_API_OsqueryParams' required: - - isInitialized - - nonFatalErrors - Fleet_fleet_status_response: - title: Fleet status response + - action_type_id + - params + Security_Detections_API_PlatformErrorResponse: type: object properties: - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - type: array - missing_requirements: - items: - enum: - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - type: array - package_verification_key_id: + error: + type: string + message: type: string + statusCode: + type: integer required: - - isReady - - missing_requirements - - missing_optional_features - Fleet_full_agent_policy: - title: Full agent policy + - statusCode + - error + - message + Security_Detections_API_ProcessesParams: type: object properties: - agent: - nullable: true - type: string - fleet: - oneOf: - - type: object - properties: - hosts: - items: - type: string - type: array - proxy_headers: {} - proxy_url: - type: string - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - - type: object - properties: - kibana: - type: object - properties: - hosts: - items: - type: string - type: array - path: - type: string - protocol: - type: string - id: + command: + enum: + - kill-process + - suspend-process type: string - inputs: + comment: type: string - monitoring: + config: type: object properties: - diagnostics: - type: object - properties: - limit: - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: - type: boolean - http: - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - required: - - enabled - logs: - type: boolean - metrics: - type: boolean - namespace: + field: + description: Field to use instead of process.pid type: string - pprof: - type: object - properties: - enabled: - type: boolean - required: - - enabled - traces: + overwrite: + default: true + description: Whether to overwrite field with process.pid type: boolean - use_output: - type: string required: + - field + required: + - command + - config + Security_Detections_API_QueryRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags - enabled - - metrics - - logs - - traces - output_permissions: - additionalProperties: - type: object - properties: - data: + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields' + Security_Detections_API_QueryRuleCreateFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + Security_Detections_API_QueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: $ref: >- - #/components/schemas/Fleet_full_agent_policy_output_permissions - output: - type: integer - type: object - outputs: - additionalProperties: - $ref: '#/components/schemas/Fleet_full_agent_policy_output' - type: object - revision: - type: number - secret_references: + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' + Security_Detections_API_QueryRuleDefaultableFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + Security_Detections_API_QueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + response_actions: items: - type: object - properties: - id: - type: string + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array - required: - - id - - outputs - - inputs - Fleet_full_agent_policy_input: + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + Security_Detections_API_QueryRulePatchFields: allOf: - - additionalProperties: true - type: object + - type: object properties: - data_stream: - type: object - properties: - namespace: - type: string - required: - - namespace - id: + type: + description: Rule type + enum: + - query type: string + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - $ref: >- + #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields + Security_Detections_API_QueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: - additionalProperties: true - type: object - properties: - package: - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: - type: string - revision: - type: number - streams: - $ref: '#/components/schemas/Fleet_full_agent_policy_input_stream' - type: - type: string - use_output: - type: string + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields' + Security_Detections_API_QueryRuleRequiredFields: + type: object + properties: + type: + description: Rule type + enum: + - query + type: string + required: + - type + Security_Detections_API_QueryRuleResponseFields: + allOf: + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' required: - - id - - name - - revision - - type - - data_stream - - use_output - title: Full agent policy input - Fleet_full_agent_policy_input_stream: + - query + - language + Security_Detections_API_QueryRuleUpdateProps: allOf: - - additionalProperties: true - type: object + - type: object properties: - data_stream: - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - - type + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - type: string + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - - id - - data_stream - title: Full agent policy input stream - Fleet_full_agent_policy_output: - title: Full agent policy + - name + - description + - risk_score + - severity + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' + Security_Detections_API_RelatedIntegration: + description: > + Related integration is a potential dependency of a rule. It's assumed + that if the user installs + + one of the related integrations of a rule, the rule might start to work + properly because it will + + have source events (generated by this integration) potentially matching + the rule's query. + + + NOTE: Proper work is not guaranteed, because a related integration, if + installed, can be + + configured differently or generate data that is not necessarily relevant + for this rule. + + + Related integration is a combination of a Fleet package and (optionally) + one of the + + package's "integrations" that this package contains. It is represented + by 3 properties: + + + - `package`: name of the package (required, unique id) + + - `version`: version of the package (required, semver-compatible) + + - `integration`: name of the integration of this package (optional, id + within the package) + + + There are Fleet packages like `windows` that contain only one + integration; in this case, + + `integration` should be unspecified. There are also packages like `aws` + and `azure` that contain + + several integrations; in this case, `integration` should be specified. + + + @example + + const x: RelatedIntegration = { + package: 'windows', + version: '1.5.x', + }; + + + @example + + const x: RelatedIntegration = { + package: 'azure', + version: '~1.1.6', + integration: 'activitylogs', + }; type: object properties: - additionalProperties: - type: object - properties: - text: {} - ca_sha256: - nullable: true + integration: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + package: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + version: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - package + - version + Security_Detections_API_RelatedIntegrationArray: + items: + $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' + type: array + Security_Detections_API_RequiredField: + description: > + Describes an Elasticsearch field that is needed for the rule to + function. + + + Almost all types of Security rules check source event documents for a + match to some kind of + + query or filter. If a document has certain field with certain values, + then it's a match and + + the rule will generate an alert. + + + Required field is an event field that must be present in the source + indices of a given rule. + + + @example + + const standardEcsField: RequiredField = { + name: 'event.action', + type: 'keyword', + ecs: true, + }; + + + @example + + const nonEcsField: RequiredField = { + name: 'winlog.event_data.AttributeLDAPDisplayName', + type: 'keyword', + ecs: false, + }; + type: object + properties: + ecs: + description: Whether the field is an ECS field + type: boolean + name: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: Type of the Elasticsearch field + required: + - name + - type + - ecs + Security_Detections_API_RequiredFieldArray: + items: + $ref: '#/components/schemas/Security_Detections_API_RequiredField' + type: array + Security_Detections_API_RequiredFieldInput: + description: >- + Input parameters to create a RequiredField. Does not include the `ecs` + field, because `ecs` is calculated on the backend based on the field + name and type. + type: object + properties: + name: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: Type of an Elasticsearch field + required: + - name + - type + Security_Detections_API_ResponseAction: + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' + - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction' + Security_Detections_API_ResponseFields: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + type: string + execution_summary: + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + immutable: + $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' + required_fields: + $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray' + revision: + minimum: 0 + type: integer + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_source: + $ref: '#/components/schemas/Security_Detections_API_RuleSource' + updated_at: + format: date-time type: string - hosts: - items: - type: string - type: array - proxy_headers: {} - proxy_url: + updated_by: type: string - type: {} required: - - type - - hosts - - ca_sha256 - Fleet_full_agent_policy_output_permissions: - additionalProperties: + - id + - rule_id + - immutable + - updated_at + - updated_by + - created_at + - created_by + - revision + - related_integrations + - required_fields + Security_Detections_API_RiskScore: + description: Risk score (0 to 100) + maximum: 100 + minimum: 0 + type: integer + Security_Detections_API_RiskScoreMapping: + description: >- + Overrides generated alerts' risk_score with a value from the source + event + items: type: object properties: - data: - type: object - properties: - cluster: - items: - type: string - type: array - indices: - items: - type: object - properties: - names: - items: - type: string - type: array - privileges: - items: - type: string - type: array - type: array - packagePolicyName: + field: type: string - title: Full agent policy output permissions - Fleet_get_agent_tags_response: - title: Get Agent Tags response + operator: + enum: + - equals + type: string + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + value: + type: string + required: + - field + - operator + - value + type: array + Security_Detections_API_RuleAction: type: object properties: - items: - items: - type: string - type: array - Fleet_get_agents_response: - title: Get Agent response + action_type_id: + description: The action type used for sending notifications. + type: string + alerts_filter: + $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' + frequency: + $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' + group: + $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleActionId' + params: + $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' + uuid: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - action_type_id + - id + - params + Security_Detections_API_RuleActionAlertsFilter: + additionalProperties: true + type: object + Security_Detections_API_RuleActionFrequency: + description: >- + The action frequency defines when the action runs (for example, only on + rule execution or at specific time intervals). type: object properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_agent' - type: array - page: - type: number - perPage: - type: number - statusSummary: - type: object - properties: - degraded': - type: number - enrolling: - type: number - error: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - unenrolled: - type: number - unenrolling: - type: number - updating: - type: number - total: - type: number + notifyWhen: + $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' + summary: + description: >- + Action summary indicates whether we will send a summary notification + about all the generate alerts or notification per individual alert + type: boolean + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + nullable: true required: - - items - - total - - page - - perPage - Fleet_get_bulk_assets_response: - deprecated: true + - summary + - notifyWhen + - throttle + Security_Detections_API_RuleActionGroup: + description: >- + Optionally groups actions by use cases. Use `default` for alert + notifications. + type: string + Security_Detections_API_RuleActionId: + description: The connector ID. + type: string + Security_Detections_API_RuleActionNotifyWhen: + description: >- + The condition for throttling the notification: `onActionGroupChange`, + `onActiveAlert`, or `onThrottleInterval` + enum: + - onActiveAlert + - onThrottleInterval + - onActionGroupChange + type: string + Security_Detections_API_RuleActionParams: + additionalProperties: true + description: >- + Object containing the allowed connector fields, which varies according + to the connector type. + type: object + Security_Detections_API_RuleActionThrottle: + description: Defines how often rule actions are taken. + oneOf: + - enum: + - no_actions + - rule + type: string + - description: Time interval in seconds, minutes, hours, or days. + example: 1h + pattern: ^[1-9]\d*[smhd]$ + type: string + Security_Detections_API_RuleAuthorArray: + items: + type: string + type: array + Security_Detections_API_RuleCreateProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' + discriminator: + propertyName: type + Security_Detections_API_RuleDescription: + minLength: 1 + type: string + Security_Detections_API_RuleDetailsInError: + type: object properties: - items: - items: - type: object - properties: - appLink: - type: string - attributes: - type: object - properties: - description: - type: string - title: - type: string - id: - type: string - type: - $ref: '#/components/schemas/Fleet_saved_object_type' - updatedAt: - type: string - type: array + id: + type: string + name: + type: string required: - - items - title: Bulk get assets response + - id + Security_Detections_API_RuleExceptionList: type: object - Fleet_get_categories_response: - title: Get categories response + properties: + id: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: ID of the exception container + list_id: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + description: List ID of the exception container + namespace_type: + description: Determines the exceptions validity in rule's Kibana space + enum: + - agnostic + - single + type: string + type: + $ref: '#/components/schemas/Security_Detections_API_ExceptionListType' + required: + - id + - list_id + - type + - namespace_type + Security_Detections_API_RuleExecutionMetrics: type: object properties: - items: - items: - type: object - properties: - count: - type: number - id: - type: string - title: - type: string - required: - - id - - title - - count - type: array - response: - items: - deprecated: true - type: object - properties: - count: - type: number - id: - type: string - title: - type: string - required: - - id - - title - - count - type: array + execution_gap_duration_s: + description: Duration in seconds of execution gap + minimum: 0 + type: integer + total_enrichment_duration_ms: + description: >- + Total time spent enriching documents during current rule execution + cycle + minimum: 0 + type: integer + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during current rule execution + cycle + minimum: 0 + type: integer + total_search_duration_ms: + description: >- + Total time spent performing ES searches as measured by Kibana; + includes network latency and time spent serializing/deserializing + request/response + minimum: 0 + type: integer + Security_Detections_API_RuleExecutionStatus: + description: >- + Custom execution status of Security rules that is different from the + status used in the Alerting Framework. We merge our custom status with + the Framework's status to determine the resulting status of a rule. + + - going to run - @deprecated Replaced by the 'running' status but left + for backwards compatibility with rule execution events already written + to Event Log in the prior versions of Kibana. Don't use when writing + rule status changes. + + - running - Rule execution started but not reached any intermediate or + final status. + + - partial failure - Rule can partially fail for various reasons either + in the middle of an execution (in this case we update its status right + away) or in the end of it. So currently this status can be both + intermediate and final at the same time. A typical reason for a partial + failure: not all the indices that the rule searches over actually exist. + + - failed - Rule failed to execute due to unhandled exception or a reason + defined in the business logic of its executor function. + + - succeeded - Rule executed successfully without any issues. Note: this + status is just an indication of a rule's "health". The rule might or + might not generate any alerts despite of it. + enum: + - going to run + - running + - partial failure + - failed + - succeeded + type: string + Security_Detections_API_RuleExecutionStatusOrder: + type: integer + Security_Detections_API_RuleExecutionSummary: + type: object + properties: + last_execution: + type: object + properties: + date: + description: Date of the last execution + format: date-time + type: string + message: + type: string + metrics: + $ref: >- + #/components/schemas/Security_Detections_API_RuleExecutionMetrics + status: + $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' + description: Status of the last execution + status_order: + $ref: >- + #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder + required: + - date + - status + - status_order + - message + - metrics + required: + - last_execution + Security_Detections_API_RuleFalsePositiveArray: + items: + type: string + type: array + Security_Detections_API_RuleFilterArray: + items: {} + type: array + Security_Detections_API_RuleInterval: + description: >- + Frequency of rule execution, using a date math range. For example, "1h" + means the rule runs every hour. Defaults to 5m (5 minutes). + type: string + Security_Detections_API_RuleIntervalFrom: + description: >- + Time from which data is analyzed each time the rule runs, using a date + math range. For example, now-4200s means the rule analyzes data from 70 + minutes before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). + format: date-math + type: string + Security_Detections_API_RuleIntervalTo: + type: string + Security_Detections_API_RuleLicense: + description: The rule's license. + type: string + Security_Detections_API_RuleMetadata: + additionalProperties: true + type: object + Security_Detections_API_RuleName: + minLength: 1 + type: string + Security_Detections_API_RuleNameOverride: + description: Sets the source field for the alert's signal.rule.name value + type: string + Security_Detections_API_RuleObjectId: + $ref: '#/components/schemas/Security_Detections_API_UUID' + Security_Detections_API_RulePatchProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' + Security_Detections_API_RulePreviewLoggedRequest: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + duration: + type: integer + request: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' required: - - items - Fleet_get_packages_response: - title: Get Packages response + - request + Security_Detections_API_RulePreviewLogs: type: object properties: - items: + duration: + description: Execution duration in milliseconds + type: integer + errors: items: - $ref: '#/components/schemas/Fleet_search_result' + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' type: array - response: - deprecated: true + requests: items: - $ref: '#/components/schemas/Fleet_search_result' + $ref: >- + #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest + type: array + startedAt: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + warnings: + items: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' type: array required: - - items - Fleet_installation_info: - title: Installation info object + - errors + - warnings + - duration + Security_Detections_API_RulePreviewParams: type: object properties: - created_at: + invocationCount: + type: integer + timeframeEnd: + format: date-time type: string - experimental_data_stream_features: + required: + - invocationCount + - timeframeEnd + Security_Detections_API_RuleQuery: + type: string + Security_Detections_API_RuleReferenceArray: + items: + type: string + type: array + Security_Detections_API_RuleResponse: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRule' + - $ref: '#/components/schemas/Security_Detections_API_QueryRule' + - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule' + - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule' + - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule' + - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule' + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRule' + discriminator: + propertyName: type + Security_Detections_API_RuleSignatureId: + description: Could be any string, not necessarily a UUID + type: string + Security_Detections_API_RuleSource: + description: >- + Discriminated union that determines whether the rule is internally + sourced (created within the Kibana app) or has an external source, such + as the Elastic Prebuilt rules repo. + discriminator: + propertyName: type + oneOf: + - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' + - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' + Security_Detections_API_RuleTagArray: + description: >- + String array containing words and phrases to help categorize, filter, + and search rules. Defaults to an empty array. + items: + type: string + type: array + Security_Detections_API_RuleUpdateProps: + anyOf: + - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps + - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' + - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' + discriminator: + propertyName: type + Security_Detections_API_RuleVersion: + description: The rule's version number. + minimum: 1 + type: integer + Security_Detections_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Detections_API_SavedObjectResolveAliasTargetId: + type: string + Security_Detections_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Detections_API_SavedQueryId: + type: string + Security_Detections_API_SavedQueryRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields + Security_Detections_API_SavedQueryRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + Security_Detections_API_SavedQueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + Security_Detections_API_SavedQueryRuleDefaultableFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_SavedQueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array + Security_Detections_API_SavedQueryRulePatchFields: + allOf: + - type: object properties: - data_stream: + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + type: + description: Rule type + enum: + - saved_query type: string - features: - type: object - properties: - doc_value_only_numeric: - nullable: true - type: boolean - doc_value_only_other: - nullable: true - type: boolean - synthetic_source: - nullable: true - type: boolean - tsdb: - nullable: true - type: boolean - install_format_schema_version: - type: string - install_kibana_space_id: - type: string - install_source: - enum: - - registry - - upload - - bundled - type: string - install_status: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields + Security_Detections_API_SavedQueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields + Security_Detections_API_SavedQueryRuleRequiredFields: + type: object + properties: + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + type: + description: Rule type enum: - - installed - - installing - - install_failed + - saved_query type: string - installed_es: - type: object + required: + - type + - saved_id + Security_Detections_API_SavedQueryRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields + - type: object properties: - deferred: - type: boolean - id: - type: string - type: - $ref: '#/components/schemas/Fleet_elasticsearch_asset_type' - installed_kibana: - type: object + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + required: + - language + Security_Detections_API_SavedQueryRuleUpdateProps: + allOf: + - type: object properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: - type: string - type: - $ref: '#/components/schemas/Fleet_kibana_saved_object_type' - latest_executed_state: - description: Latest successfully executed state in package install state machine - type: object - properties: - error: - type: string + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: - enum: - - create_restart_installation - - install_kibana_assets - - install_ilm_policies - - install_ml_model - - install_index_template_pipelines - - remove_legacy_templates - - update_current_write_indices - - install_transforms - - delete_previous_pipelines - - save_archive_entries_from_assets_map - - update_so - type: string - started_at: - type: string - latest_install_failed_attempts: - description: Latest failed install errors - items: - type: object - properties: - created_at: - type: string - error: - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - target_version: - type: string - type: array - name: - type: string - namespaces: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields + Security_Detections_API_SetAlertsStatusByIds: + type: object + properties: + signal_ids: items: - type: string + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + minItems: 1 type: array - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatus' + required: + - signal_ids + - status + Security_Detections_API_SetAlertsStatusByQuery: + type: object + properties: + conflicts: + default: abort enum: - - verified - - unverified - - unknown + - abort + - proceed type: string - version: + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Detections_API_AlertStatus' + required: + - query + - status + Security_Detections_API_SetAlertTags: + type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + tags_to_remove: + $ref: '#/components/schemas/Security_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Detections_API_SetupGuide: + type: string + Security_Detections_API_Severity: + description: Severity of the rule + enum: + - low + - medium + - high + - critical + type: string + Security_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Detections_API_SiemErrorResponse: + type: object + properties: + message: type: string + status_code: + type: integer required: - - installed_kibana - - installed_es - - name - - version - - install_status - - install_version - - install_started_at - - install_source - - verification_status - - latest_install_failed_attempts - Fleet_kibana_saved_object_type: + - status_code + - message + Security_Detections_API_SkippedAlertsIndexMigration: + type: object + properties: + index: + type: string + required: + - index + Security_Detections_API_SortOrder: enum: - - dashboard - - visualization - - search - - index-pattern - - map - - lens - - ml-module - - security-rule - - csp_rule_template - title: Kibana saved object asset type + - asc + - desc type: string - Fleet_new_package_policy: - description: '' + Security_Detections_API_Threat: + type: object properties: - description: + framework: + description: Relevant attack framework type: string - enabled: - type: boolean - inputs: + tactic: + $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) items: - type: object - properties: - config: - type: object - enabled: - type: boolean - processors: - items: - type: string - type: array - streams: - items: {} - type: array - type: - type: string - vars: - type: object - required: - - type - - enabled + $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' type: array - name: - type: string - namespace: - type: string - output_id: + required: + - framework + - tactic + Security_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Detections_API_Threat' + type: array + Security_Detections_API_ThreatFilters: + items: + description: >- + Query and filter context array used to filter documents from the + Elasticsearch index containing the threat values + type: array + Security_Detections_API_ThreatIndex: + items: + type: string + type: array + Security_Detections_API_ThreatIndicatorPath: + description: >- + Defines the path to the threat indicator in the indicator documents + (optional) + type: string + Security_Detections_API_ThreatMapping: + items: + type: object + properties: + entries: + items: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + type: + enum: + - mapping + type: string + value: + $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' + required: + - field + - type + - value + type: array + required: + - entries + minItems: 1 + type: array + Security_Detections_API_ThreatMatchRule: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields + Security_Detections_API_ThreatMatchRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + Security_Detections_API_ThreatMatchRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + Security_Detections_API_ThreatMatchRuleDefaultableFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_ThreatMatchRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' + concurrent_searches: + $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches' + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + items_per_search: + $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch' + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + threat_filters: + $ref: '#/components/schemas/Security_Detections_API_ThreatFilters' + threat_indicator_path: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath' + threat_language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_ThreatMatchRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threat_index: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' + threat_mapping: + $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' + type: + description: Rule type + enum: + - threat_match + type: string + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields + Security_Detections_API_ThreatMatchRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields + Security_Detections_API_ThreatMatchRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threat_index: + $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' + threat_mapping: + $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' + type: + description: Rule type + enum: + - threat_match type: string - overrides: - type: object - package: - type: object + required: + - type + - query + - threat_query + - threat_mapping + - threat_index + Security_Detections_API_ThreatMatchRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + required: + - language + Security_Detections_API_ThreatMatchRuleUpdateProps: + allOf: + - type: object properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: - type: string - requires_root: - type: boolean - title: - type: string + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: - type: string + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - - version - policy_id: - deprecated: true - nullable: true + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields + Security_Detections_API_ThreatQuery: + description: Query to run + type: string + Security_Detections_API_ThreatSubtechnique: + type: object + properties: + id: + description: Subtechnique ID + type: string + name: + description: Subtechnique name + type: string + reference: + description: Subtechnique reference type: string - policy_ids: - items: - type: string - type: array required: - - inputs + - id - name - title: New package policy - type: object - Fleet_output_create_request: - discriminator: - mapping: - elasticsearch: '#/components/schemas/Fleet_output_create_request_elasticsearch' - kafka: '#/components/schemas/Fleet_output_create_request_kafka' - logstash: '#/components/schemas/Fleet_output_create_request_logstash' - remote_elasticsearch: >- - #/components/schemas/Fleet_output_create_request_remote_elasticsearch - propertyName: type - oneOf: - - $ref: '#/components/schemas/Fleet_output_create_request_elasticsearch' - - $ref: '#/components/schemas/Fleet_output_create_request_kafka' - - $ref: '#/components/schemas/Fleet_output_create_request_logstash' - - $ref: >- - #/components/schemas/Fleet_output_create_request_remote_elasticsearch - title: Output - Fleet_output_create_request_elasticsearch: - title: elasticsearch + - reference + Security_Detections_API_ThreatTactic: type: object properties: - ca_sha256: + id: + description: Tactic ID type: string - ca_trusted_fingerprint: + name: + description: Tactic name type: string - config: - type: object - config_yaml: + reference: + description: Tactic reference type: string - hosts: - items: - type: string - type: array + required: + - id + - name + - reference + Security_Detections_API_ThreatTechnique: + type: object + properties: id: + description: Technique ID type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean name: + description: Technique name type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: + reference: + description: Technique reference type: string - shipper: - type: object + subtechnique: + description: Array containing more specific information on the attack technique + items: + $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique' + type: array + required: + - id + - name + - reference + Security_Detections_API_Threshold: + type: object + properties: + cardinality: + $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality' + field: + $ref: '#/components/schemas/Security_Detections_API_ThresholdField' + value: + $ref: '#/components/schemas/Security_Detections_API_ThresholdValue' + required: + - field + - value + Security_Detections_API_ThresholdAlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Detections_API_AlertSuppressionDuration + required: + - duration + Security_Detections_API_ThresholdCardinality: + items: + type: object + properties: + field: + type: string + value: + minimum: 0 + type: integer + required: + - field + - value + type: array + Security_Detections_API_ThresholdField: + description: Field to aggregate on + oneOf: + - type: string + - items: + type: string + type: array + Security_Detections_API_ThresholdRule: + allOf: + - type: object properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields + Security_Detections_API_ThresholdRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + Security_Detections_API_ThresholdRuleCreateProps: + allOf: + - type: object properties: - certificate: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + Security_Detections_API_ThresholdRuleDefaultableFields: + type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + Security_Detections_API_ThresholdRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Detections_API_ThresholdAlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Detections_API_DataViewId' + filters: + $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' + index: + $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' + saved_id: + $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' + Security_Detections_API_ThresholdRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold type: string - certificate_authorities: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields + Security_Detections_API_ThresholdRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRulePatchFields + Security_Detections_API_ThresholdRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold + type: string + required: + - type + - query + - threshold + Security_Detections_API_ThresholdRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields + - type: object + properties: + language: + $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' + required: + - language + Security_Detections_API_ThresholdRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleAction' + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' + building_block_type: + $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' + description: + $ref: '#/components/schemas/Security_Detections_API_RuleDescription' + enabled: + $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' + exceptions_list: + items: + $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Detections_API_RuleFalsePositiveArray + from: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' + id: + $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' + interval: + $ref: '#/components/schemas/Security_Detections_API_RuleInterval' + investigation_fields: + $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' + license: + $ref: '#/components/schemas/Security_Detections_API_RuleLicense' + max_signals: + $ref: '#/components/schemas/Security_Detections_API_MaxSignals' + meta: + $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' + name: + $ref: '#/components/schemas/Security_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Detections_API_AlertsIndexNamespace + note: + $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' + outcome: + $ref: >- + #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' + references: + $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' + related_integrations: + $ref: >- + #/components/schemas/Security_Detections_API_RelatedIntegrationArray + required_fields: items: - type: string + $ref: >- + #/components/schemas/Security_Detections_API_RequiredFieldInput type: array - key: - type: string + risk_score: + $ref: '#/components/schemas/Security_Detections_API_RiskScore' + risk_score_mapping: + $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' + rule_id: + $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' + rule_name_override: + $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' + setup: + $ref: '#/components/schemas/Security_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Detections_API_Severity' + severity_mapping: + $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' + tags: + $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' + threat: + $ref: '#/components/schemas/Security_Detections_API_ThreatArray' + throttle: + $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' + timeline_id: + $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' + timeline_title: + $ref: >- + #/components/schemas/Security_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' + version: + $ref: '#/components/schemas/Security_Detections_API_RuleVersion' + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields + Security_Detections_API_ThresholdValue: + description: Threshold value + minimum: 1 + type: integer + Security_Detections_API_ThrottleForBulkActions: + description: >- + The condition for throttling the notification: 'rule', 'no_actions', or + time duration + enum: + - rule + - 1h + - 1d + - 7d + type: string + Security_Detections_API_TiebreakerField: + description: Sets a secondary field for sorting events + type: string + Security_Detections_API_TimelineTemplateId: + description: Timeline template ID + type: string + Security_Detections_API_TimelineTemplateTitle: + description: Timeline template title + type: string + Security_Detections_API_TimestampField: + description: Contains the event timestamp used for sorting a sequence of events + type: string + Security_Detections_API_TimestampOverride: + description: Sets the time field used to query indices + type: string + Security_Detections_API_TimestampOverrideFallbackDisabled: + description: Disables the fallback to the event's @timestamp field + type: boolean + Security_Detections_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Detections_API_WarningSchema: + type: object + properties: + actionPath: + type: string + buttonLabel: + type: string + message: + type: string type: - enum: - - elasticsearch type: string required: - - name - Fleet_output_create_request_kafka: - title: kafka + - type + - message + - actionPath + Security_Endpoint_Exceptions_API_EndpointList: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList' + - additionalProperties: false + type: object + Security_Endpoint_Exceptions_API_EndpointListItem: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' + Security_Endpoint_Exceptions_API_ExceptionList: type: object properties: - auth_type: + _version: type: string - broker_timeout: - type: number - ca_sha256: + created_at: + format: date-time type: string - ca_trusted_fingerprint: + created_by: type: string - client_id: + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId + immutable: + type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags + tie_breaker_id: type: string - compression: + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType + updated_at: + format: date-time type: string - compression_level: - type: number - config: - type: object - config_yaml: + updated_by: type: string - connection_type: - enum: - - plaintext - - encryption + version: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Endpoint_Exceptions_API_ExceptionListDescription: + type: string + Security_Endpoint_Exceptions_API_ExceptionListHumanId: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + description: Human readable string identifier, e.g. `trusted-linux-processes` + Security_Endpoint_Exceptions_API_ExceptionListId: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: type: string - headers: - items: - type: object - properties: - key: - type: string - value: - type: string - type: array - hosts: - items: - type: string - type: array - id: + comments: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - key: + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time type: string + id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta name: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags + tie_breaker_id: type: string - partition: + type: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType + updated_at: + format: date-time type: string - password: + updated_by: type: string - proxy_id: + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Endpoint_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + created_at: + format: date-time type: string - random: - type: object - properties: - group_events: - type: number - required_acks: - type: number - round_robin: - type: object - properties: - group_events: - type: number - sasl: - type: object - properties: - mechanism: - type: string - secrets: - type: object - properties: - password: - type: string - ssl: - type: object - properties: - key: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - verification_mode: - enum: - - none - - full - - certificate - - strict - type: string - timeout: - type: number - topic: + created_by: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + updated_at: + format: date-time + type: string + updated_by: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists type: string - topics: - deprecated: true - description: Use topic instead. + required: + - type + - field + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + list: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType' + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: items: - type: object - properties: - topic: - type: string - when: - deprecated: true - description: >- - Deprecated, kafka output do not support conditionnal topics - anymore. - type: object - properties: - condition: - type: string - type: - type: string + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString + minItems: 1 type: array + required: + - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator type: enum: - - kafka - type: string - username: + - wildcard type: string - version: + value: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + type: + enum: + - nested type: string required: - - name - type - - topics - - auth_type - - hosts - Fleet_output_create_request_logstash: - title: logstash + - field + - entries + Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists + Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ExceptionListItemId: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Endpoint_Exceptions_API_ExceptionListItemName: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemTags: + items: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + type: array + Security_Endpoint_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Endpoint_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Endpoint_Exceptions_API_ExceptionListName: + type: string + Security_Endpoint_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Endpoint_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Endpoint_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Endpoint_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Endpoint_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + enum: + - agnostic + - single + type: string + Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ListId: + $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' + Security_Endpoint_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Endpoint_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Endpoint_Exceptions_API_PlatformErrorResponse: type: object properties: - ca_sha256: + error: type: string - ca_trusted_fingerprint: + message: type: string - config: - type: object - config_yaml: + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Endpoint_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: type: string - hosts: - items: + status_code: + type: integer + required: + - status_code + - message + Security_Endpoint_Management_API_ActionLogRequestQuery: + type: object + properties: + end_date: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + page: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + page_size: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + start_date: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + Security_Endpoint_Management_API_ActionStateSuccessResponse: + type: object + properties: + body: + type: object + properties: + data: + type: object + properties: + canEncrypt: + type: boolean + required: + - data + required: + - body + Security_Endpoint_Management_API_ActionStatusSuccessResponse: + type: object + properties: + body: + type: object + properties: + data: + type: object + properties: + agent_id: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_AgentId + pending_actions: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema + required: + - agent_id + - pending_actions + required: + - data + required: + - body + Security_Endpoint_Management_API_AgentId: + description: Agent ID + type: string + Security_Endpoint_Management_API_AgentIds: + minLength: 1 + oneOf: + - items: + minLength: 1 type: string + maxItems: 50 + minItems: 1 type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: + - minLength: 1 type: string - proxy_id: + Security_Endpoint_Management_API_AgentTypes: + enum: + - endpoint + - sentinel_one + - crowdstrike + type: string + Security_Endpoint_Management_API_AlertIds: + description: A list of alerts ids. + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_NonEmptyString' + minItems: 1 + type: array + Security_Endpoint_Management_API_CaseIds: + description: Case IDs to be updated (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Endpoint_Management_API_Command: + description: The command to be executed (cannot be an empty string) + enum: + - isolate + - unisolate + - kill-process + - suspend-process + - running-processes + - get-file + - execute + - upload + - scan + minLength: 1 + type: string + Security_Endpoint_Management_API_Commands: + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' + type: array + Security_Endpoint_Management_API_Comment: + description: Optional comment + type: string + Security_Endpoint_Management_API_EndDate: + description: End date + type: string + Security_Endpoint_Management_API_EndpointIds: + description: List of endpoint IDs (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Endpoint_Management_API_EntityId: + type: object + properties: + entity_id: + minLength: 1 type: string - secrets: - type: object + Security_Endpoint_Management_API_ExecuteRouteRequestBody: + allOf: + - type: object properties: - ssl: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: type: object properties: - key: + command: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Command + timeout: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_Timeout + required: + - command + required: + - parameters + Security_Endpoint_Management_API_GetEndpointActionListRouteQuery: + type: object + properties: + agentIds: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + agentTypes: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + commands: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + endDate: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + page: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + startDate: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + types: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' + userIds: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + withOutputs: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + Security_Endpoint_Management_API_GetFileRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: type: string - shipper: - type: object + required: + - path + required: + - parameters + Security_Endpoint_Management_API_GetProcessesRouteRequestBody: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema + Security_Endpoint_Management_API_IsolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema + Security_Endpoint_Management_API_KillProcessRouteRequestBody: + allOf: + - type: object properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - logstash - type: string - required: - - name - - hosts - - type - Fleet_output_create_request_remote_elasticsearch: - title: remote_elasticsearch + parameters: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EntityId + - type: object + properties: + process_name: + description: Valid for SentinelOne agent type only + minLength: 1 + type: string + required: + - parameters + Security_Endpoint_Management_API_ListRequestQuery: type: object properties: - hosts: + hostStatuses: items: + enum: + - healthy + - offline + - updating + - inactive + - unenrolled type: string type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: + kuery: + nullable: true type: string - secrets: - type: object - properties: - service_token: - type: string - service_token: + page: + default: 0 + description: Page number + minimum: 0 + type: integer + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + sortDirection: + enum: + - asc + - desc + nullable: true type: string - type: + sortField: enum: - - remote_elasticsearch + - enrolled_at + - metadata.host.hostname + - host_status + - metadata.Endpoint.policy.applied.name + - metadata.Endpoint.policy.applied.status + - metadata.host.os.name + - metadata.host.ip + - metadata.agent.version + - last_checkin type: string required: - - name - Fleet_output_update_request: - discriminator: - mapping: - elasticsearch: '#/components/schemas/Fleet_output_update_request_elasticsearch' - kafka: '#/components/schemas/Fleet_output_update_request_kafka' - logstash: '#/components/schemas/Fleet_output_update_request_logstash' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Fleet_output_update_request_elasticsearch' - - $ref: '#/components/schemas/Fleet_output_update_request_kafka' - - $ref: '#/components/schemas/Fleet_output_update_request_logstash' - title: Output - Fleet_output_update_request_elasticsearch: - title: elasticsearch + - hostStatuses + Security_Endpoint_Management_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Endpoint_Management_API_NoParametersRequestSchema: type: object properties: - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - config: - type: object - config_yaml: - type: string - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: + body: type: object properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - elasticsearch - type: string + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids required: - - name - - hosts - - type - Fleet_output_update_request_kafka: - title: kafka + - body + Security_Endpoint_Management_API_Page: + default: 1 + description: Page number + minimum: 1 + type: integer + Security_Endpoint_Management_API_PageSize: + default: 10 + description: Number of items per page + maximum: 100 + minimum: 1 + type: integer + Security_Endpoint_Management_API_Parameters: + description: Optional parameters object type: object - properties: - auth_type: - type: string - broker_timeout: - type: number - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - client_id: - type: string - compression: - type: string - compression_level: - type: number - config: + Security_Endpoint_Management_API_PendingActionDataType: + type: integer + Security_Endpoint_Management_API_PendingActionsSchema: + oneOf: + - type: object + properties: + execute: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + get-file: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + isolate: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + kill-process: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + running-processes: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + scan: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + suspend-process: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + unisolate: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + upload: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType + - additionalProperties: true type: object - config_yaml: - type: string - connection_type: - enum: - - plaintext - - encryption + Security_Endpoint_Management_API_Pid: + type: object + properties: + pid: + minimum: 1 + type: integer + Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: + type: object + properties: + note: type: string - headers: - items: - type: object - properties: - key: - type: string - value: - type: string - type: array - hosts: - items: + Security_Endpoint_Management_API_ScanRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Endpoint_Management_API_StartDate: + description: Start date + type: string + Security_Endpoint_Management_API_SuccessResponse: + type: object + properties: {} + Security_Endpoint_Management_API_SuspendProcessRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' + - $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EntityId + required: + - parameters + Security_Endpoint_Management_API_Timeout: + description: The maximum timeout value in milliseconds (optional) + minimum: 1 + type: integer + Security_Endpoint_Management_API_Type: + description: Type of response action + enum: + - automated + - manual + type: string + Security_Endpoint_Management_API_Types: + description: List of types of response actions + items: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' + maxLength: 2 + minLength: 1 + type: array + Security_Endpoint_Management_API_UnisolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema + Security_Endpoint_Management_API_UploadRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: >- + #/components/schemas/Security_Endpoint_Management_API_EndpointIds + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids + - type: object + properties: + file: + format: binary + type: string + parameters: + type: object + properties: + overwrite: + default: false + type: boolean + required: + - parameters + - file + Security_Endpoint_Management_API_UserIds: + description: User IDs + oneOf: + - items: + minLength: 1 type: string + minItems: 1 type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - key: - type: string - name: - type: string - partition: - type: string - password: + - minLength: 1 type: string - proxy_id: + Security_Endpoint_Management_API_WithOutputs: + description: Shows detailed outputs for an action response + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 type: string - random: - type: object - properties: - group_events: - type: number - required_acks: - type: number - round_robin: - type: object + Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: + type: object + properties: + index: + type: integer + message: + type: string + required: + - message + - index + Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats: + type: object + properties: + failed: + type: integer + successful: + type: integer + total: + type: integer + required: + - successful + - failed + - total + Security_Entity_Analytics_API_AssetCriticalityLevel: + description: The criticality level of the asset. + enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + Security_Entity_Analytics_API_AssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts + - type: object properties: - group_events: - type: number - sasl: + '@timestamp': + description: The time the record was created or updated. + example: '2017-07-21T17:32:28Z' + format: date-time + type: string + required: + - '@timestamp' + Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts: + type: object + properties: + asset: type: object properties: - mechanism: - type: string - shipper: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - asset + host: type: object properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: + asset: + type: object + properties: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + name: type: string - loadbalance: - type: boolean - ssl: + required: + - name + user: type: object properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - verification_mode: - enum: - - none - - full - - certificate - - strict + asset: + type: object + properties: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + name: type: string - timeout: - type: number - topic: + required: + - name + required: + - asset + Security_Entity_Analytics_API_AssetCriticalityRecordIdParts: + type: object + properties: + id_field: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' + description: The field representing the ID. + example: host.name + id_value: + description: The ID value of the asset. type: string - topics: - deprecated: true - description: Use topic instead. + required: + - id_value + - id_field + Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse: + type: object + properties: + cleanup_successful: + example: false + type: boolean + errors: items: type: object properties: - topic: + error: type: string - when: - deprecated: true - description: >- - Deprecated, kafka output do not support conditionnal topics - anymore. - type: object - properties: - condition: - type: string - type: - type: string + seq: + type: integer + required: + - seq + - error type: array - type: - enum: - - kafka - type: string - username: - type: string - version: - type: string required: - - name - Fleet_output_update_request_logstash: - title: logstash + - cleanup_successful + - errors + Security_Entity_Analytics_API_CreateAssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts + - type: object + properties: + criticality_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality_level + Security_Entity_Analytics_API_EngineDescriptor: type: object properties: - ca_sha256: + filter: type: string - ca_trusted_fingerprint: + indexPattern: + $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' + status: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' + type: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' + Security_Entity_Analytics_API_EngineStatus: + enum: + - installing + - started + - stopped + type: string + Security_Entity_Analytics_API_Entity: + oneOf: + - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' + - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' + Security_Entity_Analytics_API_EntityRiskLevels: + enum: + - Unknown + - Low + - Moderate + - High + - Critical + type: string + Security_Entity_Analytics_API_EntityRiskScoreRecord: + type: object + properties: + '@timestamp': + description: The time at which the risk score was calculated. + example: '2017-07-21T17:32:28Z' + format: date-time type: string - config: - type: object - config_yaml: + calculated_level: + $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' + description: Lexical description of the entity's risk. + example: Critical + calculated_score: + description: The raw numeric value of the given entity's risk score. + format: double + type: number + calculated_score_norm: + description: >- + The normalized numeric value of the given entity's risk score. + Useful for comparing with other entities. + format: double + maximum: 100 + minimum: 0 + type: number + category_1_count: + description: >- + The number of risk input documents that contributed to the Category + 1 score (`category_1_score`). + format: integer + type: number + category_1_score: + description: >- + The contribution of Category 1 to the overall risk score + (`calculated_score`). Category 1 contains Detection Engine Alerts. + format: double + type: number + category_2_count: + format: integer + type: number + category_2_score: + format: double + type: number + criticality_level: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + criticality_modifier: + format: double + type: number + id_field: + description: >- + The identifier field defining this risk score. Coupled with + `id_value`, uniquely identifies the entity being scored. + example: host.name type: string - hosts: + id_value: + description: >- + The identifier value defining this risk score. Coupled with + `id_field`, uniquely identifies the entity being scored. + example: example.host + type: string + inputs: + description: >- + A list of the highest-risk documents contributing to this risk + score. Useful for investigative purposes. + items: + $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' + type: array + notes: items: type: string type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - type: string - shipper: + required: + - '@timestamp' + - id_field + - id_value + - calculated_level + - calculated_score + - calculated_score_norm + - category_1_score + - category_1_count + - inputs + - notes + Security_Entity_Analytics_API_EntityType: + enum: + - user + - host + type: string + Security_Entity_Analytics_API_HostEntity: + type: object + properties: + asset: type: object properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + entity: type: object properties: - certificate: + definitionId: type: string - certificate_authorities: + definitionVersion: + type: string + displayName: + type: string + firstSeenTimestamp: + format: date-time + type: string + id: + type: string + identityFields: items: type: string type: array - key: + lastSeenTimestamp: + format: date-time type: string - type: - enum: - - logstash - type: string - required: - - name - Fleet_package_info: - title: Package information - type: object - properties: - assets: - items: - type: string - type: array - categories: - items: - type: string - type: array - conditions: + schemaVersion: + type: string + source: + type: string + type: + enum: + - node + type: string + required: + - lastSeenTimestamp + - schemaVersion + - definitionVersion + - displayName + - identityFields + - id + - type + - firstSeenTimestamp + - definitionId + host: type: object properties: - elasticsearch: - type: object - properties: - subscription: - enum: - - basic - - gold - - platinum - - enterprise - type: string - kibana: - type: object - properties: - versions: - type: string - data_streams: - items: - type: object - properties: - ingeset_pipeline: + architecture: + items: type: string - name: + type: array + domain: + items: type: string - package: + type: array + hostname: + items: type: string - release: + type: array + id: + items: type: string - title: + type: array + ip: + items: type: string - type: + type: array + mac: + items: type: string - vars: - items: - type: object - properties: - default: - type: string - name: - type: string - required: - - name - - default - type: array - required: - - title - - name - - release - - ingeset_pipeline - - type - - package - type: array - description: - type: string - download: - type: string - elasticsearch: - type: object - properties: - privileges: - type: object - properties: - cluster: - items: - type: string - type: array - format_version: - type: string - icons: + type: array + name: + type: string + risk: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + type: + items: + type: string + type: array + required: + - name + Security_Entity_Analytics_API_IdField: + enum: + - host.name + - user.name + type: string + Security_Entity_Analytics_API_IndexPattern: + type: string + Security_Entity_Analytics_API_InspectQuery: + type: object + properties: + dsl: items: type: string type: array - internal: - type: boolean - name: - type: string - path: - type: string - readme: - type: string - release: - deprecated: true - description: >- - release label is deprecated, derive from the version instead - (packages follow semver) - enum: - - experimental - - beta - - ga - type: string - screenshots: + response: items: - type: object - properties: - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - - path + type: string type: array - source: - type: object - properties: - license: - enum: - - Apache-2.0 - - Elastic-2.0 - type: string - title: - type: string - type: + required: + - dsl + - response + Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: + type: object + properties: + full_error: type: string - version: + message: type: string required: - - name - - title - - version - - description - - type - - categories - - conditions - - assets - - format_version - - download - - path - Fleet_package_policy: - allOf: - - type: object - properties: - id: - type: string - inputs: - oneOf: - - items: {} - type: array - - type: object - revision: - type: number - required: - - id - - revision - - $ref: '#/components/schemas/Fleet_new_package_policy' - title: Package policy - Fleet_package_policy_request: - title: Package Policy Request + - message + - full_error + Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: type: object properties: + success: + type: boolean + Security_Entity_Analytics_API_RiskScoreInput: + description: A generic representation of a document contributing to a Risk Score. + type: object + properties: + category: + description: The risk category of the risk input document. + example: category_1 + type: string + contribution_score: + format: double + type: number description: - description: Package policy description - example: my description + description: A human-readable description of the risk input document. + example: 'Generated from Detection Engine Rule: Malware Prevention Alert' type: string - force: - description: >- - Force package policy creation even if package is not verified, or if - the agent policy is managed. - type: boolean id: - description: Package policy unique identifier + description: The unique identifier (`_id`) of the original source document + example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c type: string - inputs: - additionalProperties: - type: object - properties: - enabled: - description: enable or disable that input, (default to true) - type: boolean - streams: - additionalProperties: - type: object - properties: - enabled: - description: enable or disable that stream, (default to true) - type: boolean - vars: - description: >- - Stream level variable (see integration documentation for - more information) - type: object - description: >- - Input streams (see integration documentation to know what - streams are available) - type: object - vars: - description: >- - Input level variable (see integration documentation for more - information) - type: object - description: >- - Package policy inputs (see integration documentation to know what - inputs are available) - example: - nginx-logfile: - enabled: true - streams: - nginx.access: - enabled: true - vars: - ignore_older: 72h - paths: - - /var/log/nginx/access.log* - preserve_original_event: false - tags: - - nginx-access - type: object - name: - description: Package policy name (should be unique) - example: nginx-123 + index: + description: The unique index (`_index`) of the original source document + example: .internal.alerts-security.alerts-default-000001 type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. - example: customnamespace + risk_score: + description: The weighted risk score of the risk input document. + format: double + maximum: 100 + minimum: 0 + type: number + timestamp: + description: The @timestamp of the risk input document. + example: '2017-07-21T17:32:28Z' type: string - output_id: - description: Output ID to send package data to - example: output-id - nullable: true + required: + - id + - index + - description + - category + Security_Entity_Analytics_API_TaskManagerUnavailableResponse: + description: Task manager is unavailable + type: object + properties: + message: type: string - overrides: - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + Security_Entity_Analytics_API_UserEntity: + type: object + properties: + asset: type: object properties: - inputs: - type: object - package: + criticality: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality + entity: + type: object + properties: + definitionId: + type: string + definitionVersion: + type: string + displayName: + type: string + firstSeenTimestamp: + format: date-time + type: string + id: + type: string + identityFields: + items: + type: string + type: array + lastSeenTimestamp: + format: date-time + type: string + schemaVersion: + type: string + source: + type: string + type: + enum: + - node + type: string + required: + - lastSeenTimestamp + - schemaVersion + - definitionVersion + - displayName + - identityFields + - id + - type + - firstSeenTimestamp + - definitionId + - source + user: type: object properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array name: - description: Package name - example: nginx - type: string - version: - description: Package version - example: 1.6.0 type: string + risk: + $ref: >- + #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord + roles: + items: + type: string + type: array required: - name - - version - policy_id: - deprecated: true - description: Agent policy ID where that package policy will be added - example: agent-policy-id - nullable: true - type: string - policy_ids: - description: Agent policy IDs where that package policy will be added - example: - - agent-policy-id - items: - type: string - type: array - vars: - description: >- - Package root level variable (see integration documentation for more - information) - type: object + Security_Exceptions_API_CreateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - - name - - package - Fleet_package_usage_stats: - title: Package usage stats + - comment + Security_Exceptions_API_CreateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment + type: array + Security_Exceptions_API_CreateRuleExceptionListItemComment: type: object properties: - agent_policy_count: - type: integer + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - - agent_policy_count - Fleet_proxies: - title: Fleet Proxy + - comment + Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment + type: array + Security_Exceptions_API_CreateRuleExceptionListItemProps: type: object properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: - type: string - id: + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time type: string + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: - type: string - proxy_headers: - type: object - url: - type: string + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + default: single + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + default: [] + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: + - type - name - - url - Fleet_saved_object_type: - oneOf: - - enum: - - dashboard - - visualization - - search - - index_pattern - - map - - lens - - security_rule - - csp_rule_template - - ml_module - - tag - - osquery_pack_asset - - osquery_saved_query - type: string - - enum: - - index - - component_template - - ingest_pipeline - - index_template - - ilm_policy - - transform - - data_stream_ilm_policy - - ml_model - type: string - title: Saved Object type - Fleet_search_result: - title: Search result + - description + - entries + Security_Exceptions_API_ExceptionList: type: object properties: - description: + _version: type: string - download: + created_at: + format: date-time type: string - icons: + created_by: type: string - installationInfo: - $ref: '#/components/schemas/Fleet_installation_info' + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListDescription + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + immutable: + type: boolean + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: - type: string - path: - type: string - savedObject: - deprecated: true - type: object - status: - type: string - title: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' + tie_breaker_id: type: string type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' + updated_at: + format: date-time type: string - version: + updated_by: type: string + version: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' required: - - description - - download - - icons - - name - - path - - title + - id + - list_id - type + - name + - description + - immutable + - namespace_type - version - - status - Fleet_settings: - title: Settings + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Exceptions_API_ExceptionListDescription: + type: string + Security_Exceptions_API_ExceptionListHumanId: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + description: Human readable string identifier, e.g. `trusted-linux-processes` + Security_Exceptions_API_ExceptionListId: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_ExceptionListItem: type: object properties: - fleet_server_hosts: - deprecated: true - items: - type: string - type: array - has_seen_add_data_notice: - type: boolean + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + meta: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' + name: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' + namespace_type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' + os_types: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' + updated_at: + format: date-time + type: string + updated_by: type: string - prerelease_integrations_enabled: - type: boolean required: - - fleet_server_hosts - id - Fleet_upgrade_agent: - title: Upgrade agent + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Exceptions_API_ExceptionListItemComment: type: object properties: - force: - description: Force upgrade, skipping validation (should be used with caution) - type: boolean - skipRateLimitCheck: - description: Skip rate limit check for upgrade - type: boolean - source_uri: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + created_at: + format: date-time type: string - version: + created_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + updated_at: + format: date-time type: string + updated_by: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - - version - Fleet_upgrade_agent_diff: + - id + - comment + - created_at + - created_by + Security_Exceptions_API_ExceptionListItemCommentArray: items: - items: - $ref: '#/components/schemas/Fleet_full_agent_policy_input' - type: array - title: Package policy Upgrade dryrun + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' type: array - Fleet_upgrade_diff: + Security_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Exceptions_API_ExceptionListItemEntryArray: items: - allOf: - - $ref: '#/components/schemas/Fleet_package_policy' - - allOf: - - $ref: '#/components/schemas/Fleet_new_package_policy' - - type: object - properties: - errors: - items: - type: object - properties: - key: - type: string - message: - type: string - type: array - missingVars: - items: - type: string - type: array - type: object - title: Package policy Upgrade dryrun + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' type: array - Kibana_HTTP_APIs_core_status_redactedResponse: - additionalProperties: false - description: A minimal representation of Kibana's operational status. + Security_Exceptions_API_ExceptionListItemEntryExists: type: object properties: - status: - additionalProperties: false - type: object - properties: - overall: - additionalProperties: false - type: object - properties: - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - required: - - level - required: - - overall + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string required: - - status - Kibana_HTTP_APIs_core_status_response: - additionalProperties: false - description: >- - Kibana's operational status as well as a detailed breakdown of plugin - statuses indication of various loads (like event loop utilization and - network traffic) at time of request. + - type + - field + - operator + Security_Exceptions_API_ExceptionListItemEntryList: type: object properties: - metrics: - additionalProperties: false - description: Metric groups collected by Kibana. - type: object - properties: - collection_interval_in_millis: - description: The interval at which metrics should be collected. - type: number - elasticsearch_client: - additionalProperties: false - description: Current network metrics of Kibana's Elasticsearch client. - type: object - properties: - totalActiveSockets: - description: Count of network sockets currently in use. - type: number - totalIdleSockets: - description: Count of network sockets currently idle. - type: number - totalQueuedRequests: - description: Count of requests not yet assigned to sockets. - type: number - required: - - totalActiveSockets - - totalIdleSockets - - totalQueuedRequests - last_updated: - description: The time metrics were collected. - type: string - required: - - elasticsearch_client - - last_updated - - collection_interval_in_millis - name: - description: Kibana instance name. - type: string - status: - additionalProperties: false + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + list: type: object properties: - core: - additionalProperties: false - description: Statuses of core Kibana services. - type: object - properties: - elasticsearch: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: >- - An unstructured set of extra metadata about this - service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - savedObjects: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: >- - An unstructured set of extra metadata about this - service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - required: - - elasticsearch - - savedObjects - overall: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - plugins: - additionalProperties: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - description: A dynamic mapping of plugin ID to plugin status. - type: object + id: + $ref: '#/components/schemas/Security_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Exceptions_API_ListType' required: - - overall - - core - - plugins - uuid: - description: >- - Unique, generated Kibana instance UUID. This UUID should persist - even if the Kibana process restarts. + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list type: string - version: - additionalProperties: false + required: + - type + - field + - list + - operator + Security_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists + Security_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Exceptions_API_ExceptionListItemHumanId: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_ExceptionListItemId: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Exceptions_API_ExceptionListItemName: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListItemTags: + items: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + type: array + Security_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Exceptions_API_ExceptionListName: + type: string + Security_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' + type: array + Security_Exceptions_API_ExceptionListsImportBulkError: + type: object + properties: + error: type: object properties: - build_date: - description: The date and time of this build. - type: string - build_flavor: - description: >- - The build flavour determines configuration and behavior of - Kibana. On premise users will almost always run the - "traditional" flavour, while other flavours are reserved for - Elastic-specific use cases. - enum: - - serverless - - traditional - type: string - build_hash: - description: >- - A unique hash value representing the git commit of this Kibana - build. - type: string - build_number: - description: >- - A monotonically increasing number, each subsequent build will - have a higher number. - type: number - build_snapshot: - description: Whether this build is a snapshot build. - type: boolean - number: - description: A semantic version number. + message: type: string + status_code: + type: integer required: - - number - - build_hash - - build_number - - build_snapshot - - build_flavor - - build_date + - status_code + - message + id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' + item_id: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' + required: + - error + Security_Exceptions_API_ExceptionListsImportBulkErrorArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError + type: array + Security_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + enum: + - agnostic + - single + type: string + Security_Exceptions_API_FindExceptionListItemsFilter: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_FindExceptionListsFilter: + type: string + Security_Exceptions_API_ListId: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + Security_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Exceptions_API_UUID' + Security_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Exceptions_API_UpdateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' + required: + - comment + Security_Exceptions_API_UpdateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment + type: array + Security_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Lists_API_FindListItemsCursor: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_FindListItemsFilter: + type: string + Security_Lists_API_FindListsCursor: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_FindListsFilter: + type: string + Security_Lists_API_List: + type: object + properties: + _version: + type: string + '@timestamp': + format: date-time + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: '#/components/schemas/Security_Lists_API_ListDescription' + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + immutable: + type: boolean + meta: + $ref: '#/components/schemas/Security_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Lists_API_ListName' + serializer: + type: string + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + minimum: 1 + type: integer required: + - id + - type - name - - uuid + - description + - immutable - version - - status - - metrics - Machine_learning_APIs_mlSync200Response: + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListDescription: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_ListId: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_ListItem: + type: object properties: - datafeedsAdded: + _version: + type: string + '@timestamp': + format: date-time + type: string + created_at: + format: date-time + type: string + created_by: + type: string + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' + serializer: + type: string + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Lists_API_ListType' + updated_at: + format: date-time + type: string + updated_by: + type: string + value: + $ref: '#/components/schemas/Security_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Lists_API_ListItemId: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_ListItemMetadata: + additionalProperties: true + type: object + Security_Lists_API_ListItemPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListItemValue: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_ListMetadata: + additionalProperties: true + type: object + Security_Lists_API_ListName: + $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' + Security_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. + type: boolean type: object - datafeedsRemoved: + has_all_requested: + type: boolean + index: additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. + additionalProperties: + type: boolean + type: object type: object - savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated - savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted - title: Successful sync API response + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Lists_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Lists_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Lists_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Lists_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Osquery_API_ArrayQueries: + items: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' + type: array + Security_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_Id' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_CreateLiveQueryRequestBody: + type: object + properties: + agent_all: + type: boolean + agent_ids: + items: + type: string + type: array + agent_platforms: + items: + type: string + type: array + agent_policy_ids: + items: + type: string + type: array + alert_ids: + items: + type: string + type: array + case_ids: + items: + type: string + type: array + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + event_ids: + items: + type: string + type: array + metadata: + nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + Security_Osquery_API_CreatePacksRequestBody: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + name: + $ref: '#/components/schemas/Security_Osquery_API_PackName' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_CreateSavedQueryRequestBody: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + platform: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_DefaultSuccessResponse: + type: object + properties: {} + Security_Osquery_API_Description: + type: string + Security_Osquery_API_DescriptionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Description' + nullable: true + Security_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' + type: object + Security_Osquery_API_ECSMappingItem: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + Security_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' + nullable: true + Security_Osquery_API_Enabled: + type: boolean + Security_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Enabled' + nullable: true + Security_Osquery_API_FindLiveQueryRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + pageSize: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + sort: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + sortOrder: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + Security_Osquery_API_FindPacksRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + pageSize: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + sort: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + sortOrder: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + Security_Osquery_API_FindSavedQueryRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + pageSize: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + sort: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + sortOrder: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + Security_Osquery_API_GetLiveQueryResultsRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' + pageSize: + $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' + sort: + $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' + sortOrder: + $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' + Security_Osquery_API_Id: + type: string + Security_Osquery_API_Interval: + type: string + Security_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Interval' + nullable: true + Security_Osquery_API_KueryOrUndefined: + nullable: true + type: string + Security_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' + type: object + Security_Osquery_API_ObjectQueriesItem: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_Id' + platform: + $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_Query' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + saved_query_id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_PackId: + type: string + Security_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + nullable: true + Security_Osquery_API_PackName: + type: string + Security_Osquery_API_PageOrUndefined: + nullable: true + type: integer + Security_Osquery_API_PageSizeOrUndefined: + nullable: true + type: integer + Security_Osquery_API_Platform: + type: string + Security_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Platform' + nullable: true + Security_Osquery_API_PolicyIds: + items: + type: string + type: array + Security_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' + nullable: true + Security_Osquery_API_Query: + type: string + Security_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Query' + nullable: true + Security_Osquery_API_Removed: + type: boolean + Security_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Removed' + nullable: true + Security_Osquery_API_SavedQueryId: + type: string + Security_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + nullable: true + Security_Osquery_API_Shards: + additionalProperties: + type: number + type: object + Security_Osquery_API_Snapshot: + type: boolean + Security_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Snapshot' + nullable: true + Security_Osquery_API_SortOrderOrUndefined: + oneOf: + - nullable: true + type: string + - enum: + - asc + - desc + Security_Osquery_API_SortOrUndefined: + nullable: true + type: string + Security_Osquery_API_UpdatePacksRequestBody: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + enabled: + $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_PackId' + policy_ids: + $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' + queries: + $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Osquery_API_Shards' + Security_Osquery_API_UpdateSavedQueryRequestBody: + type: object + properties: + description: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + ecs_mapping: + $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' + id: + $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' + platform: + $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' + query: + $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' + removed: + $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' + snapshot: + $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' + version: + $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' + Security_Osquery_API_Version: + type: string + Security_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Osquery_API_Version' + nullable: true + Security_Timeline_API_BareNote: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + eventId: + nullable: true + type: string + note: + nullable: true + type: string + timelineId: + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + required: + - timelineId + Security_Timeline_API_BarePinnedEvent: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + eventId: + type: string + timelineId: + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + required: + - eventId + - timelineId + Security_Timeline_API_ColumnHeaderResult: + type: object + properties: + aggregatable: + nullable: true + type: boolean + category: + nullable: true + type: string + columnHeaderType: + nullable: true + type: string + description: + nullable: true + type: string + example: + nullable: true + type: string + id: + nullable: true + type: string + indexes: + items: + type: string + nullable: true + type: array + name: + nullable: true + type: string + placeholder: + nullable: true + type: string + searchable: + nullable: true + type: boolean + type: + nullable: true + type: string + Security_Timeline_API_DataProviderQueryMatch: + type: object + properties: + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderResult: type: object - Machine_learning_APIs_mlSync4xxResponse: properties: - error: - example: Unauthorized + and: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true type: string + queryMatch: + $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' + nullable: true + Security_Timeline_API_DataProviderType: + description: >- + The type of data provider to create. Valid values are `default` and + `template`. + enum: + - default + - template + type: string + Security_Timeline_API_DocumentIds: + oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + code: + nullable: true + type: number + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + type: array message: + nullable: true type: string - statusCode: - example: 401 - type: integer - title: Unsuccessful sync API response + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + version: + type: string + required: + - savedObjectId + - version + Security_Timeline_API_FavoriteTimelineResult: type: object - Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for anomaly detection jobs + favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Timeline_API_FilterTimelineResult: type: object - Machine_learning_APIs_mlSyncResponseDatafeeds: - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for datafeeds + exists: + nullable: true + type: string + match_all: + nullable: true + type: string + meta: + nullable: true + type: object + properties: + alias: + nullable: true + type: string + controlledBy: + nullable: true + type: string + disabled: + nullable: true + type: boolean + field: + nullable: true + type: string + formattedValue: + nullable: true + type: string + index: + nullable: true + type: string + key: + nullable: true + type: string + negate: + nullable: true + type: boolean + params: + nullable: true + type: string + type: + nullable: true + type: string + value: + nullable: true + type: string + missing: + nullable: true + type: string + query: + nullable: true + type: string + range: + nullable: true + type: string + script: + nullable: true + type: string + Security_Timeline_API_GetNotesResult: type: object - Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for data frame analytics jobs + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + type: array + totalCount: + type: number + required: + - totalCount + - notes + Security_Timeline_API_ImportTimelineResult: type: object - Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. properties: - anomaly-detector: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. - type: object - data-frame-analytics: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. - type: object - trained-model: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: If saved objects are missing for trained models, they are created. + errors: + items: + type: object + properties: + error: + type: object + properties: + message: + type: string + status_code: + type: number + id: + type: string + type: array + success: + type: boolean + success_count: + type: number + timelines_installed: + type: number + timelines_updated: + type: number + Security_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + globalNotes: + items: + $ref: '#/components/schemas/Security_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - savedObjectId + - version + - pinnedEventIds + - eventNotes + - globalNotes + Security_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BareNote' + - type: object + properties: + noteId: + type: string + version: + type: string + required: + - noteId + - version + Security_Timeline_API_PersistPinnedEventResponse: + oneOf: + - allOf: + - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + - $ref: >- + #/components/schemas/Security_Timeline_API_PinnedEventBaseResponseBody + - nullable: true type: object - title: Sync API response for created saved objects + Security_Timeline_API_PersistTimelineResponse: type: object - Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. properties: - anomaly-detector: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. - type: object - data-frame-analytics: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. + data: type: object - trained-model: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. - type: object - title: Sync API response for deleted saved objects + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' + required: + - timeline + required: + - persistTimeline + required: + - data + Security_Timeline_API_PinnedEvent: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' + - type: object + properties: + pinnedEventId: + type: string + version: + type: string + required: + - pinnedEventId + - version + Security_Timeline_API_PinnedEventBaseResponseBody: type: object - Machine_learning_APIs_mlSyncResponseSuccess: - description: The success or failure of the synchronization. - type: boolean - Machine_learning_APIs_mlSyncResponseTrainedModels: - description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for trained models + code: + type: number + message: + type: string + required: + - code + Security_Timeline_API_QueryMatchResult: type: object - Saved_objects_400_response: - title: Bad request + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + operator: + nullable: true + type: string + value: + oneOf: + - nullable: true + type: string + - items: + type: string + nullable: true + type: array + Security_Timeline_API_ResolvedTimeline: type: object properties: - error: - enum: - - Bad Request + alias_purpose: + $ref: >- + #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose + alias_target_id: type: string + outcome: + $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' + timeline: + $ref: >- + #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject + required: + - timeline + - outcome + Security_Timeline_API_ResponseNote: + type: object + properties: + code: + type: number message: type: string - statusCode: - enum: - - 400 - type: integer + note: + $ref: '#/components/schemas/Security_Timeline_API_Note' required: - - error + - code - message - - statusCode - Saved_objects_attributes: - description: > - The data that you want to create. WARNING: When you create saved - objects, attributes are not validated, which allows you to pass - arbitrary and ill-formed data into the API that can break Kibana. Make - sure any data that you send to the API is properly formed. + - note + Security_Timeline_API_RowRendererId: + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Timeline_API_SavedObjectIds: + oneOf: + - items: + type: string + type: array + - type: string + Security_Timeline_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Timeline_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Timeline_API_SavedTimeline: type: object - Saved_objects_initial_namespaces: - description: > - Identifiers for the spaces in which this object is created. If this is - provided, the object is created only in the explicitly defined spaces. - If this is not provided, the object is created in the current space - (default behavior). For shareable object types (registered with - `namespaceType: 'multiple'`), this option can be used to specify one or - more spaces, including the "All spaces" identifier ('*'). For isolated - object types (registered with `namespaceType: 'single'` or - `namespaceType: 'multiple-isolated'`), this option can only be used to - specify a single space, and the "All spaces" identifier ('*') is not - allowed. For global object types (`registered with `namespaceType: - agnostic`), this option cannot be used. - type: array - Saved_objects_references: - description: > - Objects with `name`, `id`, and `type` properties that describe the other - saved objects that this object references. Use `name` in attributes to - refer to the other saved object, but never the `id`, which can update - automatically during migrations or import and export. - type: array + properties: + columns: + items: + $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' + nullable: true + type: array + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + dataProviders: + items: + $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' + nullable: true + type: array + dataViewId: + nullable: true + type: string + dateRange: + nullable: true + type: object + properties: + end: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + start: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + description: + nullable: true + type: string + eqlOptions: + nullable: true + type: object + properties: + eventCategoryField: + nullable: true + type: string + query: + nullable: true + type: string + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true + type: string + timestampField: + nullable: true + type: string + eventType: + nullable: true + type: string + excludedRowRendererIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' + nullable: true + type: array + filters: + items: + $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' + nullable: true + type: array + indexNames: + items: + type: string + nullable: true + type: array + kqlMode: + nullable: true + type: string + kqlQuery: + $ref: >- + #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult + nullable: true + savedQueryId: + nullable: true + type: string + savedSearchId: + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Timeline_API_Sort' + nullable: true + status: + enum: + - active + - draft + - immutable + nullable: true + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Timeline_API_TimelineType' + nullable: true + title: + nullable: true + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + Security_Timeline_API_SavedTimelineWithSavedObjectId: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + savedObjectId: + type: string + version: + type: string + required: + - savedObjectId + - version + Security_Timeline_API_SerializedFilterQueryResult: + type: object + properties: + filterQuery: + nullable: true + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Timeline_API_SortObject' + type: array + Security_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. + enum: + - title + - description + - updated + - created + type: string + Security_Timeline_API_SortObject: + type: object + properties: + columnId: + nullable: true + type: string + columnType: + nullable: true + type: string + sortDirection: + nullable: true + type: string + Security_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - $ref: >- + #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + noteIds: + items: + type: string + nullable: true + type: array + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + Security_Timeline_API_TimelineSavedToReturnObject: + allOf: + - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + noteIds: + items: + type: string + nullable: true + type: array + notes: + items: + $ref: '#/components/schemas/Security_Timeline_API_Note' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + pinnedEventsSaveObject: + items: + $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' + nullable: true + type: array + savedObjectId: + type: string + version: + type: string + required: + - savedObjectId + - version + Security_Timeline_API_TimelineStatus: + description: >- + The status of the timeline. Valid values are `active`, `draft`, and + `immutable`. + enum: + - active + - draft + - immutable + type: string + Security_Timeline_API_TimelineType: + description: >- + The type of timeline to create. Valid values are `default` and + `template`. + enum: + - default + - template + type: string SLOs_400_response: title: Bad request type: object @@ -24416,6 +42238,44 @@ tags: permanently breaks future Kibana versions. name: saved objects x-displayName: Saved objects + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + x-displayName: Security AI assistant + - description: >- + You can create rules that automatically turn events and external alerts + sent to Elastic Security into detection alerts. These alerts are displayed + on the Detections page. + name: Security Detections API + x-displayName: Security detections + - description: >- + Endpoint Exceptions API allows you to manage detection rule endpoint + exceptions to prevent a rule from generating an alert from incoming events + even when the rule's other criteria are met. + name: Security Endpoint Exceptions API + x-displayName: Security endpoint exceptions + - description: Interact with and manage endpoints running the Elastic Defend integration. + name: Security Endpoint Management API + x-displayName: Security endpoint management + - description: '' + name: Security Entity Analytics API + x-displayName: Security entity analytics + - description: >- + Exceptions API allows you to manage detection rule exceptions to prevent a + rule from generating an alert from incoming events even when the rule's + other criteria are met. + name: Security Exceptions API + x-displayName: Security exceptions + - description: Lists API allows you to manage lists of keywords, IPs or IP ranges items. + name: Security Lists API + x-displayName: Security lists + - description: Run live queries, manage packs and saved queries. + name: Security Osquery API + x-displayName: Security Osquery + - description: >- + You can create Timelines and Timeline templates via the API, as well as + import new Timelines from an ndjson file. + name: Security Timeline API + x-displayName: Security timeline - description: SLO APIs enable you to define, manage and track service-level objectives name: slo - name: spaces diff --git a/oas_docs/overlays/kibana.overlays.serverless.yaml b/oas_docs/overlays/kibana.overlays.serverless.yaml index 5d1064eecb37e..b4a37c1aec846 100644 --- a/oas_docs/overlays/kibana.overlays.serverless.yaml +++ b/oas_docs/overlays/kibana.overlays.serverless.yaml @@ -55,8 +55,12 @@ actions: update: x-displayName: "Service level objectives" - target: '$.tags[?(@.name=="system")]' - description: Change displayName + description: Change displayName and description update: x-displayName: "System" description: > - Get information about the system status, resource usage, and installed plugins. \ No newline at end of file + Get information about the system status, resource usage, and installed plugins. + # Remove extra tags from operations + - target: "$.paths[*][*].tags[1:]" + description: Remove all but first tag from operations + remove: true \ No newline at end of file diff --git a/oas_docs/overlays/kibana.overlays.yaml b/oas_docs/overlays/kibana.overlays.yaml index cd3b40eeda819..7464f1899d8f2 100644 --- a/oas_docs/overlays/kibana.overlays.yaml +++ b/oas_docs/overlays/kibana.overlays.yaml @@ -70,8 +70,12 @@ actions: update: x-displayName: "Service level objectives" - target: '$.tags[?(@.name=="system")]' - description: Change displayName + description: Change displayName and description update: x-displayName: "System" description: > Get information about the system status, resource usage, and installed plugins. + # Remove extra tags from operations + - target: "$.paths[*][*].tags[1:]" + description: Remove all but first tag from operations + remove: true \ No newline at end of file diff --git a/oas_docs/scripts/merge_ess_oas.js b/oas_docs/scripts/merge_ess_oas.js index 9a0bd9217817f..da71cb41595e6 100644 --- a/oas_docs/scripts/merge_ess_oas.js +++ b/oas_docs/scripts/merge_ess_oas.js @@ -27,6 +27,12 @@ const { REPO_ROOT } = require('@kbn/repo-info'); `${REPO_ROOT}/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.yaml`, // Security solution + `${REPO_ROOT}/x-pack/plugins/security_solution/docs/openapi/ess/*.schema.yaml`, + `${REPO_ROOT}/packages/kbn-securitysolution-lists-common/docs/openapi/ess/*.schema.yaml`, + `${REPO_ROOT}/packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/*.schema.yaml`, + `${REPO_ROOT}/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/ess/*.schema.yaml`, + `${REPO_ROOT}/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/ess/*.schema.yaml`, + `${REPO_ROOT}/x-pack/plugins/osquery/docs/openapi/ess/*.schema.yaml`, ], outputFilePath: `${REPO_ROOT}/oas_docs/output/kibana.yaml`, options: { diff --git a/oas_docs/scripts/merge_serverless_oas.js b/oas_docs/scripts/merge_serverless_oas.js index 3d5384a7af2fb..d9d91dfb032b4 100644 --- a/oas_docs/scripts/merge_serverless_oas.js +++ b/oas_docs/scripts/merge_serverless_oas.js @@ -25,6 +25,12 @@ const { REPO_ROOT } = require('@kbn/repo-info'); `${REPO_ROOT}/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.yaml`, // Security solution + `${REPO_ROOT}/x-pack/plugins/security_solution/docs/openapi/serverless/*.schema.yaml`, + `${REPO_ROOT}/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/*.schema.yaml`, + `${REPO_ROOT}/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/*.schema.yaml`, + `${REPO_ROOT}/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/serverless/*.schema.yaml`, + `${REPO_ROOT}/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/serverless/*.schema.yaml`, + `${REPO_ROOT}/x-pack/plugins/osquery/docs/openapi/serverless/*.schema.yaml`, ], outputFilePath: `${REPO_ROOT}/oas_docs/output/kibana.serverless.yaml`, options: { diff --git a/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/ess/security_solution_endpoint_exceptions_api_2023_10_31.bundled.schema.yaml b/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/ess/security_solution_endpoint_exceptions_api_2023_10_31.bundled.schema.yaml index 78c75760f1888..366efe23d586b 100644 --- a/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/ess/security_solution_endpoint_exceptions_api_2023_10_31.bundled.schema.yaml +++ b/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/ess/security_solution_endpoint_exceptions_api_2023_10_31.bundled.schema.yaml @@ -885,3 +885,4 @@ tags: exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Endpoint Exceptions API + x-displayName: Security endpoint exceptions diff --git a/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/serverless/security_solution_endpoint_exceptions_api_2023_10_31.bundled.schema.yaml b/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/serverless/security_solution_endpoint_exceptions_api_2023_10_31.bundled.schema.yaml index 6b3b4d4eaa55d..0ecce40ef34d3 100644 --- a/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/serverless/security_solution_endpoint_exceptions_api_2023_10_31.bundled.schema.yaml +++ b/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/serverless/security_solution_endpoint_exceptions_api_2023_10_31.bundled.schema.yaml @@ -885,3 +885,4 @@ tags: exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Endpoint Exceptions API + x-displayName: Security endpoint exceptions diff --git a/packages/kbn-securitysolution-endpoint-exceptions-common/scripts/openapi_bundle.js b/packages/kbn-securitysolution-endpoint-exceptions-common/scripts/openapi_bundle.js index edd9cb25f6d44..e5a02965593c3 100644 --- a/packages/kbn-securitysolution-endpoint-exceptions-common/scripts/openapi_bundle.js +++ b/packages/kbn-securitysolution-endpoint-exceptions-common/scripts/openapi_bundle.js @@ -30,6 +30,7 @@ const ROOT = resolve(__dirname, '..'); tags: [ { name: 'Security Endpoint Exceptions API', + 'x-displayName': 'Security endpoint exceptions', description: "Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.", }, @@ -54,6 +55,7 @@ const ROOT = resolve(__dirname, '..'); tags: [ { name: 'Security Endpoint Exceptions API', + 'x-displayName': 'Security endpoint exceptions', description: "Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.", }, diff --git a/packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml b/packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml index 89208f3a9ced0..bf290e872f915 100644 --- a/packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml +++ b/packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml @@ -1904,3 +1904,4 @@ tags: rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Exceptions API + x-displayName: Security exceptions diff --git a/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml b/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml index 190c2bd64aab5..115658261c909 100644 --- a/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml +++ b/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/security_solution_exceptions_api_2023_10_31.bundled.schema.yaml @@ -1904,3 +1904,4 @@ tags: rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Exceptions API + x-displayName: Security exceptions diff --git a/packages/kbn-securitysolution-exceptions-common/scripts/openapi_bundle.js b/packages/kbn-securitysolution-exceptions-common/scripts/openapi_bundle.js index edbe0f14ed75f..83c84d91daaf5 100644 --- a/packages/kbn-securitysolution-exceptions-common/scripts/openapi_bundle.js +++ b/packages/kbn-securitysolution-exceptions-common/scripts/openapi_bundle.js @@ -31,6 +31,7 @@ const ROOT = resolve(__dirname, '..'); tags: [ { name: 'Security Exceptions API', + 'x-displayName': 'Security exceptions', description: "Exceptions API allows you to manage detection rule exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.", }, @@ -56,6 +57,7 @@ const ROOT = resolve(__dirname, '..'); tags: [ { name: 'Security Exceptions API', + 'x-displayName': 'Security exceptions', description: "Exceptions API allows you to manage detection rule exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.", }, diff --git a/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml b/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml index e2f6e182e1ed8..17eef19505e40 100644 --- a/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml +++ b/packages/kbn-securitysolution-lists-common/docs/openapi/ess/security_solution_lists_api_2023_10_31.bundled.schema.yaml @@ -1564,3 +1564,4 @@ security: tags: - description: Lists API allows you to manage lists of keywords, IPs or IP ranges items. name: Security Lists API + x-displayName: Security lists diff --git a/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml b/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml index c11f67f85014c..5348d9404a0e3 100644 --- a/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml +++ b/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/security_solution_lists_api_2023_10_31.bundled.schema.yaml @@ -1564,3 +1564,4 @@ security: tags: - description: Lists API allows you to manage lists of keywords, IPs or IP ranges items. name: Security Lists API + x-displayName: Security lists diff --git a/packages/kbn-securitysolution-lists-common/scripts/openapi_bundle.js b/packages/kbn-securitysolution-lists-common/scripts/openapi_bundle.js index 2f809aa1f5ee2..b8ea2ea2e8377 100644 --- a/packages/kbn-securitysolution-lists-common/scripts/openapi_bundle.js +++ b/packages/kbn-securitysolution-lists-common/scripts/openapi_bundle.js @@ -30,6 +30,7 @@ const ROOT = resolve(__dirname, '..'); tags: [ { name: 'Security Lists API', + 'x-displayName': 'Security lists', description: 'Lists API allows you to manage lists of keywords, IPs or IP ranges items.', }, @@ -54,6 +55,7 @@ const ROOT = resolve(__dirname, '..'); tags: [ { name: 'Security Lists API', + 'x-displayName': 'Security lists', description: 'Lists API allows you to manage lists of keywords, IPs or IP ranges items.', }, diff --git a/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/ess/elastic_assistant_api_2023_10_31.bundled.schema.yaml b/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/ess/elastic_assistant_api_2023_10_31.bundled.schema.yaml index dfd9be372b7f0..1e070b75322d4 100644 --- a/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/ess/elastic_assistant_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/ess/elastic_assistant_api_2023_10_31.bundled.schema.yaml @@ -1237,3 +1237,4 @@ security: tags: - description: Manage and interact with Security Assistant resources. name: Security AI Assistant API + x-displayName: Security AI assistant diff --git a/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/serverless/elastic_assistant_api_2023_10_31.bundled.schema.yaml b/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/serverless/elastic_assistant_api_2023_10_31.bundled.schema.yaml index 9c8cc4a8ca21d..e13d7a05af41f 100644 --- a/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/serverless/elastic_assistant_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/serverless/elastic_assistant_api_2023_10_31.bundled.schema.yaml @@ -1237,3 +1237,4 @@ security: tags: - description: Manage and interact with Security Assistant resources. name: Security AI Assistant API + x-displayName: Security AI assistant diff --git a/x-pack/packages/kbn-elastic-assistant-common/scripts/openapi/bundle.js b/x-pack/packages/kbn-elastic-assistant-common/scripts/openapi/bundle.js index 63d21a2d93ae3..b06776be03a4b 100644 --- a/x-pack/packages/kbn-elastic-assistant-common/scripts/openapi/bundle.js +++ b/x-pack/packages/kbn-elastic-assistant-common/scripts/openapi/bundle.js @@ -29,6 +29,7 @@ const ELASTIC_ASSISTANT_ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security AI Assistant API', + 'x-displayName': 'Security AI assistant', description: 'Manage and interact with Security Assistant resources.', }, ], @@ -52,6 +53,7 @@ const ELASTIC_ASSISTANT_ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security AI Assistant API', + 'x-displayName': 'Security AI assistant', description: 'Manage and interact with Security Assistant resources.', }, ], diff --git a/x-pack/plugins/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml index f224add76d524..c18b9d891524a 100644 --- a/x-pack/plugins/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/osquery/docs/openapi/ess/osquery_api_2023_10_31.bundled.schema.yaml @@ -639,3 +639,4 @@ security: tags: - description: Run live queries, manage packs and saved queries. name: Security Osquery API + x-displayName: Security Osquery diff --git a/x-pack/plugins/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml index 9228355269d02..3e308d1ebfcc5 100644 --- a/x-pack/plugins/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/osquery/docs/openapi/serverless/osquery_api_2023_10_31.bundled.schema.yaml @@ -639,3 +639,4 @@ security: tags: - description: Run live queries, manage packs and saved queries. name: Security Osquery API + x-displayName: Security Osquery diff --git a/x-pack/plugins/osquery/scripts/openapi/bundle.js b/x-pack/plugins/osquery/scripts/openapi/bundle.js index cc9e1dc93b66d..49594c2fa5ce2 100644 --- a/x-pack/plugins/osquery/scripts/openapi/bundle.js +++ b/x-pack/plugins/osquery/scripts/openapi/bundle.js @@ -28,6 +28,7 @@ const ELASTIC_ASSISTANT_ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security Osquery API', + 'x-displayName': 'Security Osquery', description: 'Run live queries, manage packs and saved queries.', }, ], @@ -49,6 +50,7 @@ const ELASTIC_ASSISTANT_ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security Osquery API', + 'x-displayName': 'Security Osquery', description: 'Run live queries, manage packs and saved queries.', }, ], diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_cleanup_route.gen.ts b/x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_cleanup_route.gen.ts index 13194051244cb..9928b33af9a5a 100644 --- a/x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_cleanup_route.gen.ts +++ b/x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_cleanup_route.gen.ts @@ -11,7 +11,7 @@ * * info: * title: Risk Scoring API - * version: 1 + * version: 2023-10-31 */ import { z } from '@kbn/zod'; diff --git a/x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_cleanup_route.schema.yaml b/x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_cleanup_route.schema.yaml index 2dffe3879961e..4eba00a8ffbe6 100644 --- a/x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_cleanup_route.schema.yaml +++ b/x-pack/plugins/security_solution/common/api/entity_analytics/risk_engine/engine_cleanup_route.schema.yaml @@ -1,6 +1,6 @@ openapi: 3.0.0 info: - version: '1' + version: '2023-10-31' title: Risk Scoring API description: These APIs allow the consumer to manage Entity Risk Scores within Entity Analytics. paths: @@ -57,4 +57,3 @@ components: type: integer error: type: string - diff --git a/x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts b/x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts index 255b56c485b9b..288a08fdb8afb 100644 --- a/x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts +++ b/x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts @@ -554,7 +554,7 @@ If asset criticality records already exist for the specified entities, those rec .request({ path: '/api/risk_score/engine/dangerously_delete_data', headers: { - [ELASTIC_HTTP_VERSION_HEADER]: '1', + [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31', }, method: 'DELETE', }) diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 73a8554ceaac0..cdff061d94f22 100644 --- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -7000,3 +7000,4 @@ tags: sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page. name: Security Detections API + x-displayName: Security detections diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml index 3aa292c02c18c..ae35a302cbb42 100644 --- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml @@ -1136,3 +1136,4 @@ security: tags: - description: Interact with and manage endpoints running the Elastic Defend integration. name: Security Endpoint Management API + x-displayName: Security endpoint management diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_1.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_1.bundled.schema.yaml deleted file mode 100644 index 9d6d57abd382a..0000000000000 --- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_1.bundled.schema.yaml +++ /dev/null @@ -1,88 +0,0 @@ -openapi: 3.0.3 -info: - description: '' - title: Security Entity Analytics API (Elastic Cloud and self-hosted) - version: '1' -servers: - - url: http://{kibana_host}:{port} - variables: - kibana_host: - default: localhost - port: - default: '5601' -paths: - /api/risk_score/engine/dangerously_delete_data: - delete: - description: >- - Cleaning up the the Risk Engine by removing the indices, mapping and - transforms - operationId: CleanUpRiskEngine - responses: - '200': - content: - application/json: - schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/TaskManagerUnavailableResponse' - description: Task manager is unavailable - default: - content: - application/json: - schema: - $ref: '#/components/schemas/CleanUpRiskEngineErrorResponse' - description: Unexpected error - summary: Cleanup the Risk Engine - tags: - - Security Entity Analytics API -components: - schemas: - CleanUpRiskEngineErrorResponse: - type: object - properties: - cleanup_successful: - example: false - type: boolean - errors: - items: - type: object - properties: - error: - type: string - seq: - type: integer - required: - - seq - - error - type: array - required: - - cleanup_successful - - errors - TaskManagerUnavailableResponse: - description: Task manager is unavailable - type: object - properties: - message: - type: string - status_code: - minimum: 400 - type: integer - required: - - status_code - - message - securitySchemes: - BasicAuth: - scheme: basic - type: http -security: - - BasicAuth: [] -tags: - - description: '' - name: Security Entity Analytics API diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml index c0f3df5536459..05f6cdc427566 100644 --- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml @@ -524,6 +524,37 @@ paths: summary: List Entity Store Entities tags: - Security Entity Analytics API + /api/risk_score/engine/dangerously_delete_data: + delete: + description: >- + Cleaning up the the Risk Engine by removing the indices, mapping and + transforms + operationId: CleanUpRiskEngine + responses: + '200': + content: + application/json: + schema: + type: object + properties: + cleanup_successful: + type: boolean + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: '#/components/schemas/CleanUpRiskEngineErrorResponse' + description: Unexpected error + summary: Cleanup the Risk Engine + tags: + - Security Entity Analytics API /api/risk_score/engine/schedule_now: post: description: >- @@ -655,6 +686,27 @@ components: required: - id_value - id_field + CleanUpRiskEngineErrorResponse: + type: object + properties: + cleanup_successful: + example: false + type: boolean + errors: + items: + type: object + properties: + error: + type: string + seq: + type: integer + required: + - seq + - error + type: array + required: + - cleanup_successful + - errors CreateAssetCriticalityRecord: allOf: - $ref: '#/components/schemas/AssetCriticalityRecordIdParts' @@ -1043,3 +1095,4 @@ security: tags: - description: '' name: Security Entity Analytics API + x-displayName: Security entity analytics diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_timeline_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_timeline_api_2023_10_31.bundled.schema.yaml index 68740efb388a4..48eb959168856 100644 --- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_timeline_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_timeline_api_2023_10_31.bundled.schema.yaml @@ -1660,3 +1660,4 @@ tags: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. name: Security Timeline API + x-displayName: Security timeline diff --git a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 24a0032201c90..4b7d9bed6e416 100644 --- a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -6146,3 +6146,4 @@ tags: sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page. name: Security Detections API + x-displayName: Security detections diff --git a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml index 7156c0a5226be..df98520fe783f 100644 --- a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml @@ -1036,3 +1036,4 @@ security: tags: - description: Interact with and manage endpoints running the Elastic Defend integration. name: Security Endpoint Management API + x-displayName: Security endpoint management diff --git a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_1.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_1.bundled.schema.yaml deleted file mode 100644 index 835d8f79b1fea..0000000000000 --- a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_1.bundled.schema.yaml +++ /dev/null @@ -1,88 +0,0 @@ -openapi: 3.0.3 -info: - description: '' - title: Security Entity Analytics API (Elastic Cloud Serverless) - version: '1' -servers: - - url: http://{kibana_host}:{port} - variables: - kibana_host: - default: localhost - port: - default: '5601' -paths: - /api/risk_score/engine/dangerously_delete_data: - delete: - description: >- - Cleaning up the the Risk Engine by removing the indices, mapping and - transforms - operationId: CleanUpRiskEngine - responses: - '200': - content: - application/json: - schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': - content: - application/json: - schema: - $ref: '#/components/schemas/TaskManagerUnavailableResponse' - description: Task manager is unavailable - default: - content: - application/json: - schema: - $ref: '#/components/schemas/CleanUpRiskEngineErrorResponse' - description: Unexpected error - summary: Cleanup the Risk Engine - tags: - - Security Entity Analytics API -components: - schemas: - CleanUpRiskEngineErrorResponse: - type: object - properties: - cleanup_successful: - example: false - type: boolean - errors: - items: - type: object - properties: - error: - type: string - seq: - type: integer - required: - - seq - - error - type: array - required: - - cleanup_successful - - errors - TaskManagerUnavailableResponse: - description: Task manager is unavailable - type: object - properties: - message: - type: string - status_code: - minimum: 400 - type: integer - required: - - status_code - - message - securitySchemes: - BasicAuth: - scheme: basic - type: http -security: - - BasicAuth: [] -tags: - - description: '' - name: Security Entity Analytics API diff --git a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml index 690b59c518409..1ad7423a05b21 100644 --- a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml @@ -524,6 +524,37 @@ paths: summary: List Entity Store Entities tags: - Security Entity Analytics API + /api/risk_score/engine/dangerously_delete_data: + delete: + description: >- + Cleaning up the the Risk Engine by removing the indices, mapping and + transforms + operationId: CleanUpRiskEngine + responses: + '200': + content: + application/json: + schema: + type: object + properties: + cleanup_successful: + type: boolean + description: Successful response + '400': + content: + application/json: + schema: + $ref: '#/components/schemas/TaskManagerUnavailableResponse' + description: Task manager is unavailable + default: + content: + application/json: + schema: + $ref: '#/components/schemas/CleanUpRiskEngineErrorResponse' + description: Unexpected error + summary: Cleanup the Risk Engine + tags: + - Security Entity Analytics API /api/risk_score/engine/schedule_now: post: description: >- @@ -655,6 +686,27 @@ components: required: - id_value - id_field + CleanUpRiskEngineErrorResponse: + type: object + properties: + cleanup_successful: + example: false + type: boolean + errors: + items: + type: object + properties: + error: + type: string + seq: + type: integer + required: + - seq + - error + type: array + required: + - cleanup_successful + - errors CreateAssetCriticalityRecord: allOf: - $ref: '#/components/schemas/AssetCriticalityRecordIdParts' @@ -1043,3 +1095,4 @@ security: tags: - description: '' name: Security Entity Analytics API + x-displayName: Security entity analytics diff --git a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_timeline_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_timeline_api_2023_10_31.bundled.schema.yaml index cfcb36e2dee75..343ec3dc30a73 100644 --- a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_timeline_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_timeline_api_2023_10_31.bundled.schema.yaml @@ -1660,3 +1660,4 @@ tags: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. name: Security Timeline API + x-displayName: Security timeline diff --git a/x-pack/plugins/security_solution/scripts/openapi/bundle_detections.js b/x-pack/plugins/security_solution/scripts/openapi/bundle_detections.js index 7ae72255217e4..2c0e36f3db8ee 100644 --- a/x-pack/plugins/security_solution/scripts/openapi/bundle_detections.js +++ b/x-pack/plugins/security_solution/scripts/openapi/bundle_detections.js @@ -29,6 +29,7 @@ const ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security Detections API', + 'x-displayName': 'Security detections', description: 'You can create rules that automatically turn events and external alerts sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page.', }, @@ -54,6 +55,7 @@ const ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security Detections API', + 'x-displayName': 'Security detections', description: 'You can create rules that automatically turn events and external alerts sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page.', }, diff --git a/x-pack/plugins/security_solution/scripts/openapi/bundle_endpoint_management.js b/x-pack/plugins/security_solution/scripts/openapi/bundle_endpoint_management.js index 6ff13e46b0ccd..481e3df4803d5 100644 --- a/x-pack/plugins/security_solution/scripts/openapi/bundle_endpoint_management.js +++ b/x-pack/plugins/security_solution/scripts/openapi/bundle_endpoint_management.js @@ -28,6 +28,7 @@ const ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security Endpoint Management API', + 'x-displayName': 'Security endpoint management', description: 'Interact with and manage endpoints running the Elastic Defend integration.', }, @@ -52,6 +53,7 @@ const ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security Endpoint Management API', + 'x-displayName': 'Security endpoint management', description: 'Interact with and manage endpoints running the Elastic Defend integration.', }, diff --git a/x-pack/plugins/security_solution/scripts/openapi/bundle_entity_analytics.js b/x-pack/plugins/security_solution/scripts/openapi/bundle_entity_analytics.js index f8464b7dad367..89a60e1a8a0bb 100644 --- a/x-pack/plugins/security_solution/scripts/openapi/bundle_entity_analytics.js +++ b/x-pack/plugins/security_solution/scripts/openapi/bundle_entity_analytics.js @@ -28,6 +28,7 @@ const ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security Entity Analytics API', + 'x-displayName': 'Security entity analytics', description: '', }, ], @@ -51,6 +52,7 @@ const ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security Entity Analytics API', + 'x-displayName': 'Security entity analytics', description: '', }, ], diff --git a/x-pack/plugins/security_solution/scripts/openapi/bundle_timeline.js b/x-pack/plugins/security_solution/scripts/openapi/bundle_timeline.js index 507ca29293faf..e2a439b81b322 100644 --- a/x-pack/plugins/security_solution/scripts/openapi/bundle_timeline.js +++ b/x-pack/plugins/security_solution/scripts/openapi/bundle_timeline.js @@ -29,6 +29,7 @@ const ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security Timeline API', + 'x-displayName': 'Security timeline', description: 'You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.', }, @@ -54,6 +55,7 @@ const ROOT = resolve(__dirname, '../..'); tags: [ { name: 'Security Timeline API', + 'x-displayName': 'Security timeline', description: 'You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.', }, diff --git a/x-pack/test/api_integration/services/security_solution_api.gen.ts b/x-pack/test/api_integration/services/security_solution_api.gen.ts index aba6550ea9c3b..c110ce8676edb 100644 --- a/x-pack/test/api_integration/services/security_solution_api.gen.ts +++ b/x-pack/test/api_integration/services/security_solution_api.gen.ts @@ -270,7 +270,7 @@ If asset criticality records already exist for the specified entities, those rec return supertest .delete(routeWithNamespace('/api/risk_score/engine/dangerously_delete_data', kibanaSpace)) .set('kbn-xsrf', 'true') - .set(ELASTIC_HTTP_VERSION_HEADER, '1') + .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana'); }, /**